I am trying to launch an instance with AWS deep learning AMI with an elastic inference accelerator. I have set the role for the policy for the IAM to connect as described in the documentation "elastic-inference:Connect". But When i try launch the instance i get the error. Initiating launches failure invalid attachment reservation 0 for accelerator type : eia1.medium
I tried adding further permission. I added the following permissions.
AmazonEC2FullAccess
AmazonEC2ContainerRegistryFullAccess
GlobalAcceleratorFullAccess
trial_policy.json (contains the json which is mentioned in the documentation for adding "elastic-inference:Connect")
AmazonDevOpsGuruFullAccess
But is still get the following error.
Launch Failed Invalid attachment reservation 0 for accelerator type :
eia1.medium.
Verifying entitlement to product Successful
Initiating launches Failure
Related
While creating AWS EMR cluster, always i get the issue- Service role EMR_DefaultRole has insufficient EC2 permissions
And the cluster terminates automatically, have even done steps as per aws documentation of recreating emr specific roles, but no progress please guide how to resolve the issue- Service role EMR_DefaultRole has insufficient EC2 permissions
EMR needs two roles to start the cluster 1) EC2 Instance profile role 2)EMR Service role. The service role should have enough permissions to provision new resources to start the cluster, EC2 instances, their network etc. There could be many reasons for this common error:
Verify the resources and their actions. Refer https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-iam-role.html.
Check if you are passing the tag that signifies if cluster needs to use emr managed policy.
{
"Key": "for-use-with-amazon-emr-managed-policies",
"Value": "true"
}
At last try to find out the exact reason from cloud trail. Go to aws>cloud trail. From the event history configuration enable the error code so that you can see the exact error. If you find the error code something like 'You are not authorized to perform this operation. Encoded authorization failure message'. Then open the event history details, pick up the encrypted error message and decrypt using aws cli
aws sts decode-authorization-message message. This will show you the complete role details, event, resources, action. Compare it with AWS IAM permissions and you can find out the missing permission or parameter that you need to pass while creating the job flow.
I'm trying to deploy Metabase on AWS Beanstalk following the official documentation.
Unfortunately, I'm getting the following errors every time:
Stack named 'awseb-e-mbmm95mkdq-stack' aborted operation. Current state: 'CREATE_FAILED' Reason: The following resource(s) failed to create: [AWSEBRDSDBSecurityGroup].
Creating RDS database security group named: awseb-e-mbmm95mkdq-stack-awsebrdsdbsecuritygroup-lixrbjq6lh5x failed Reason: Either the resource does not exist, or you do not have the required permissions.
Any ideas how to fix it?
Here's how I was able to fix this issue. I created an RDS db instance from the RDS console, then created a snapshot of that instance. Enter Elastic Beanstalk console, then from Configuration modify Database and use the snapshot created. Remember also to add environment properties in the Configuration / Software console.
I am using boto3 to control my EC2 instances on AWS from a python environment, using ec2 and ssm services. I have created an IAM account, that has access to AmazonSSMFullAccess and AmazonEC2FullAccess policies.
ec2 = boto3.client(
'ec2',
region_name='eu-west-1',
aws_access_key_id='…',
aws_secret_access_key='…/…+…'
)
ssm = boto3.client(
'ssm',
region_name='eu-west-1',
aws_access_key_id='…',
aws_secret_access_key='…/…+…'
)
I ran:
ec2.describe_instances()['Reservations']
Witch returned a list of all my instances.
But when I run:
ssm.describe_instance_information()
I get an empty list, though I have at least one instance running on AWS Linux AMI (ami-ca0135b3), and six others on recent Ubuntu AMIs. They are all in eu-west-1 (Ireland).
They should have SSM Agent preinstalled : (https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-install-ssm-agent.html)
I sshed into the AWS Linux instance, and tried to get the logs for ssm using:
sudo tail -f /var/log/amazon/ssm/amazon-ssm-agent.log
But nothing happens there when I run my python code. A sequence of messages gets displayed from time to time :
HealthCheck reporting agent health.
error when calling AWS APIs. error details - NoCredentialProviders: no valid providers in chain. Deprecated.
I also tried running a command through the web interface, selected ' AWS-RunRemoteScript' but no instance is shown below.
My goal is to run:
ssm.send_command(
DocumentName="AWS-RunShellScript",
Parameters={'commands': [command]},
InstanceIds=[instance_id],
)
But it gives me the following error, probably due to the previous problem.
botocore.errorfactory.InvalidInstanceId: An error occurred (InvalidInstanceId) when calling the SendCommand operation
The agent is pre-installed, but the instance (not just your IAM user) still needs the proper role to communicate with the systems manager. Particularly this step of Configuring Access to Systems Manager.
By default, Systems Manager doesn't have permission to perform actions
on your instances. You must grant access by using an IAM instance
profile. An instance profile is a container that passes IAM role
information to an Amazon EC2 instance at launch.
You should review the whole configuration guide and make sure you have configured all required roles appropriately.
Below are the steps that I performed for setup :
Created a new windows server 2012 EC2 instance and then connected
with it using the remote desktop connection.
Installed EC2 config service which automatically installs
AmazonSSMAgent service.
Both EC2 and SSM services are running and in error logs, it is throwing some 'no chain provider exception' which is fine because I have not provided aws credentials yet.
Created a new IAM user and give him administrative policy access and
created three environment variables providing access_key,
secret_access_key and region_id.
Then I restarted AmazonSSMAgent service, then the exception changed to below exception:
status code: 400, request id: 400b4c75-eae2-11e7-a120-d33083d55d1f 2017-12-27 08:45:13 ERROR [HandleAwsError # awserr.go.48] [instanceID=i-084646fb32d8a7b6d] [MessagingDeliveryService] error when calling AWS APIs. error details - GetMessages Error: AuthorizationFailureException:
Please suggest what i am doing wrong or any steps that i have missed or any other way to do this.
When I try to launch an Elastic Beanstalk environment from the command line, I get this error during the process:
Environment health has transitioned from Pending to Warning. Access
denied while accessing Auto Scaling and Elastic Load Balancing using
role "arn:aws:iam::XXXXXXXXXX:role/aws-elasticbeanstalk-service-role".
Verify the role policy.
When I launch it from the console, I do not get this warning. I have tried to replicate the same AWS console configuration from the CLI , but I still get this error.
Any clue what's going on?
If anyone is still getting a similar error and is still unsure how to solve it
Navigate to IAM in the AWS Console.
Navigate to the aws-elasticbeanstalk-service-role (under Access Management > Roles).
Attach the following policies:
AutoScalingFullAccess
ElasticLoadBalancingFullAccess
I then rebuilt the environment, no more errors!
The following article helped me understand this better: https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/concepts-roles-service.html
You can go to your IAM console. You will see the "aws-elasticbeanstalk-service-role", Under the permission tab, you can grant the specific you want to give the policy on your behalf. Refresh and you should have "Ok". Make sure the permission you grant the role can manage this " Auto Scaling and Elastic Load Balancing using role"
Elastic Beanstalk now uses a Service Role to call other AWS services on your behalf. The IAM role is created in your account and you give permissions to launch
Service role is optional but recommended for new environments.
Especially for enhanced health monitoring (which is what your using based on the error message), service role is mandatory. A misconfigured service role can lead to this error message.
The console experience makes it very easy for you to create/use the role with the correct permissions. This is because you just need to select the correct role from the dropdown (if the role already exists) when using the create environment wizard.
When using the CLI you need to pass the service role option setting. (namespace: aws:elasticbeanstalk:environment, option_name: ServiceRole). You can find the required permissions for a role configured in this documentation.
There are some more details about service role in my previous stack overflow answer here.
If anyone can not solve the error whit the previous actions what I had to do is:
Add to aws-elasticbeanstalk-service-role the following policies AutoScalingFullAccess | ElasticLoadBalancingFullAccess
Not re-start but build the environment again
(after a while it kept launching the error)
Then I added:
AdministratorAccess-AWSElasticBeanstalk (again to aws-elasticbeanstalk-service-role)
Re-build the environment again
It is working at the moment.