I accidentally deleted all the default subnets in aws,I want to recreate default subnets。I make CLI command: "aws ec2 create-default-subnet --availability-zone us-west-2a"
,but always get the error message
"An error occurred (DefaultSubnetAlreadyExistsInAvailabilityZone) when calling the CreateDefaultSubnet operation: 'subnet-015c449cab525d947' is already the default subnet in us-west-2d."
how to solve this problem?
There is only one default subnet can exist in each availability zone, seems you already have yours on us-west-2a, login to you AWS account search for VPC > Subnets and delete what you have there, then you can re-create it with this command:
ws ec2 create-default-subnet --availability-zone us-west-2a
check AWS document fore more info:
https://aws.amazon.com/premiumsupport/knowledge-center/recreate-default-vpc/
Related
NOTE: This is about ELBv2 ALBs, not legacy load balancers, ELBv1, but my humble rep won't let me improve the tagging.
I'm attempting to create an AWS ECS Fargate service. I have created Application Load Balancers one for each container in the Task, and since create-service now supports multiple loadbalancers according to the docs - we should be all good, right? Since it's an ALB, I specify targetGroupArn rather than loadBalancerName, and since ECS has a service linked role created by default, AWSServiceRoleForECS I ought to be able to map target groups and go ahead and create the service, right? Not like it used to be when you had to create ecsServiceRole manually from what the internet tells me.
my command is
aws ecs create-service --region $REGION --cluster $CLUSTER --service-name production-svc --task-definition $TASK_ARN --desired-count 2 --launch-type "FARGATE" --network-configuration "awsvpcConfiguration={subnets=[${SUBNET_1}, ${SUBNET_2}],securityGroups=[${SECURITYGROUP_ID}]}" --load-balancers=tgt-a,containerName=a,containerPort=5000,targetGroupArn=tgt-b,containerName=b,containerPort=6000
And the error I get is
An error occurred (InvalidParameterException) when calling the CreateService operation: Unable to assume role and validate the specified targetGroupArn. Please verify that the ECS service role being passed has the proper permissions.
Now, looking though the internet it could either be that my load balancers don't exist (you'll have to trust me, they do - I supply target group ARNs, and those target groups exist as confirmed with aws elbv2 cli and are mapped to valid active application load balancers that all live in the same region as the cluster), or that the service mapped role (the one AWS created for me earlier) won't have enough rights to assume to verify the targetGroupArn.
Do I really have to add rights to the automatic ECS service mapped role? If so - which rights?
"elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
"elasticloadbalancing:DeregisterTargets",
"elasticloadbalancing:Describe*",
"elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"elasticloadbalancing:RegisterTargets",
My Automatic role (that has AmazonECSServiceRolePolicy) already has all of those? Which ones are missing?
I was having the same issue, and can confirm what Ali says:
Turns out that if you are creating the service via CLI with aws ecs create-service you need the full arn for the loadbalancer.
The documentation confirms that:
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ecs/create-service.html
It's a bit confusing because in the CloudFormation template you can just use the "short" name. Also the error message is a bit misleading.
Hope this helps.
What is the suggested way to pass IAM role to a Docker container on EC2?
I have a mlflow project running in a docker environment on EC2.
The python code needs to read and write from S3.
The following is the error (sometimes other types of error also indicating no s3 access from the container, for example s3 resourece not found error)
botocore.exceptions.ProfileNotFound: The config profile (xxx) could not be found
To solve the s3 access issue, I already created an IAM role that allows access to the bucket.
What are the best ways to give this role to the Docker container?
Is it possible to define the role name in Dockerfile?
Thanks
If you are using ECS to run containers on your EC2 instances you can set the taskRoleArn in the Task Definition. If you are running docker on EC2 without ECS you could give the instance the role and use --net host and the container should use the ec2 instance's role.
I'm using docker on EC2 and I just created an Instance Profile.
If you use Console:
Instances -> CHOOSE YOUR INSTANCE -> Actions -> Instance Settings -> Attach/Replace IAM Role
If you use CloudFormation:
EC2Instance:
Type: AWS::EC2::Instance
Properties:
IamInstanceProfile: !Ref EC2InstanceIAMInstanceProfile
...
I've created a node.js application which connects to DynamoDB. Everything is working fine locally Now I'm trying to setup on AWS servers.
First I've created DynamoDB tables from AWS DynamoDB console. It is working fine.
I've created a new role from IAM management console > Roles to access DynamoDB. And attached that role to EC2 instance.
But when I fire any aws dynamodb cli command, it gave me error to mention the region.
So I went to IAM management console > Users, and created an access key to my admin type user.
Now I'm login to EC2 CLI using ec2-user and aws configure with previously generated access key.
AWS Access Key ID [None]: ACCESS KEY
AWS Secret Access Key [None]: SECRET
Default region name [None]: us-east-1
Default output format [None]: json
But when I use following command aws dynamodb list-tables. It gives no output, no error.
As I commented, The main issue was outbound rules for attached security group. Here are the necessary things to do
Set a security group outbound rule to HTTPS
Setup Credentials
Create Access Key from IAM management console > Users.
SSH to EC2 instance.
Configure the credentials to EC2 instance using aws configure command or directly modify ~/.aws/credentials file.
Attach Role
Create Role from IAM management console > Roles. Select the role which is necessary to perform operation on AWS service. Eg AmazonDynamoDBFullAccess
Open VPC console and select the EC2 instance.
Attach the role from Actions menu
It is good, though optional, to create VPC endpoint. If you face UnauthorizedOperation error while creating endpoint, assign AmazonEC2FullAccess permission to the user from IAM console. Remove it later if you don't need it.
To use the AWS service from your application, find the relevant endpoint from this list.
It sounds like you are having problems connecting to DynamoDB because of the way you have configured your VPC.
There are some options but if you would prefer to keep your VPC isolated from the internet then you could enable VPC endpoints for DynamoDB. That way you can access DynamoDB from within your VPC without those connections going over the public internet.
There is a step-by-step guide for how to do that here: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/vpc-endpoints-dynamodb.html
Essentially, it involves the following steps:
you have to get the VPC id for the VPC where your EC2 instance is located
create a VPC endpoint for DynamoDB, specifying the VPC id and the regional dynamodb service name:
aws ec2 create-vpc-endpoint --service-name com.amazonaws.<region>.dynamodb --vpc-id <yourvpcid>
I am unable to delete Private Hosted Zone from console and CLI.
Please check below screen shot
Its throwing following error
The resource hostedzone/Z346QOK8DECBDU can only be managed through servicediscovery.amazonaws.com (arn:aws:servicediscovery:us-east-1:757712384777:namespace/ns-oekfhwgvesmkdb4i)
Private zone has following records
I have tried deleting using AWS CLI commands as well
aws servicediscovery list-services
aws servicediscovery delete-service --id=ID-FROM-LIST
aws servicediscovery delete-namespace --id=NS-LIST
This did not work. I got following error
An error occurred (NamespaceNotFound) when calling the DeleteNamespace operation: NS-LIST
An error occurred (ServiceNotFound) when calling the DeleteService operation: ID-FROM-LIST
Please let me know if there is any other way.
Try to delete the AWS ECS service, which is using this hosted zone from AWS console, and then if you have any service discovery resources (like namespace), then delete those using below commands:
Use below command to list services in specific region:
aws servicediscovery list-services --region <region_name>
If no services associated, then try to find the namespaces:
aws servicediscovery list-namespaces --region <region_name>
Then you can delete the namespace as below:
aws servicediscovery delete-namespace --id <service_discovery_namespace_id> --region <region_name>
From output, It seems you don't have any services listed, but still try with --region option.
Your namespace_id seems to be incorrectly passed. Its arn is already shown in first error message.
To delete the private hosted zone:
To delete a private hosted zone that Amazon ECS created when you created a service using service discovery, delete the Amazon ECS services that are using the namespace, and delete the namespace
Ref:
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zone-private-deleting.html
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/delete-service.html
It is very simple if you have access to console
Search for “AWS cloud map” in aws console – > you can see than namespace – go inside namespace -> delete services -> go back and delete namespace -> check in your route53 console, hosted zone wont be there
I need to create a read replica in a VPC of an RDS instance outside of the VPC
The instructions read ( http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ReadRepl.html )-
To create a read replica from a source MySQL DB instance:
In the Destination DB Subnet Group box, specify a DB subnet group associated with a VPC if you want the read replica to be created in that VPC. Leave the box empty if you want the read replica to be created outside of any VPC. The VPC and DB subnet group must exist in the destination region. Within a given region, all read replicas created from the same source DB instance must be either:
Unfortunately this box doesn't show up in the gui
Using the CLI I get the following message:
A client error (DBSubnetGroupNotAllowedFault) occurred when calling the CreateDBInstanceReadReplica operation: DbSubnetGroupName should not be specified for read replicas that are created in the same region as the master
Is there something else I should be doing?
Can you post your CLI commands as well? It looks like you are making the CreateDBInstanceReplica request from the source region itself. You should be making the request from the target region.
For example, if you have an instance in us-east-1 and you want a new replica in us-west-2, then:
aws rds create-db-instance-read-replica \
--db-instance-identifier DBInstanceIdentifier \
--region us-west-2 \
--source-db-instance-identifier arn:aws:rds:us-east-1:123456789012:db:my-mysql-instance \
--source-region us-east-1 \
--kms-key-id my-us-east-1-key
Note that the CLI request is explicitly made for us-west-2, but source instance is us-east-1.