CodeDeploy events not running - amazon-web-services

This is what my CodeDeploy status looks like:
This is the first time I'm trying to set this up. I created an EC2 instance and added the following policies to the attached IAM role:
and edited the Trust relationships like this:
I also installed the CodeDeploy agent on the EC2 instance.
This is my appspec.yml:
version: 0.0
os: linux
files:
  - source: .
    destination: /home/ubuntu
hooks:
  ApplicationStop:
    - location: scripts/stop_server.sh
      timeout: 5
      runas: root
stop_server.sh is just an empty file
any ideas?

The most likely problem you're facing is that the agent either isn't installed or the instance doesn't have sufficient permissions. When there are no events started on the instance for the deployment, it means that CodeDeploy couldn't talk to the host for some reason.
Here are the steps I would take:
1. Confirm that you installed the CodeDeploy agent
2. Confirm that you've created the IAM service role
3. Confirm that you have the IAM Instance Profile and that it's associated with the instance
4. Check that you can reach the CodeDeploy commands endpoint in your region from the box, i.e. ping codedeploy.us-east-1.amazonaws.com. Otherwise, your networking setup might be too restrictive.
5. Look at the logs on the host to see what's going on
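
The two IAM role checks in the list above come down to which service each role's trust policy allows to assume it. The following is an added example, not code from the original answer: it audits the AssumeRolePolicyDocument returned by `aws iam get-role` for the CodeDeploy service role and for the role in the instance profile. The sample documents and function names are constructed, and region-scoped principals such as codedeploy.us-east-1.amazonaws.com are not handled.

```python
import json

CODEDEPLOY = "codedeploy.amazonaws.com"  # must be trusted by the CodeDeploy service role
EC2 = "ec2.amazonaws.com"                # must be trusted by the instance profile's role

def _listify(value):
    """IAM JSON allows one value or a list for Statement, Action and principals."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]

def assume_role_principals(trust_policy):
    """Return (kind, value) principals that Allow statements let call sts:AssumeRole."""
    found = set()
    for stmt in _listify(trust_policy.get("Statement")):
        actions = {a.lower() for a in _listify(stmt.get("Action"))}
        if stmt.get("Effect") != "Allow" or not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, str):       # "*" means any principal
            found.add(("AWS", principal))
            continue
        for kind, values in principal.items():
            found.update((kind, v) for v in _listify(values))
    return found

def audit_trust(label, trust_policy, required_service):
    """List findings for one role: required service not trusted, or wildcard trust."""
    principals = assume_role_principals(trust_policy)
    findings = []
    if ("Service", required_service) not in principals:
        findings.append(f"{label}: {required_service} cannot assume this role")
    if any(value == "*" for _, value in principals):
        findings.append(f"{label}: wildcard principal in trust policy")
    return findings

# Constructed sample documents (the question's screenshots did not survive).
SERVICE_ROLE_TRUST = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Principal": {"Service": ["codedeploy.amazonaws.com"]},
   "Action": "sts:AssumeRole"}]}""")
# Misconfiguration: the instance role trusts CodeDeploy, so EC2 cannot assume it.
INSTANCE_ROLE_TRUST = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Principal": {"Service": "codedeploy.amazonaws.com"},
   "Action": "sts:AssumeRole"}]}""")

if __name__ == "__main__":
    report = (audit_trust("service role", SERVICE_ROLE_TRUST, CODEDEPLOY)
              + audit_trust("instance role", INSTANCE_ROLE_TRUST, EC2))
    print("\n".join(report) or "trust policies look correct")
```

A finding on the instance role means the agent on the box has no credentials to poll CodeDeploy with, which matches a deployment that shows no lifecycle events.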

Related

eb create can't see Unable to assign role, needs to verify that you have permission to pass this role: aws-elasticbeanstalk-service-role

I have a Node app that I want to upload to EB.
After running eb init and creating the application, I tried eb create and got this:
WARNING: Insufficient IAM privileges. Unable to determine if instance profile 'aws-elasticbeanstalk-ec2-role' exists, assuming that it exists.
Creating application version archive "app-230218_020058149734".
Uploading testEBUdg/app-230218_020058149734.zip to S3. This may take a while.
Upload Complete.
Environment details for: testEBUdg-dev
Application name: testEBUdg
Region: us-east-1
Deployed Version: app-230218_020058149734
Environment ID: e-spw6eyzmpe
Platform: arn:aws:elasticbeanstalk:us-east-1::platform/Node.js 14 running on 64bit Amazon Linux 2/5.6.4
Tier: WebServer-Standard-1.0
CNAME: testEBUdg-dev.us-east-1.elasticbeanstalk.com
Updated: 2023-02-18 00:01:36.993000+00:00
Printing Status:
2023-02-18 00:01:35 INFO createEnvironment is starting.
2023-02-18 00:01:37 INFO Using elasticbeanstalk-us-east-1-xxxxxxxxxx as Amazon S3 storage bucket for environment data.
2023-02-18 00:01:38 ERROR Unable to assign role. Please verify that you have permission to pass this role: aws-elasticbeanstalk-service-role.
2023-02-18 00:01:38 ERROR Failed to launch environment.
ERROR: ServiceError - Failed to launch environment.
Permissions policies
It looks like the AWS credentials were not configured, so you need to set them up using aws configure; the user needs to have the appropriate permissions. Then perform eb init.

Codedeploy with S3 always fails after 5 minutes

I've spent the better half of the day trying to set up CodeDeploy, CodePipeline, S3 and EC2.
Codepipeline will successfully:
Pick up detected changes in GitHub
Push the ZIP file up to S3
Trigger CodeDeploy to begin deployment
Also
EC2 has list and read access to S3
S3 allows all actions from EC2
I've followed this outdated guide mostly: https://cloudacademy.com/blog/how-to-deploy-application-code-from-s3-using-aws-codedeploy/
appspec.yml
version: 0.0
os: linux
files:
  - source: /
    destination: /var/www
hooks:
  AfterInstall:
    - location: hooks/after-install.sh
      runas: root
I'm rather new to AWS and can't for my life find where the logs are telling me what's going on, nor do I get any error message that points me anywhere, so I've literally been shooting blind double checking everything all day and trying again and this is taunting me now:
Any help even if it's pointing me towards where I can actually find the error message would be tremendously appreciated, thanks for your time
This generally occurs for one of the following 3 reasons:
1. The CodeDeploy agent needs to be installed and running on the target instance.
2. No access to the CodeDeploy and S3 services. Ensure you are either:
   - Running an instance in a public subnet with an internet gateway
   - Running an instance in a private subnet with a NAT gateway/NAT instance
3. The IAM permissions for the IAM role of the instance are not sufficient. For sufficient permissions, attach the AWSCodeDeployRole policy.
As you have said your IAM role permissions are fine, you are left with one of the other 2 scenarios.
Once these are working, you can generally see the logs within the /var/log/aws/codedeploy-agent location.

AWS CodeDeploy stuck in AllowTraffic step

I'm using AWS CodeDeploy to deploy my project (triggered by CodePipeline) to an autoscaling group (EC2 instances behind an ALB). This is my appSpec file:
version: 0.0
os: linux
files:
  - source: /
    destination: /var/www/html/test-deploy
    overwrite: true
permissions:
  - object: /var/www/html/test-deploy/codedeploy
    pattern: "*.sh"
    owner: root
    group: root
    mode: 755
    type:
      - file
hooks:
  BeforeInstall:
    - location: codedeploy/before_install.sh
      timeout: 180
  AfterInstall:
    - location: codedeploy/after_install.sh
      runas: centos
      timeout: 180
The files get deployed successfully to the EC2 instance, but for some reason after the "BeforeAllowTraffic" nothing happens, like I waited 15 min and the next step was still at "pending".
The two .sh files do nothing fancy (and codedeploy passed those steps so I don't think that's the problem).
Can anyone point me to a direction? I don't get any error messages, so I don't even know how to debug it.
Thanks
I had the same issue. After investigation, I found that my target group was "unhealthy". I just added the health check path/file, i.e. "/rorbots.txt", and rebooted the EC2 server, and it fixed the problem.
We also had an unhealthy target instance. The problem was hosting two applications on the same instance, where one (application A) was responsible for health checks and talking to the load balancer, and the other one (application B without any open network ports) was being deployed. One instance was always getting stuck in AllowTraffic during app B deployments. I found the root cause when I looked at the target group for app A and saw that same instance in the "unhealthy" status, so of course deploying app B wasn't going to fix that. After I re-deployed app A and restored the instance back to health, app B deployments were able to progress.
Check your logs on your target group instances. It may be caused by one of the following:
the application startup command did not finish successfully
the application is not running due to an error
your target group's health check is NOT configured with the endpoint you expect
your application is NOT responding at the endpoint you expect

Cloud Custodian: resources:ec2 not available in region

I am using Cloud Custodian and policies written in YAML for automating tasks related to AWS. For now, I am trying to stop a running instance. The following is the policy, custodian.yml, that I am using:
policies:
  - name: my-first-policy
    resource: ec2
    filters:
      - "tag:test": present
    actions:
      - stop
The instance is tagged with the tag test, and the location where the instance is running is us-east-2b. I am using the following command to run the policy:
AWS_DEFAULT_REGION=us-east-2b AWS_ACCESS_KEY_ID="the_value_of_the_key_ID" AWS_SECRET_KEY="the_value_of_secret_key" custodian run --output-dir=. custodian.yml
The problem is that there are no errors/logs that are generated but it is unable to locate the instance and throws the following warning:
2017-06-17 08:28:17,926: c7n.policies:WARNING policy:my-first-policy resources:ec2 not available in region:us-east-2b
2017-06-17 08:28:17,927: custodian.commands:WARNING Empty policy file(s). Nothing to do.
I am using the guidelines on working with Cloud Custodian from the following links:
http://www.capitalone.io/cloud-custodian/docs/quickstart/index.html#write-your-first-policy
Can somebody help?
Modify:
AWS_DEFAULT_REGION=us-east-2b
to:
AWS_DEFAULT_REGION=us-east-2
us-east-2 is a region (US Ohio). us-east-2b is an availability zone.

No Instances found when trying to use AWS Console and EC2 Run Command for Windows

I am trying to use the Amazon EC2 Run Command feature, and basically it says it can't find any instances.
I read all the documentation and followed all the steps that I could find on this relatively new feature, and I can't get it to work for the life of me.
Here is the info:
I go to "EC2 -> Commands -> Command History -> Run A Command"
I click radio box for the "AWS-RunShellScript" command document
I click the "Select Instances" drop down button, and it says "No instances found in this region" as shown in Figure 1 below.
I click the "Where are my instances?" hyperlink, which brings me to the AWS documentation shown here: "Troubleshooting SSM Run Command"
The first suggestion for troubleshooting is to make sure that the prerequisites have been met, and provides another hyperlink shown here: "SSM Run Command Prerequisites"
Prerequisites:
Supported OS - Windows 2012 R2 - CHECK
Latest Agent Version - 3.17.1032 - CHECK (Shown In Figure 2)
Access to SSM Run Command - Assign EC2 Instance Role and IAM User Role - CHECK (Shown In Figures 3 and 4)
Internet Access - Outbound Internet Access - CHECK
I followed the AWS documentation for creating an Amazon EC2 Instance role for EC2 Run Command Access, and also to create an IAM User with proper Run Command Access. The documentation is shown here: Delegating Access to SSM Run Command
I used the Amazon CLI from my local machine to run the following command also shown in troubleshooting documentation:
aws ssm describe-instance-information --instance-information-filter-list key=InstanceIds,valueSet=instance-ID
The command returns no information:
{
"InstanceInformationList": []
}
UPDATE 1:
I did find the following errors and warnings in the following places, and have spent the last two hours trying to troubleshoot. I uninstalled and reinstalled the Ec2Config Service. I checked all the Ec2Config files. I checked the 169.254 addresses, and the meta-data and dynamic data exist and appear to be correct. Not sure what else to try here.
C:\Program Files\Amazon\Ec2ConfigService\Logs\Ec2ConfigLog - Error/Warning
2016-06-22T23:44:12.663Z: Warning: Unable to Publish to WMI. | System.Management.Instrumentation.WmiProviderInstallationException: Exception of type 'System.Management.Instrumentation.WMIInfraException' was thrown.
at System.Management.Instrumentation.InstrumentationManager.Publish(Object value)
2016-06-22T23:44:16.263Z: Failed to fetch instance metadata http://169.254.169.254/latest/user-data with exception The remote server returned an error: (404) Not Found.
2016-06-22T23:44:16.263Z: Failed to get metadata/user-data The remote server returned an error: (404) Not Found.
Windows Event Viewer Error
2016-06-22 23:46:59,758 [_Worker-2] ERROR [aws:getDocument] - Failed to update instance information., RequestId=9cb8f2dd-38d3-11e6-bc83-19c0650ffecc,ErrorCode=AccessDeniedException,ErrorType=Unknown,StatusCode=BadRequest,Message=Caller instance identity does not match the given instanceId
UPDATE 2:
Per #praetorian1's linked Stack Overflow article, I updated the Ec2Config Service's "config.xml" file to enable the "Ec2HandleUserData" setting, rebooted, and still no change.
Per #Kai's suggestion, I also made sure that the "role" attached to the instance matched the "AmazonEC2RoleforSSM" policy, and specifically permitted "ssm:UpdateInstanceInformation". It did.
I also looked under the AWS EC2 Management Console, at the "System Log" file for the specific instance, which did not contain any errors, and towards the end said that SSM Config: status:Active, iam:Yes. Also noteworthy, it contained: Info EC2Config configuration: status:2; region:us-east-1; iam:1; authz:1
2016/06/23 15:01:29Z: EC2ConfigMonitorState: 0
2016/06/23 15:01:29Z: Windows sysprep configuration complete.
2016/06/23 15:01:32Z: AMI Origin Version: 2016.01.13
2016/06/23 15:01:32Z: AMI Origin Name: Windows_Server-2012-R2_RTM-English-64Bit-SQL_2014_SP1_Web
2016/06/23 15:01:32Z: OS: Microsoft Windows NT 6.3.9600
2016/06/23 15:01:32Z: OsVersion: 6.3
2016/06/23 15:01:32Z: OsProductName: Windows Server 2012 R2 Standard
2016/06/23 15:01:32Z: OsBuildLabEx: 9600.18202.amd64fre.winblue_ltsb.160119-0600
2016/06/23 15:01:32Z: Language: en-US
2016/06/23 15:01:32Z: TimeZone: Eastern Standard Time
2016/06/23 15:01:32Z: Offset: UTC -04:00:00
2016/06/23 15:01:32Z: EC2 Agent: Ec2Config service v3.17.1032
2016/06/23 15:01:32Z: Driver: AWS PV Storage Host Adapter v7.3.2.0
2016/06/23 15:01:32Z: Driver: Intel(R) 82599 Virtual Function v1.0.15.3
2016/06/23 15:01:34Z: Message: Waiting for meta-data accessibility...
2016/06/23 15:01:34Z: Message: Meta-data is now available.
2016/06/23 15:01:37Z: Message: Windows is Ready to use
2016/06/23 15:01:40Z: Amazon EC2 Simple Systems Manager (SSM) is an optional service for custom configuration of instances.
2016/06/23 15:01:40Z: Info EC2Config configuration: status:2; region:us-east-1; iam:1; authz:1
2016/06/23 15:01:40Z: SSM Config: status:Active; iam:Yes
Figure 1:
Figure 2:
Figure 4:
Try checking the application logs in windows on the instance. Might be having issues talking to the SSM service for some reason.
As praetorian1 mentioned, Windows Event Viewer is the place to look for SSM - EC2 Run Command related log messages.
The message you posted indicates that the EC2 instance does not have the required permission to call the ssm:UpdateInstanceInformation API. Please double check that the RunCommandInstance role has the AmazonEC2RoleforSSM policy attached. (After attaching the policy, please restart the EC2Config service or wait up to 15 min for EC2Config to start reporting instance information.)
For the IAM User in Fig. 4, we do not need policies other than AmazonSSMFullAccess for us to call SSM APIs with awscli.
To dive deeper:
EC2 Role and IAM Policy for the EC2 Instance
SSM on Windows requires an IAM EC2 Role attached to the EC2 instance at launch. Required permission for that Role is provided by an Amazon-managed IAM policy AmazonEC2RoleforSSM.
IAM Policy for IAM User
To make API calls to the SSM service with awscli, an IAM user has to be set up with SSM permissions. For testing, Amazon provides a managed IAM policy, AmazonSSMFullAccess. With the credentials of this IAM user, we will be able to make API calls to describe instance information and also send commands to the instance.
DescribeInstanceInformation API
Once the EC2 instance is set up with the required permission and EC2Config starts reporting instance information back to SSM, we will be able to use the DescribeInstanceInformation API to get a list of EC2 instances that are ready for SSM - EC2 Run Command.