Open eduardomourar opened 3 years ago
would it be fair to expect someone to create the SLR using AWS::IAM::ServiceLinkedRole?
I would have no problem with that. Although, I believe the approach used by the native AWS resources is to create the service-linked role automatically: https://github.com/aws-cloudformation/aws-cloudformation-resource-providers-ecr/blob/da26794f4c45a99e939d325f8f5bceed9c4fd1af/aws-ecr-replicationconfiguration/aws-ecr-replicationconfiguration.json#L96
ServiceLinkRole should be created by the RP
If you try to create the CloudFormation service quota for stacks in an AWS account that has never been used with Service Quotas, the following error happens in the Community::ServiceQuotas::CloudFormation resource type v0.1.0:

Even after adding the following policy to the execution role, it still did not work:
The CloudTrail event:
As a workaround, I have been able to create the service-linked role myself through the CLI beforehand:

aws iam create-service-linked-role --aws-service-name servicequotas.amazonaws.com

Because the servicequotas.amazonaws.com does not have MFA authenticated set to true, the resource provider making the call directly to IAM to create the service-linked role would be a possible solution.
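The two points raised in this thread, the manual CLI workaround in the issue body and the suggestion that the resource provider itself should create the service-linked role, come together in the added example below. It is illustration code written for this page, not the Community::ServiceQuotas::CloudFormation provider's own source: the helper `ensure_service_linked_role` is a hypothetical name, the `_StubIAM` class is an offline stand-in for a boto3 IAM client (constructed here so the example runs without AWS credentials), and the execution-role statement is the least-privilege shape AWS documents for `iam:CreateServiceLinkedRole`, scoped with the `iam:AWSServiceName` condition so the role can create only the Service Quotas SLR. The service principal `servicequotas.amazonaws.com` and role name `AWSServiceRoleForServiceQuotas` are the values AWS uses for this service.

```python
"""Hypothetical idempotent SLR bootstrap for a CloudFormation resource provider.

Added example for this issue thread, not the provider's own code. Swap
`_StubIAM()` for `boto3.client("iam")` to run it for real; the boto3 client
exposes the same `get_role` / `create_service_linked_role` methods and the
same `client.exceptions.*` classes used below.
"""
from typing import Any

# Service principal and service-linked role name used by AWS Service Quotas.
SERVICE_NAME = "servicequotas.amazonaws.com"
SLR_NAME = "AWSServiceRoleForServiceQuotas"

# Least-privilege statement for the provider's execution role: it may create
# exactly this SLR and nothing else (the condition key pins the service).
EXECUTION_ROLE_STATEMENT = {
    "Effect": "Allow",
    "Action": "iam:CreateServiceLinkedRole",
    "Resource": f"arn:aws:iam::*:role/aws-service-role/{SERVICE_NAME}/{SLR_NAME}",
    "Condition": {"StringEquals": {"iam:AWSServiceName": SERVICE_NAME}},
}


def ensure_service_linked_role(
    iam: Any, service_name: str = SERVICE_NAME, role_name: str = SLR_NAME
) -> str:
    """Make sure the SLR exists before the provider calls Service Quotas.

    Returns "exists" if the role is already there, "created" if this call
    made it, and re-raises anything else (an AccessDenied here means the
    execution role lacks EXECUTION_ROLE_STATEMENT above).
    """
    try:
        iam.get_role(RoleName=role_name)
        return "exists"
    except iam.exceptions.NoSuchEntityException:
        pass  # first use of Service Quotas in this account: role is missing
    try:
        iam.create_service_linked_role(AWSServiceName=service_name)
        return "created"
    except iam.exceptions.InvalidInputException as exc:
        # IAM reports a concurrent creation (race with another stack/handler)
        # as InvalidInput saying the role name "has been taken"; treat that as
        # success rather than failing the stack operation.
        if "has been taken" in str(exc):
            return "exists"
        raise


class _StubIAM:
    """Offline stand-in for the boto3 IAM client (constructed for this example)."""

    class exceptions:  # mirrors boto3's `client.exceptions` namespace
        class NoSuchEntityException(Exception):
            pass

        class InvalidInputException(Exception):
            pass

    def __init__(self, existing: tuple = ()) -> None:
        self.roles = set(existing)
        self.calls: list = []

    def get_role(self, RoleName: str) -> dict:
        self.calls.append(("get_role", RoleName))
        if RoleName not in self.roles:
            raise self.exceptions.NoSuchEntityException(RoleName)
        return {"Role": {"RoleName": RoleName}}

    def create_service_linked_role(self, AWSServiceName: str) -> dict:
        self.calls.append(("create_service_linked_role", AWSServiceName))
        if SLR_NAME in self.roles:
            raise self.exceptions.InvalidInputException(
                f"Service role name {SLR_NAME} has been taken in this account"
            )
        self.roles.add(SLR_NAME)
        return {"Role": {"RoleName": SLR_NAME}}


if __name__ == "__main__":
    fresh_account = _StubIAM()
    print(ensure_service_linked_role(fresh_account))   # created
    print(ensure_service_linked_role(fresh_account))   # exists
```

Calling the helper at the start of the create handler is what makes the provider work in an account that has never touched Service Quotas, and the `get_role` check first keeps the common path to a single read-only IAM call. The statement in `EXECUTION_ROLE_STATEMENT` is also what to look for when a CloudTrail `CreateServiceLinkedRole` event shows AccessDenied for the execution role.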