Unable to Access IAM AWS Service Endpoint in a private subnet using a Private Link or VPC Endpoint - amazon-iam

We're trying to access AWS services from a private subnet in a VPC using a VPC endpoint or PrivateLink. We're trying to avoid adding a NAT gateway on the private subnet.
We created/added VPC endpoints (i.e. the AWS services for EC2 and S3):
com.amazonaws.us-east-2.ec2
com.amazonaws.us-east-2.s3
But we're not able to access something like com.amazonaws.us-east-2.iam. Is there an IAM endpoint, is this supported, or is there any workaround for us to use IAM via a VPC endpoint in us-east-2?
Here's the error we're getting when we use the latest version of the Java AWS SDK to get the EC2 instance's attached IAM role programmatically:
org.apache.http.conn.ConnectTimeoutException: Connect to
iam.amazonaws.com:443 [iam.amazonaws.com/
Thanks for any information you can provide.

As of May 2022, a VPC endpoint for IAM is not supported. You'd have to connect to IAM via the internet. Or, as a workaround, you can do IAM actions in CloudFormation.
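The question's actual goal, reading the IAM role attached to the instance, does not need the IAM API at all: the instance metadata service at 169.254.169.254 serves the role name and its temporary credentials over a link-local address that works without an IAM endpoint, NAT or internet route. The following is an added example, not code from the question or the answer. It implements the documented IMDSv2 exchange (PUT a session token, then GET with the token header) and takes the HTTP transport as a parameter so the logic can be exercised off-instance with a constructed fake; the role name, key IDs and token values in the fake are constructed.

```python
import json
import urllib.request

IMDS = "http://169.254.169.254"
TOKEN_PATH = "/latest/api/token"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"


def _urllib_transport(method, path, headers):
    """Real transport: only works on an EC2 instance (link-local address)."""
    req = urllib.request.Request(IMDS + path, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.status, resp.read().decode()


def instance_role_credentials(transport=_urllib_transport, ttl=300):
    """IMDSv2 flow: obtain a session token, then read the attached role and its credentials.

    Returns (role_name, credentials_dict). Raises RuntimeError when no instance
    profile is attached or IMDS rejects the request.
    """
    status, token = transport("PUT", TOKEN_PATH,
                              {"X-aws-ec2-metadata-token-ttl-seconds": str(ttl)})
    if status != 200:
        raise RuntimeError(f"IMDSv2 token request failed: HTTP {status}")
    auth = {"X-aws-ec2-metadata-token": token}

    status, role_name = transport("GET", CREDS_PATH, auth)
    if status == 404 or not role_name.strip():
        raise RuntimeError("no IAM instance profile attached to this instance")
    if status != 200:
        raise RuntimeError(f"role lookup failed: HTTP {status}")
    role_name = role_name.strip()

    status, body = transport("GET", CREDS_PATH + role_name, auth)
    if status != 200:
        raise RuntimeError(f"credential fetch failed: HTTP {status}")
    creds = json.loads(body)
    if creds.get("Code") != "Success":
        raise RuntimeError(f"credential fetch failed: {creds.get('Code')}")
    return role_name, creds


def make_fake_imds(role):
    """Constructed stand-in for IMDS so the flow can run off-instance.

    `role` is the attached role name, or None to simulate an instance without a profile.
    """
    fake_token = "AQAAA-constructed-token"

    def transport(method, path, headers):
        if method == "PUT" and path == TOKEN_PATH:
            return 200, fake_token
        if headers.get("X-aws-ec2-metadata-token") != fake_token:
            return 401, ""  # IMDSv2 rejects unauthenticated GETs
        if path == CREDS_PATH:
            return (200, role) if role else (404, "")
        if role and path == CREDS_PATH + role:
            return 200, json.dumps({
                "Code": "Success", "Type": "AWS-HMAC",
                "AccessKeyId": "ASIACONSTRUCTEDKEY", "SecretAccessKey": "constructed-secret",
                "Token": "constructed-session-token", "Expiration": "2022-05-01T00:00:00Z",
            })
        return 404, ""

    return transport


if __name__ == "__main__":
    name, creds = instance_role_credentials(make_fake_imds("MyInstanceRole"))
    print(name, creds["AccessKeyId"], creds["Expiration"])
```

On a real instance call instance_role_credentials() with no arguments; the AWS SDKs perform this same exchange internally when no other credential source is configured, so the timeout in the question comes from calling the IAM API itself, not from obtaining the role's credentials.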

Related

Create managed instance

I am trying to create a managed instance with AWS.
I followed this page to create the IAM role: https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-instance-profile.html.
So it is AmazonSSMManagedInstanceCore.
This is the code I am using to associate the IAM role with the EC2.
import boto3

# Region, subnet ID and key name are placeholders; the poster's values are not shown
ec2 = boto3.resource('ec2', region_name='us-east-1')
subnet = ec2.Subnet('subnet id goes here')
num = 1
key_name = 'key name goes here'

def wait_until_running(instances):
    # Block until every new instance reports the running state
    for instance in instances:
        instance.wait_until_running()

# Make EC2s with AWS Ubuntu 20
instances = subnet.create_instances(ImageId='ami-0885b1f6bd170450c',
                                    InstanceType='m1.small',
                                    MaxCount=num,
                                    MinCount=num,
                                    Monitoring={'Enabled': True},
                                    SubnetId=subnet.subnet_id,
                                    KeyName=key_name,
                                    IamInstanceProfile={
                                        'Arn': 'arn goes here',
                                    },)
wait_until_running(instances)
And when I check in the console the role shows up.
But when I do
aws ssm describe-instance-information
I get
{
"InstanceInformationList": []
}
The ultimate goal here is to be able to send a command to the instance.
Based on the comments:
The instance does not have a public IP address, which indicates it likely has no access to the SSM service.
For SSM to work on your instance, it must be able to connect to the SSM service. This is usually enabled in one of three ways:
The instance is in a public subnet and has direct internet access.
The instance is in a private subnet and uses a NAT gateway to access the internet.
Your VPC uses VPC interface endpoints for the SSM service to connect to it. This does not require internet access and provides private communication between the instance and the SSM service.

How to add a step to an EMR cluster within a VPC through a Lambda function that is inside the same VPC and private subnet?

When the Lambda function is not within a VPC, I am able to add a step to the EMR cluster, but if the Lambda function is residing inside the VPC where the EMR cluster is present, in the same private VPC subnet, then I am getting a timeout error when I try to add a step to the EMR cluster using the boto3 client method "add_job_flow_steps":
"errorMessage": "2020-05-14T02:48:46.771Z ad979ac2-ff26-476a-b301-23797caeeaa9 Task timed out after 123.10 seconds".
Do I need to add a VPC endpoint to communicate between AWS services within the same VPC subnet, or is there any other way I could communicate?
when the lambda function is not within vpc then iam able to add a step to emr cluster
This works because a Lambda not in a VPC can access the internet. Subsequently, you can connect to the public endpoints of AWS services such as EMR.
if the lambda function is residing inside vpc where emr cluster is present and same private VPC subnet also.
This does not work, because a Lambda in a VPC does not have internet access:
If your function needs internet access, use NAT. Connecting a function to a public subnet does not give it internet access or a public IP address.
To enable your Lambda to access the EMR service you need to use either a NAT gateway or a VPC interface endpoint, as shown in the following link:
Connect to Amazon EMR Using an Interface VPC Endpoint
Please note that a Lambda in a VPC also requires a modified execution role.
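Both the SSM answer above and this EMR answer reduce to the same question: does the subnet have one of the three paths to the service (internet gateway with a public IP, NAT gateway, or an interface endpoint for that service in the subnet)? The check below is an added example, not code from either answer, and it is general: it takes the service's short name (ssm, elasticmapreduce, sts, ...) so one function covers every service discussed on this page. It runs offline over constructed data; the input shape assumes the keys used by the boto3 describe_route_tables and describe_vpc_endpoints responses (ServiceName, VpcEndpointType, State, SubnetIds, PrivateDnsEnabled, Associations, Routes, DestinationCidrBlock, GatewayId, NatGatewayId), which is an assumption of this example, and the subnet, gateway and endpoint identifiers in the sample data are constructed.

```python
def service_path(subnet_id, region, service, route_tables, vpc_endpoints, has_public_ip=False):
    """Return how `subnet_id` can reach the AWS service `service` (short name such as
    "ssm", "elasticmapreduce" or "sts"), or None if it has no path at all.

    Possible results: "interface-endpoint", "interface-endpoint-no-private-dns",
    "igw" (needs a public IP), "nat-gateway".
    """
    # 1. Interface endpoint for this exact service in this subnet: private path, no internet.
    service_name = f"com.amazonaws.{region}.{service}"
    for ep in vpc_endpoints:
        if (ep["ServiceName"] == service_name
                and ep["VpcEndpointType"] == "Interface"
                and ep["State"] == "available"
                and subnet_id in ep.get("SubnetIds", [])):
            # Without private DNS the SDK's default hostname still resolves to the public
            # IP, so the caller would have to point endpoint_url at the endpoint's DNS name.
            return "interface-endpoint" if ep.get("PrivateDnsEnabled") else "interface-endpoint-no-private-dns"

    # Locate the subnet's route table: explicit association first, else the VPC main table.
    table = next((rt for rt in route_tables
                  if any(a.get("SubnetId") == subnet_id for a in rt["Associations"])), None)
    if table is None:
        table = next((rt for rt in route_tables
                      if any(a.get("Main") for a in rt["Associations"])), None)
    if table is None:
        return None

    for route in table["Routes"]:
        if route.get("DestinationCidrBlock") != "0.0.0.0/0" or route.get("State", "active") != "active":
            continue
        if route.get("GatewayId", "").startswith("igw-"):
            # 2. Internet gateway: only usable if the instance actually has a public IP.
            return "igw" if has_public_ip else None
        if route.get("NatGatewayId"):
            # 3. NAT gateway: private subnet with outbound internet.
            return "nat-gateway"
    return None


# Constructed sample topology (not a real account): one public subnet, one private
# subnet behind NAT, and one private subnet whose only exit is an SSM interface endpoint.
REGION = "us-east-2"
ROUTE_TABLES = [
    {"Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    {"Associations": [{"SubnetId": "subnet-public"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0constructed"}]},
    {"Associations": [{"SubnetId": "subnet-private-nat"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0constructed"}]},
]
VPC_ENDPOINTS = [
    {"ServiceName": "com.amazonaws.us-east-2.ssm", "VpcEndpointType": "Interface",
     "State": "available", "PrivateDnsEnabled": True, "SubnetIds": ["subnet-private-vpce"]},
    {"ServiceName": "com.amazonaws.us-east-2.s3", "VpcEndpointType": "Gateway",
     "State": "available", "SubnetIds": []},
]


if __name__ == "__main__":
    for subnet, svc, public in [("subnet-private-vpce", "ssm", False),
                                ("subnet-private-vpce", "elasticmapreduce", False),
                                ("subnet-public", "ssm", False),
                                ("subnet-public", "ssm", True),
                                ("subnet-private-nat", "elasticmapreduce", False)]:
        print(subnet, svc, "->", service_path(subnet, REGION, svc, ROUTE_TABLES, VPC_ENDPOINTS, public))
```

The second and third cases reproduce the two questions: the Lambda subnet has an SSM endpoint but no EMR endpoint and no default route, so EMR calls time out; the SSM question's instance sits behind an internet gateway but has no public IP, so it has no path either. A real run would feed the function the output of describe_route_tables and describe_vpc_endpoints for the VPC.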

Timeout calling PRIVATE API Gateway from another AWS account

I am trying to call my private API Gateway from a Lambda function in another AWS account. But I am getting a timeout while making the call (actually the HTTP call is just stuck and hits my client-side timeout).
In the AWS account which hosts the private API I did the following:
* Created my private API Gateway and the Lambda behind the API
* Created a resource policy and provided access to the VPC endpoint of the other AWS account (caller)
* Created a VPC endpoint with private DNS enabled
* Attached a policy to the VPC endpoint with full access, and a security group with access to all traffic
In the second AWS account (caller) I did the following:
* Created a VPC and a VPC endpoint for API Gateway with full access
* Created a Lambda in the VPC with a security group with access to all traffic (inbound and outbound)
In the Lambda I am using the public DNS of the VPC endpoint (Account 1) and used the header 'x-apigw-api-id'.
I already tried the debugging steps mentioned in this page: https://aws.amazon.com/premiumsupport/knowledge-center/api-gateway-private-endpoint-connection/.
Also tried whitelisting based on the VPC ID instead of the VPC endpoint ID.
Any suggestions for resolving this issue?
Just found the issue. I was using the VPC endpoint of the other AWS account while making the call. When I used the VPC endpoint of the same account it worked.
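The resolution hinges on which endpoint ID the request actually arrives through: the API's resource policy is matched against the aws:SourceVpce of the endpoint the caller used, and a request via any other endpoint hits the deny. The following is an added example, not code from the poster or from AWS. It builds the allow-plus-deny resource policy that the API Gateway documentation uses for private APIs and pairs it with a deliberately simplified policy evaluator (explicit Deny wins, then any matching Allow grants; only the two condition operators the policy uses are implemented) so the "wrong endpoint" failure can be reproduced offline. The endpoint IDs, API ID and stage name are constructed.

```python
import json


def private_api_policy(allowed_vpce_ids):
    """Resource policy for a PRIVATE REST API: allow Invoke, then deny any request that did
    not arrive through one of the listed interface endpoints (aws:SourceVpce)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": "execute-api:Invoke",
             "Resource": ["execute-api:/*"]},
            {"Effect": "Deny", "Principal": "*", "Action": "execute-api:Invoke",
             "Resource": ["execute-api:/*"],
             "Condition": {"StringNotEquals": {"aws:SourceVpce": list(allowed_vpce_ids)}}},
        ],
    }


def _condition_holds(condition, ctx):
    """Simplified evaluation of StringEquals / StringNotEquals (real IAM has many more
    operators; this is enough for the policy above)."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            wanted = wanted if isinstance(wanted, list) else [wanted]
            matched = ctx.get(key) in wanted
            if operator == "StringEquals" and not matched:
                return False
            if operator == "StringNotEquals" and matched:
                return False
    return True


def invoke_allowed(policy, source_vpce):
    """Simplified decision: an applicable explicit Deny always wins; otherwise any applicable
    Allow grants. `source_vpce` is the ID of the endpoint the request came through, or None
    when it did not come through an interface endpoint at all."""
    ctx = {"aws:SourceVpce": source_vpce}
    allowed = False
    for st in policy["Statement"]:
        if st["Action"] != "execute-api:Invoke":
            continue
        if not _condition_holds(st.get("Condition", {}), ctx):
            continue  # statement does not apply to this request
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def invoke_target(vpce_dns_name, api_id, stage, path="/"):
    """URL and header for calling a private API through an endpoint's own DNS name, as the
    poster did: the x-apigw-api-id header tells the endpoint which API to route to."""
    return f"https://{vpce_dns_name}/{stage}{path}", {"x-apigw-api-id": api_id}


if __name__ == "__main__":
    # Constructed IDs: the caller account's endpoint is the one the policy should list.
    policy = private_api_policy(["vpce-0callerconstructed"])
    print(json.dumps(policy, indent=2))
    print("via caller's own endpoint:", invoke_allowed(policy, "vpce-0callerconstructed"))
    print("via the API account's endpoint:", invoke_allowed(policy, "vpce-0apiaccountconstructed"))
    print(invoke_target("vpce-0callerconstructed-abcd1234.execute-api.us-east-1.vpce.amazonaws.com",
                        "a1b2c3d4e5", "prod", "/items"))
```

Listing the caller's endpoint ID while the request is sent through a different endpoint, as happened here, makes the StringNotEquals deny apply, which is why the call fails closed rather than producing an error the client can see.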

AWS API gateway configure vpc endpoint id from different region

Current scenario
Currently, we have our AWS API Gateway of type PRIVATE in eu-central-1. If we try to configure a VPC endpoint from a region in ap-southeast-1,
we get an error like
is not valid vpc endpoint id
but when we try to configure it from the same region it works well.
Not sure how to resolve this error.
To connect to one service from VPC A to another in VPC B you can use the following Amazon VPC-to-Amazon VPC connectivity options - https://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/amazon-vpc-to-amazon-vpc-connectivity-options.html
Each one has its own advantages and limitations.
AWS PrivateLink is one of these options. Attaching one image from the official doc here: https://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/aws-privatelink.html
Here is the link for VPC endpoint and supported service - https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints.html

Security Token Service (STS) access in a private subnet

AWS Security Token Service (STS) can only be accessed from the Internet, correct me if I am wrong.
My customer would like to access DynamoDB from an EC2 instance in the same AWS account.
The EC2 instance is in a private subnet without internet access. Does it mean EC2 instance cannot leverage STS? Is there a workaround for this? We try to avoid using permanent access key and secret key to access resources in AWS.
Not only STS: you need internet access to use any AWS service. For STS, the endpoint https://sts.amazonaws.com should be accessible. There are endpoints for each AWS service. The only service that doesn't need internet access is the metadata server, http://169.254.169.254.
If your security policy permits, you can add an internet route to your subnet through a NAT. You can let the instance access only certain IP addresses by setting the outbound rule in the security group.
Starting from December 2020, you can use an STS VPC endpoint in a private subnet that doesn't have outbound internet access.