org-formation / aws-resource-providers

A community driven repository where you can find AWS Resource Type Providers for different purposes (including org-formation ones).
MIT License

Error creating service-linked role for Service Quotas #75

Open eduardomourar opened 3 years ago

eduardomourar commented 3 years ago

If you try to create the CloudFormation service quota for stacks in an AWS account that has never been used with Service Quotas, the following error happens in Community::ServiceQuotas::CloudFormation resource type v0.1.0:

Error: Service-linked role creation access denied.

Even after adding the following policy to the execution role, it still did not work:

```json
{
    "Effect": "Allow",
    "Action": "iam:CreateServiceLinkedRole",
    "Resource": "arn:aws:iam::*:role/aws-service-role/servicequotas.amazonaws.com/AWSServiceRoleForServiceQuotas*",
    "Condition": {"StringLike": {"iam:AWSServiceName": "servicequotas.amazonaws.com"}}
},
{
    "Effect": "Allow",
    "Action": [
        "iam:AttachRolePolicy",
        "iam:PutRolePolicy"
    ],
    "Resource": "arn:aws:iam::*:role/aws-service-role/servicequotas.amazonaws.com/AWSServiceRoleForServiceQuotas*"
}
```

The CloudTrail event:

```json
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "<REDACTED>",
        "arn": "arn:aws:sts::123456789012:assumed-role/community-servicequotas-cloudformati-ExecutionRole-<REDACTED>/<REDACTED>",
        "accountId": "123456789012",
        "accessKeyId": "<REDACTED>",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "<REDACTED>",
                "arn": "arn:aws:iam::123456789012:role/community-servicequotas-cloudformati-ExecutionRole-<REDACTED>",
                "accountId": "123456789012",
                "userName": "community-servicequotas-cloudformati-ExecutionRole-<REDACTED>"
            },
            "webIdFederationData": {},
            "attributes": {
                "mfaAuthenticated": "false",
                "creationDate": "<REDACTED>"
            }
        },
        "invokedBy": "servicequotas.amazonaws.com"
    },
    "eventTime": "<REDACTED>",
    "eventSource": "iam.amazonaws.com",
    "eventName": "CreateServiceLinkedRole",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "servicequotas.amazonaws.com",
    "userAgent": "servicequotas.amazonaws.com",
    "errorCode": "AccessDenied",
    "errorMessage": "User: arn:aws:sts::123456789012:assumed-role/community-servicequotas-cloudformati-ExecutionRole-<REDACTED>/<REDACTED> is not authorized to perform: iam:CreateServiceLinkedRole on resource: arn:aws:iam::123456789012:role/aws-service-role/servicequotas.amazonaws.com/AWSServiceRoleForServiceQuotas",
    "requestParameters": null,
    "responseElements": null,
    "requestID": "<REDACTED>",
    "eventID": "<REDACTED>",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "eventCategory": "Management",
    "recipientAccountId": "123456789012"
}
```

As a workaround, I have been able to create the service-linked role myself through the CLI beforehand: `aws iam create-service-linked-role --aws-service-name servicequotas.amazonaws.com`.

Because servicequotas.amazonaws.com does not have MFA authenticated set to true, the resource provider making the call directly to IAM to create the service-linked role would be a possible solution.
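The CloudTrail record and the policy statements above lend themselves to a small offline triage routine. The following is an added example, not code from the aws-resource-providers project: it recognises an `AccessDenied` on `iam:CreateServiceLinkedRole` made on behalf of an AWS service, pulls the service principal and role name out of the error message, checks whether the execution role's own policy document would match the request (IAM `*`/`?` wildcards plus `StringEquals`/`StringLike` conditions only), and produces the manual pre-creation command from the workaround. The sample event is constructed in the shape of the record above with placeholders for the redacted fields. The decision it returns covers that one policy document only; SCPs, permissions boundaries and other attached policies are not modelled, so an `Allow` here means only that the wildcards and the `iam:AWSServiceName` condition are not what is rejecting the call.

```python
"""Offline triage of a CloudTrail AccessDenied on iam:CreateServiceLinkedRole.
Added example; not code from the aws-resource-providers project."""
import re

# Constructed sample: shape of the CloudTrail record in the issue, redacted
# values replaced with placeholders.
SAMPLE_EVENT = {
    "userIdentity": {
        "type": "AssumedRole",
        "arn": "arn:aws:sts::123456789012:assumed-role/ExecutionRole-PLACEHOLDER/session",
        "invokedBy": "servicequotas.amazonaws.com",
    },
    "eventSource": "iam.amazonaws.com",
    "eventName": "CreateServiceLinkedRole",
    "errorCode": "AccessDenied",
    "errorMessage": (
        "User: arn:aws:sts::123456789012:assumed-role/ExecutionRole-PLACEHOLDER/session "
        "is not authorized to perform: iam:CreateServiceLinkedRole on resource: "
        "arn:aws:iam::123456789012:role/aws-service-role/servicequotas.amazonaws.com/"
        "AWSServiceRoleForServiceQuotas"
    ),
}

# The two statements the reporter added to the execution role.
SLR_ARN = ("arn:aws:iam::*:role/aws-service-role/servicequotas.amazonaws.com/"
           "AWSServiceRoleForServiceQuotas*")
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": SLR_ARN,
         "Condition": {"StringLike": {"iam:AWSServiceName": "servicequotas.amazonaws.com"}}},
        {"Effect": "Allow", "Action": ["iam:AttachRolePolicy", "iam:PutRolePolicy"],
         "Resource": SLR_ARN},
    ],
}

DENIAL_RE = re.compile(r"is not authorized to perform: (?P<action>\S+) on resource: (?P<resource>\S+)")


def parse_slr_denial(event):
    """Denied action/resource/service for a CreateServiceLinkedRole AccessDenied, else None."""
    if (event.get("eventSource") != "iam.amazonaws.com"
            or event.get("eventName") != "CreateServiceLinkedRole"
            or event.get("errorCode") != "AccessDenied"):
        return None
    match = DENIAL_RE.search(event.get("errorMessage", ""))
    if not match:
        return None
    resource = match.group("resource")
    # SLR ARNs: ...:role/aws-service-role/<service-principal>/<RoleName>
    parts = resource.split("/")
    service = parts[2] if len(parts) == 4 and parts[1] == "aws-service-role" else None
    invoked_by = event.get("userIdentity", {}).get("invokedBy")
    return {"action": match.group("action"), "resource": resource, "role_name": parts[-1],
            "service_name": service or invoked_by, "invoked_by_service": invoked_by}


def iam_glob(pattern, value, ignore_case=False):
    """Match an IAM wildcard pattern (* and ?) against a value."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _conditions_hold(conditions, context):
    """StringEquals / StringLike only; a missing key or unknown operator fails closed."""
    for operator, pairs in conditions.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "StringEquals":
                ok = actual in _as_list(expected)
            elif operator == "StringLike":
                ok = any(iam_glob(p, actual) for p in _as_list(expected))
            else:
                return False
            if not ok:
                return False
    return True


def policy_decision(policy, action, resource, context=None):
    """'Deny', 'Allow' or 'NoMatch' for one policy document in isolation."""
    context = context or {}
    matched = [s for s in policy["Statement"]
               if any(iam_glob(a, action, True) for a in _as_list(s.get("Action", [])))
               and any(iam_glob(r, resource) for r in _as_list(s.get("Resource", [])))
               and _conditions_hold(s.get("Condition", {}), context)]
    effects = {s.get("Effect") for s in matched}
    return "Deny" if "Deny" in effects else "Allow" if "Allow" in effects else "NoMatch"


def workaround_command(service_name):
    """The manual pre-creation step from the issue, as a CLI string."""
    return f"aws iam create-service-linked-role --aws-service-name {service_name}"


def triage(event, policy):
    denial = parse_slr_denial(event)
    if denial is None:
        return None
    context = {"iam:AWSServiceName": denial["service_name"]}
    denial["policy_decision"] = policy_decision(policy, denial["action"], denial["resource"], context)
    denial["workaround"] = workaround_command(denial["service_name"])
    return denial


if __name__ == "__main__":
    print(triage(SAMPLE_EVENT, SAMPLE_POLICY))
```

For the record above, `triage` returns `policy_decision == "Allow"`: the wildcarded ARN and the `iam:AWSServiceName` condition both match the request on paper, which is the same conclusion the reporter reached when adding the statements did not help, and it points the investigation at everything this single-document check does not see. The `service_name` field is taken from the ARN path rather than from `invokedBy`, so the same routine works for other services' SLRs.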

OlafConijn commented 3 years ago

Would it be fair to expect someone to create the SLR using AWS::IAM::ServiceLinkedRole?

eduardomourar commented 3 years ago

I would have no problem with that. Although, I believe the approach used by the native AWS resources is to create the service-linked role automatically: https://github.com/aws-cloudformation/aws-cloudformation-resource-providers-ecr/blob/da26794f4c45a99e939d325f8f5bceed9c4fd1af/aws-ecr-replicationconfiguration/aws-ecr-replicationconfiguration.json#L96

OlafConijn commented 3 years ago

ServiceLinkedRole should be created by the RP.