I tried to use resource aws_glue_job, but as soon as it's prepared to be launched, an error is shown as follows:
│ Error: error creating Glue Job (job): AccessDeniedException: Account 411xxxxxxxx (Account id) is denied access.
│
│ with aws_glue_job.job,
│ on main.tf line 94, in resource "aws_glue_job" "job":
│ 94: resource "aws_glue_job" "job" {
I checked the policies and apparently is okay. What might be doing it?
For some reason my issue was solved by creating and using a new account. This account being used previously was for test, that is why I did have no problems by changing It to a new one
We still have the same problem; even with sub-accounts of a totally new account. It seems like more and more people have the same issue:
Access Denied for Glue_Job in terraform
AWSGlue AccessDeniedException, Status Code 400
Access Denied When Create AWS Glue Crawler
AWS Glue gives AccessDeniedException
https://repost.aws/questions/QUhxdKlj4VSF-dzTXo7Xt3Iw/aws-glue-access-denied-exception-status-code-400
https://repost.aws/questions/QU7wLjCe0rR_Wp5VFgVKTIbg/unable-to-run-create-glue-job-from-root-user-getting-access-denied-exception
I had the exact same problem. Logging with TF_LOG (debbuging_terraform) helped me to be sure that this was not being caused by anything that I could fix.
If you have already verified policies (For example I attached AWSGlueConsoleFullAccess policy to the role creating glue job) and you have also verified that aws provider is correct, see: provider. You can open a ticket with billing & account and they will escalate this properly. They helped me and now I am able to create glue jobs again with the same account.
Related
AWS noob here. I am unable to find where in the management console do we see the access token. I have access to the secret key and the access key but apparently API access to AWS requires an access token as well which I am unable to find anywhere on the portal
Additional Information:
What I am looking for, is a way to create and destroy tokens via the management console provided by AWS. I am actually learning about terraform AWS provider which requires access key, secret key and the token.
Scraping the internet for answers, it becomes clear that one create and destroy these tokens using the SDK. I am looking at an easy and quick way to create this token via the management console itself. Is that even possible?
Accessing the AWS resource without a token gives me the following error:
aws_instance.sl-ec2-01: Creating...
╷
│ Error: creating EC2 Instance: InvalidAMIID.NotFound: The image id '[ami-07ffb2f4d65357b42]' does not exist
│ status code: 400, request id: 53057722-210e-46fa-89e3-2484f35ab263
│
│ with aws_instance.sl-ec2-01,
│ on ec2-instance.tf line 1, in resource "aws_instance" "sl-ec2-01":
│ 1: resource "aws_instance" "sl-ec2-01" {
this is the exact ami that I retrieved from the portal. My terraform code snippet for provisioning a new VM in the ap-south-1 region:
resource "aws_instance" "sl-ec2-01" {
instance_type = "t2.micro"
ami = "ami-07ffb2f4d65357b42"
}
Update 2:
It turns out I had not changed the region information which is why the AMI was not matching. It has now spun an image correctly.
An IAM User only has an Access Key and a Secret Key.
However, if you create temporary credentials using the AWS Security Token Service (STS), then a token is also provided.
For example, using your IAM User credentials to call AssumeRole() to gain privileges from an IAM Role, then you will be given:
Access Key
Secret Key
Access Token
Apparently, the AMI (machine image) corresponding to a particular OS flavor changes from region to region. While I had changed my region, I hadn't changed the AMI. Which is what I was erring with.
Upon changing the AMI for the OS to the one for my new region, it worked
Just started using IntelliJ with AWS and this error pops after using the terraform apply command and the code is just a simple deployment of an EC2 instance.
Error: error configuring Terraform AWS Provider: no valid credential sources for Terraform AWS Provider found.
│
│ Please see https://registry.terraform.io/providers/hashicorp/aws
│ for more information about providing credentials.
│
│ Error: failed to refresh cached credentials, no EC2 IMDS role found, operation error ec2imds: GetMetadata, request send failed, Get "http://169.254.169.2
54/latest/meta-data/iam/security-credentials/": dial tcp 169.254.169.254:80: i/o timeout
│
│
│ with provider["registry.terraform.io/hashicorp/aws"],
│ on main.tf line 1, in provider "aws":
│ 1: provider "aws" {
│
╵
Credentials with AWS Explorer are correct Using an IAM user in Admin group. Terraform is installed IntelliJ plug-ins for Terraform and AWS are installed There is a connection between IntelliJ and AWS
Using Windows 10 Can't use admin operations on Windows I feel like Terraform and AWS cant be connected (as the error says), but I can't understand why.
Any ideas how can I deploy this instance? Any help is appreciated. I am here to answer any questions you may have. I expected to deploy an EC2 instance. I've tried creating a new project, reinstalling IntelliJ, using other IDE like VS Code.
So I had to run:
$ export AWS_ACCESS_KEY_ID=(your access key id)
$ export AWS_SECRET_ACCESS_KEY=(your secret access key)
With my keys in the Ubuntu terminal in IntelliJ and it worked!
Alternatively, you can configure your provider block as follows:
provider "aws" {
region = "aws_region_to_create_resources"
profile = "aws_profile_to_use"
}
or if your aws credentials file is in another path other than the default $HOME/.aws :
provider "aws" {
region = "aws_region_to_create_resources"
shared_credentials_file = "path_to_aws_credentials_file"
profile = "aws_profile_to_use"
}
Specifying a profile has the advantage of allowing you to use different AWS accounts for different environments. You can also use this method to deploy resources in the same terraform module to different accounts or regions by using aliases.
I have a Terraform GitLab runner I've provisioned in my kubernetes cluster via Helm to execute Terraform related CICD pipelines. The runner users a specific service account that has access to a provisioned IAM Role for the runner using IAM Role for Service Accounts. To ensure that the runner is able to obtain the correct role, in my pipeline, I've included aws sts get-caller-identity call in my job and the job successfully returns the role. However, when terraform plan -out=tfplan or terraform apply tfplan is executed, I get the following error:
Error: error configuring S3 Backend: no valid credential sources for
S3 Backend found. │ │ Please see
https://www.terraform.io/docs/language/settings/backends/s3.html │ for
more information about providing credentials. │ │ Error:
NoCredentialProviders: no valid providers in chain. Deprecated. │ For
verbose messaging see aws.Config.CredentialsChainVerboseErrors
This error comes up randomly. It does not occur consistently.
I've considered using "skip_credentials_validation" and "skip_requesting_account_id" as mentioned in this stackoverflow post, but I feel there should be a better way for terraform to detect if the credentials are present for this type of scenario without having to do this type of bypass or actually committing a credentials file into the repository with access key and secret access key to assume a role.
Does anyone know how this can be done such that terraform would pick up the role consistently without hardcoding credentials?
Did you try explicitly initialize terraform with your backend config?
terraform init \
-backend-config="access_key=<your access key>" \
-backend-config="secret_key=<your secret key>"
I've noticed that after upgrading the values.yml file for the GitLab Runner and upgrading the runner to be on the current version (15.2.1) combined with IAM Role for Service Accounts enabled terraform init and plan to run as expected.
Keep in mind I've also updated GitLab server to v15.3 as well such that it is generally in sync with the runner version.
Currently, when I try to run terraform plan or terraform apply, my code hangs for a very long time before eventually throwing this command
Error: error configuring Terraform AWS Provider: error validating provider credentials: error calling
sts:GetCallerIdentity: operation error STS: GetCallerIdentity, exceeded maximum number of attempts, 25,
https response error StatusCode: 0, RequestID: , request send failed, Post
"https://sts.us-east-1a.amazonaws.com/": x509: “Kubernetes Ingress Controller Fake Certificate”
certificate is not trusted
│
│ with module.test.provider["registry.terraform.io/hashicorp/aws"],
│ on asg-launch-configuration/provider.tf line 1, in provider "aws":
│ 1: provider "aws" {
│
This only stared to happen after I believe a previous terraform apply was interrupted with a Control + C. I have deleted all of the terraform state files (I believe) and have even deleted the entire folder where the code was, but the error persists when I try to run other terraform apply commands. I have also went into the aws console and I believe deleted all the items that are provisioned by that terraform code.
Any idea what issue may have occurred?
Edit:
I am using a module, but the provider block is only this:
provider "aws" {
region = var.region
}
Edit 2:
It turns out there was a ec2_instance_profile that had not been deleted. I was able to change the aws region and when running terraform apply it told me that the above was still there, and I was able to delete it using the AWS CLI. Now everything works as expected.
It turns out there was a ec2_instance_profile that had not been deleted. I was able to change the aws region and when running terraform apply it told me that the above was still there, and I was able to delete it using the AWS CLI. Now everything works as expected.
I'm getting that 403 error when terraform, v0.11.11, is applying to the node pool that is managed separately from the gke cluster creation.
Full error:
google_container_node_pool.np: error creating NodePool: googleapi: Error 403: Required "container.clusters.update" permission(s) for "projects//locations/us-central1/clusters/". See https://cloud.google.com/kubernetes-engine/docs/troubleshooting#gke_service_account_deleted for more info., forbidden
I ran through the troubleshooting guide but all it says is to disable and then enable the api again, which I did try, and still am getting that error.
Also using the google and google beta providers both versions 1.20
try to delete the default GKE service account, and re enable the service using the gcloud command which is going to recreate the default service account.
If that's not working for you try to change the roles of the account to "Editor" or create a custom role including the "container.clusters.update" permission.
So the root cause was I was using a custom module but passing credentials down to the custom module in the module block, but it was still using the original credentials that were being used to test the custom module. Once I changed the custom module creds to what they should be it was working.
I too ran into the same problem. Looks like the issue is that the google_container_node_pool resource is trying to update cluster in the project specified in the terraform google provider block rather than the project in which the actual cluster exits. I was able to fix it by specifying the same project provided in the google_container_node_pool which is same as the google_container_cluster resource.
In my case, it was zone issue. I used region instead of zone.
google_container_node_pool.primary_nodes[0]: Creating...
╷
│ Error: error creating NodePool: googleapi: Error 404: Not found: projects/project/locations/europe-west6/clusters/myslodi-cluster., notFound
│
│ with google_container_node_pool.primary_nodes[0],
│ on main.tf line 17, in resource "google_container_node_pool" "primary_nodes":
│ 17: resource "google_container_node_pool" "primary_nodes" {
my env was look like this
region: "europe-west6"
zone: "europe-west6-b"
so had to replace var.region with var.zone
resource "google_container_node_pool" "primary_nodes" {
count = 1
name = "${google_container_cluster.primary.name}-node-pool"
cluster = google_container_cluster.primary.name
node_count = var.node_count
location = var.zone