Verify that you have permission to create service linked role

I had an error when attempting to create a new rds-postgres resource:
Verify that you have permission to create service linked role.

To resolve the issue I had to manually update the “api-rds-provisioner” inline policy on the “{RACK NAME}-api” IAM role to include this:

{
  "Effect": "Allow",
  "Action": "iam:CreateServiceLinkedRole",
  "Resource": "arn:aws:iam::*:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS",
  "Condition": {
    "StringLike": {
      "iam:AWSServiceName": "rds.amazonaws.com"
    }
  }
}
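As an added example (not code from the thread or from the Convox project), a small Python checker for the statement above: it classifies an IAM policy document as missing the permission, granting it scoped to rds.amazonaws.com as in the fix, or granting it broadly (any service-linked role), and appends the scoped statement when it is missing. The account id in _TARGET_ARN is a placeholder used only for resource matching.

```python
import copy
from fnmatch import fnmatchcase

# Constructed example: the inline-policy statement from the post above, as a dict.
RDS_SLR_ARN = "arn:aws:iam::*:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS"
RDS_SLR_STATEMENT = {
    "Effect": "Allow",
    "Action": "iam:CreateServiceLinkedRole",
    "Resource": RDS_SLR_ARN,
    "Condition": {"StringLike": {"iam:AWSServiceName": "rds.amazonaws.com"}},
}
_TARGET_ARN = RDS_SLR_ARN.replace("*", "123456789012")  # placeholder account id

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, name):
    # IAM treats * and ? as wildcards and compares actions case-insensitively.
    return fnmatchcase(name.lower(), pattern.lower())

def _pins_rds(condition):
    # True when Condition restricts iam:AWSServiceName to exactly rds.amazonaws.com.
    for operator in ("StringEquals", "StringLike", "StringEqualsIgnoreCase"):
        for key, values in condition.get(operator, {}).items():
            if key.lower() == "iam:awsservicename":
                return all(v.lower() == "rds.amazonaws.com" for v in _as_list(values))
    return False

def rds_slr_grant(policy):
    """Return 'missing' (the error in the post), 'scoped' (least privilege) or 'broad'."""
    verdict = "missing"
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":  # Deny statements are not modelled here
            continue
        if not any(_matches(a, "iam:CreateServiceLinkedRole") for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_matches(r, _TARGET_ARN) for r in _as_list(stmt.get("Resource", []))):
            continue
        if _pins_rds(stmt.get("Condition", {})):
            verdict = "scoped" if verdict == "missing" else verdict
        else:
            verdict = "broad"
    return verdict

def ensure_rds_slr(policy):
    """Return a copy of the policy with the scoped statement appended if it is missing."""
    fixed = copy.deepcopy(policy)
    if rds_slr_grant(fixed) == "missing":
        fixed["Statement"] = _as_list(fixed.get("Statement", [])) + [RDS_SLR_STATEMENT]
    return fixed
```

Feed it the document returned by `aws iam get-role-policy` for the rack's api role; a "broad" verdict means the role can create service-linked roles for any AWS service, which is more than the RDS provisioner needs.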

Hey @rhysawilliams2010

What rack version are you currently running on?
You can find this in the output of convox rack or convox rack params

I believe AWS made some changes along these lines, but we’ve applied rack updates which should solve any issues.

I just reran our unit testing for v3 RDS postgres and there were no errors.

I first installed client: 3.19.6 then upgraded to client: 3.19.7 and it still didn’t work

@rhysawilliams2010

Can you please provide me with the convox.yml (redacted if needed) you’re deploying with so I can take a look. Feel free to DM it if you prefer.

Hi Nick, this is my convox.yml:

version: '3'
resources:
  database:
    type: rds-postgres
    options:
      version: 16
      encrypted: true
      class: db.t3.micro
      deletionProtection: true
      durable: true
      backupRetentionPeriod: 7
services:
  app:
    build: .
    port: 8080
    health: /actuator/health
    scale:
      cpu: 256
      memory: 1024
    resources:
      - database

Hey @rhysawilliams2010,

I just took your exact convox.yml sans healthcheck path and deployed with no issues.

I believe what you may be confusing is the difference between CLI and rack versions.

Even if your client (CLI) is updated to a later version, you must also update your rack.

  • You can check your rack’s current version with the commands convox rack -r <rack-name> or convox rack params -r <rack-name>.
  • The command convox version will show your client (CLI) and server (actively addressed rack, convox switch <rack-name>) version. Once actively addressed, the -r <rack-name> flag no longer needs to be appended to commands if you desire.
  • The command convox rack update <version> -r <rack-name> will update your rack to the desired version. Please be sure to read up on the documentation regarding v3 versioning, as it requires step-wise updates through the minor versions to support Kubernetes update paths.
  • The command convox update will only update your CLI.

@Nick-Convox I am aware of the difference between the cli version and the rack version. This was definitely an issue for me until I changed the IAM role. I have created a PR that I believe fixes the issue here: Enable CreateServiceLinkedRole for rds-provisioner by rhys-lastmyle · Pull Request #864 · convox/convox · GitHub