Why am I receiving an error when I try to create an Amazon EC2 Auto Scaling lifecycle hook?

Lesedauer: 3 Minute
0

I'm receiving a validation error when I try to create an Amazon Elastic Compute Cloud (Amazon EC2) Auto Scaling lifecycle hook. The error reads "Unable to publish test message to notification target" or "Please check your target and role configuration and try to put lifecycle hook again." How do I troubleshoot these errors?

Short description

To publish a message to the Amazon Simple Queue Service (Amazon SQS), the lifecycle hook's AWS Identity and Access Management (IAM) role must:

  • Be different from the IAM role assigned to the instance.
  • Be listed as a key user on the AWS Key Management Service (AWS KMS) key policy.
  • Have a trust policy attached for the Auto Scaling service.
  • Include specific managed policy actions.
  • Be associated with the Amazon EC2 Auto Scaling group.
  • Have access to the encryption key used by Amazon SQS.

Resolution

1.    Confirm that you're using an IAM role for the lifecycle hook that's different from the IAM role you've assigned to the instance.

Note: You can create an IAM role, or use the following AWS managed role that has all of the necessary permissions:

arn:aws:iam::aws:policy/service-role/AutoScalingNotificationAccessRole

2.    Verify that the role is included as a key user on the KMS key policy. To do this:

Open the AWS KMS console.
Select the KMS key.
Verify that the role is listed under Key users on the Key policy tab. If the role isn't listed, search for it, and then select Add.

3.    Be sure that the IAM role for the lifecycle hook has a trust policy attached for the Amazon EC2 Auto Scaling service.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "autoscaling.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

4.    Verify that the managed policy for the lifecycle hook's IAM role includes the following actions:
For SQS messagessqs:SendMessage
sqs:GetQueueUrl

For SNS notifications
sns:Publish

5.    In the AWS Command Line Interface (AWS CLI), run the aws autoscaling put-lifecycle-hook command.

6.    Run the command below to confirm that the lifecycle hook is associated with the Auto Scaling group.

aws autoscaling describe-lifecycle-hooks --auto-scaling-group-name "ExampleSQSQueueName"

Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.


Related information

Amazon EC2 Auto Scaling lifecycle hooks

AWS OFFICIAL
AWS OFFICIALAktualisiert vor 3 Jahren