samchungy / valheim-aws-spot-server

Launches a Valheim Server on an EC2 Spot Instance with a Discord Bot

"The provided credentials do not have permission to create the service-linked role for EC2 Spot Instances" on start lambda #2

Closed Ezekiel-DA closed 2 years ago

Ezekiel-DA commented 2 years ago

Hi @samchungy!

First, thanks for the hard work on this repo, it looks like exactly the solution I was looking for, especially compared to the various AWS Fargate based solutions out there that seem like they would cost a lot more to run.

I am attempting to deploy your project to my own AWS account, following the README, and I'm running into an issue when trying to start the server.

My AWS expertise is somewhat limited, but the GitHub Action seems to have succeeded; I can see the objects I would expect on the S3 side, in CloudFormation, in Lambda, etc.

Right now, to avoid adding Discord as another layer of complexity, I am attempting to call the valheim-dev-start-server Lambda directly from the AWS CLI or AWS Console. In both cases, the lambda fails, and the CloudWatch logs contain the error below.

There is clearly some type of permission issue, but I am not familiar enough with AWS to debug it, unfortunately. I have attempted to manually add various permissions that would seem to make sense to the IAM user provided to the GitHub action, and to both of the roles generated by your project, but clearly, blindly adding more and more permissions is not a great idea, and it doesn't seem to be helping anyway!

Any tips on what I'm doing wrong?

Thanks!

{
    "level": 50,
    "time": 1651209829217,
    "pid": 9,
    "hostname": "169.254.117.253",
    "awsRequestId": "fc125b2c-bfb7-411a-8b58-772088a2137a",
    "x-correlation-trace-id": "Root=1-626b7663-67efb17c2c7e5c0760405e76;Parent=6171f37650c59f9c;Sampled=0",
    "x-correlation-id": "fc125b2c-bfb7-411a-8b58-772088a2137a",
    "err": {
        "type": "Error",
        "message": "The provided credentials do not have permission to create the service-linked role for EC2 Spot Instances.",
        "stack": "AuthFailure.ServiceLinkedRoleCreationNotPermitted: The provided credentials do not have permission to create the service-linked role for EC2 Spot Instances.\n    at null.UPt (/node_modules/@aws-sdk/client-ec2/protocols/Aws_ec2.ts:30468:39)\n    at processTicksAndRejections (internal/process/task_queues.js:95:5)\n    at null.<anonymous> (/node_modules/@aws-sdk/middleware-serde/src/deserializerMiddleware.ts:18:20)\n    at null.<anonymous> (/node_modules/@aws-sdk/middleware-signing/src/middleware.ts:24:22)\n    at yZ.retry (/node_modules/@aws-sdk/middleware-retry/src/StandardRetryStrategy.ts:83:38)\n    at null.<anonymous> (/node_modules/@aws-sdk/middleware-logger/src/loggerMiddleware.ts:22:22)\n    at eUs (/src/functions/start-server/usecases/create-server.ts:95:22)\n    at $Ne (/src/functions/start-server/usecases/create-server.ts:188:34)\n    at async Promise.all (index 1)\n    at BFe (/src/functions/start-server/usecases/start-server.ts:6:3)",
        "Code": "AuthFailure.ServiceLinkedRoleCreationNotPermitted",
        "name": "AuthFailure.ServiceLinkedRoleCreationNotPermitted",
        "$fault": "client",
        "$metadata": {
            "httpStatusCode": 403,
            "requestId": "83d96a1b-affa-4fe4-8058-84b4002a64a9",
            "attempts": 1,
            "totalRetryDelay": 0
        }
    },
    "activity": "requestSpotInstance",
    "msg": "Sending spot instance request failed"
}

samchungy commented 2 years ago

Can you try adding iam:CreateServiceLinkedRole to https://github.com/samchungy/valheim-aws-spot-server/blob/ec6e9f213340035e0c864d8b5ac71efc36627e49/serverless.yml#L51

Ezekiel-DA commented 2 years ago

As is tradition while troubleshooting, I opened this issue after hours of trying on my own, kept looking after, and found a possible solution five minutes later:

aws iam create-service-linked-role --aws-service-name spot.amazonaws.com

However, I would much rather have a solution that works for everyone and is part of the project, so I'm currently deleting the role this command created, clearing all resources and starting over with your potential fix to test it out! Will report back in a bit.

Ezekiel-DA commented 2 years ago

Adding iam:CreateServiceLinkedRole definitely works! I went back and deleted my manually created role, deleted all resources, made sure things were failing again, then applied your change and confirmed everything is now working.

Thanks a bunch!
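
The fix confirmed in this thread, written as a least-privilege IAM statement. This is an added example, not the project's actual serverless.yml: it assumes the Serverless Framework `provider.iam.role.statements` layout and scopes the permission to the EC2 Spot service-linked role (`AWSServiceRoleForEC2Spot`) instead of granting it on every resource.

```yaml
# Added example, not copied from the repository's serverless.yml.
# Assumption: IAM statements for the Lambda role live under
# provider.iam.role.statements (older Serverless Framework versions
# use provider.iamRoleStatements instead).
provider:
  name: aws
  iam:
    role:
      statements:
        # Broad form (left commented out): lets the Lambda role create a
        # service-linked role for any AWS service that supports one.
        # - Effect: Allow
        #   Action: iam:CreateServiceLinkedRole
        #   Resource: '*'

        # Scoped form: only the service-linked role that EC2 Spot needs.
        - Effect: Allow
          Action: iam:CreateServiceLinkedRole
          # Service-linked roles are created under the aws-service-role/ path,
          # in a sub-path named after the owning service principal.
          Resource: arn:aws:iam::*:role/aws-service-role/spot.amazonaws.com/AWSServiceRoleForEC2Spot
          Condition:
            StringEquals:
              # Restricts which service the role may be created for.
              iam:AWSServiceName: spot.amazonaws.com
```

The service-linked role is created once per AWS account, so this permission is only exercised on the first Spot request in an account where the role does not exist yet.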