Auto Scaling Group LifecycleHooks, SQS, and IAM

AWS offers Lifecycle Hooks for AutoScaling Groups that allow you to respond to a change in instance state. For example, publishing create/terminate events to an SQS queue:

aws autoscaling put-lifecycle-hook \
 --lifecycle-hook-name "${HOOK}_launching" \
 --auto-scaling-group-name "$ASG_NAME" \
 --notification-target-arn "$SQS_ARN" \
 --role-arn "$ROLE_ARN" \
 --lifecycle-transition "autoscaling:EC2_INSTANCE_LAUNCHING"

aws autoscaling put-lifecycle-hook \
 --lifecycle-hook-name "${HOOK}_terminating" \
 --auto-scaling-group-name "$ASG_NAME" \
 --notification-target-arn "$SQS_ARN" \
 --role-arn "$ROLE_ARN" \
 --lifecycle-transition "autoscaling:EC2_INSTANCE_TERMINATING"

The instructions for doing so are pretty straightforward, but I ran into an irritating error:

An error occurred (ValidationError) when calling the PutLifecycleHook operation: Unable to publish test message to notification target arn:aws:sqs:us-west-2:123456:my-sqs-queue.fifo using IAM role arn:aws:iam:1234:role/my-asg-role. Please check your target and role configuration and try to put lifecycle hook again.

All of the search results for that error turned up solutions involving incorrect IAM policies. That should not be the cause if you simply attach the AutoScalingNotificationAccessRole managed policy to your role per the instructions. For reference, the correct settings are below.

In my case, however, it turns out that AutoScaling can’t publish to a FIFO queue. Recreating the queue as a standard queue fixed this problem for me.

arn:aws:iam::aws:policy/service-role/AutoScalingNotificationAccessRole:

{
    "Version": "2012-10-17",
    "Statement": [{
         "Effect": "Allow",
         "Resource": "*",
         "Action": [
             "sqs:SendMessage",
             "sqs:GetQueueUrl",
             "sns:Publish"
         ]
    }]
}

You’ll also want to verify that a Trust Relationship exists on your Role that allows the Auto Scaling service to assume that role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "autoscaling.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
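
The three things that can trigger this ValidationError (FIFO queue, missing trust relationship, missing policy) can be checked before calling put-lifecycle-hook. The following is an added example, not code from the original post; the function names are hypothetical, it assumes an SQS notification target, and it assumes the role gets its permissions from the managed policy rather than an equivalent inline policy.

```python
# Added example: offline pre-flight check for put-lifecycle-hook inputs.
# Inputs can be gathered with `aws iam get-role` (AssumeRolePolicyDocument)
# and `aws iam list-attached-role-policies`; function names here are hypothetical.
MANAGED_POLICY_ARN = "arn:aws:iam::aws:policy/service-role/AutoScalingNotificationAccessRole"
ASG_PRINCIPAL = "autoscaling.amazonaws.com"


def _as_list(value):
    """IAM JSON accepts either a single value or a list in these fields."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def trusts_autoscaling(trust_policy):
    """True if an Allow statement lets the Auto Scaling service call sts:AssumeRole."""
    for stmt in _as_list(trust_policy.get("Statement")):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if (stmt.get("Effect") == "Allow" and ASG_PRINCIPAL in services
                and "sts:AssumeRole" in _as_list(stmt.get("Action"))):
            return True
    return False


def preflight(queue_arn, trust_policy, attached_policy_arns):
    """Return a list of problems; an empty list means the inputs look usable."""
    problems = []
    parts = queue_arn.split(":")
    if len(parts) != 6 or parts[2] != "sqs":
        problems.append("notification target is not an SQS queue ARN")
    elif parts[5].endswith(".fifo"):  # FIFO queue names always end in .fifo
        problems.append("queue is FIFO; recreate it as a standard queue")
    if not trusts_autoscaling(trust_policy):
        problems.append("trust policy does not let autoscaling.amazonaws.com assume the role")
    if MANAGED_POLICY_ARN not in attached_policy_arns:
        problems.append("AutoScalingNotificationAccessRole is not attached")
    return problems


if __name__ == "__main__":
    # Constructed sample: the trust policy shown above and the FIFO queue ARN from the error.
    trust = {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "autoscaling.amazonaws.com"},
        "Action": "sts:AssumeRole"}]}
    for problem in preflight("arn:aws:sqs:us-west-2:123456:my-sqs-queue.fifo",
                             trust, [MANAGED_POLICY_ARN]):
        print("FAIL:", problem)
```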

 
