The default IamFleetRole changed on AWS-side?

[mumoshu]

kube-aws: v0.9.9-rc.3, but any version would be affected

I've just added a spot-fleet based node pool to my cluster and it failed like this:

The value for the IamFleetRole property was:

"IamFleetRole":{"Fn::Join":["",["arn:aws:iam::",{"Ref":"AWS::AccountId"},":role/aws-ec2-spot-fleet-role"]]}

which had certainly worked before.

As far as I remember, aws-ec2-spot-fleet-role was taken from the "Request Spot Instances" on AWS console because it was the default role at that time.
However, interestingly the default shown today is aws-ec2-spot-fleet-tagging-role.

Can we just change the default to the new role?
Does your AWS account shows the new role as the default one once you've browsed to the "Request Spot Instances" pane?

[cknowles]

I checked our accounts and it's still aws-ec2-spot-fleet-role there. Can't find aws-ec2-spot-fleet-tagging-role anywhere. Probably we need to just include our own role with the same permissions.

[mumoshu]

@c-knowles Would you mind reviewing your IAM roles after you've navigated to the second page after clicking "Request Spot Instances" button in your AWS console?
The reason I'm asking is that the new role seems to have CreateTags permission, which probably is missing in the old role. So whenever you navigate there today, I suppose the new default role should be created.

[mumoshu]

Update: docs.aws.amazon.com seems to include the new role in all the examples I've reviewed today.

Also relevant: hashicorp/terraform-provider-aws#1232

I'm not saying we should completely drop support or comment for the old role.
We should, at least, suggest in cluster.yaml comments to encourage users to navigate to the spot fleet request page once again to create the new role(if it is created in such way

[cknowles]

@mumoshu yes it has aws-ec2-spot-fleet-tagging-role there now I've clicked that so that does assume the user has taken the manual step to request a spot fleet prior to deploying. Since it's only a managed policy and not a managed role or service linked role, it seems like we could just create this role ourselves and remove that potential manual step?

[mumoshu]

@c-knowles Thanks for confirming!

it seems like we could just create this role ourselves and remove that potential manual step?

I had initially thought that I'd rather prefer not to create it ourselves - so that we can save number of IAM roles created by kube-aws.

However, I'm now convinced to do it - manual steps should be eliminated whereas possible

I'll open an another issue for that.

[cknowles]

@mumoshu yeah that's all I mean, if it's not a managed role then we're forced to include it 👍