AccessDeniedException Error deleting EKS Cluster - amazon-web-services

I've successfully created an EKS cluster and some other resources via a terraform script. However, I am unable to successfully complete the terraform destroy. I get the following error upon deletion of EKS cluster:
Error: error deleting EKS Cluster (cluster-name): AccessDeniedException:
status code: 403, request id: request-uuid
Any ideas?

The role I'm using needs to allow the eks:DeleteCluster operation in its policy.

Related

AWS ECS Cluster Unable to assume service role, when creating with cloudformation

I'm trying to create an ECS Fargate deployment using a CloudFormation script, but the script fails during creation of the ECS cluster with an error saying that it is unable to assume the service role. I'm not able to figure out what I'm missing in the script; I have tried many ways and none of them seem to be working.
Here is the link to the CloudFormation script, as I'm not able to post it here due to the character limitation.
ECS Cloudformation script
The error where the resource creation fails:
Resource handler returned message: "Invalid request provided: CreateCluster Invalid Request: Unable to assume the service linked role. Please verify that the ECS service linked role exists. (Service: AmazonECS; Status Code: 400; Error Code: InvalidParameterException; Request ID: e08ab312-4bd8-4c21-852f-ae5d49cc5932; Proxy: null)" (RequestToken: a686f226-e1d3-7b4c-13f1-66fa0a516c51, HandlerErrorCode: InvalidRequest
I'm able to get it working if I create an ECS cluster from the AWS console, as it creates a service linked role. But I want to work without creating the cluster manually from the console, with everything building up from CloudFormation. I tried looking over the AWS docs and did dig through the Internet but couldn't get it working. Can anyone please help me out?

AWS install fails: IAM instance profile already exists

I was installing OpenShift 4.4.9 on my AWS cluster using Installer Provisioned Infrastructure (IPI), but I wasn't able to spin up my OpenShift cluster on AWS because of the error below.
INFO Creating infrastructure resources...
ERROR
ERROR Error: Error creating IAM instance profile ocp4-925gm-bootstrap-profile: EntityAlreadyExists: Instance Profile ocp4-925gm-bootstrap-profile already exists.
ERROR status code: 409, request id: b6918967-774c-44c1-8b92-02ac7388f87c
ERROR
ERROR on ../../../tmp/openshift-install-584826335/bootstrap/main.tf line 46, in resource "aws_iam_instance_profile" "bootstrap":
ERROR 46: resource "aws_iam_instance_profile" "bootstrap" {
ERROR Error: Error creating IAM instance profile ocp4-925gm-worker-profile: EntityAlreadyExists: Instance Profile ocp4-925gm-worker-profile already exists.
ERROR status code: 409, request id: 3b5d2b9c-28fe-4c95-b622-7a80af45dfb6
ERROR
ERROR on ../../../tmp/openshift-install-584826335/iam/main.tf line 5, in resource "aws_iam_instance_profile" "worker":
ERROR 5: resource "aws_iam_instance_profile" "worker" {
ERROR Error: Error creating IAM instance profile ocp4-925gm-master-profile: EntityAlreadyExists: Instance Profile ocp4-925gm-master-profile already exists.
ERROR status code: 409, request id: 072d86e1-3508-4d59-a6ab-2ed647251056
ERROR
ERROR on ../../../tmp/openshift-install-584826335/master/main.tf line 9, in resource "aws_iam_instance_profile" "master":
ERROR 9: resource "aws_iam_instance_profile" "master" {
FATAL failed to fetch Cluster: failed to generate asset "Cluster": failed to create cluster: failed to apply using Terraform
Solution to Fix
Manual deletion is recommended in this case.
List your roles and then delete the instance profiles.
$ aws iam list-roles
$ aws --region=<region-name> iam delete-instance-profile --instance-profile-name <profile_name>
Example given below:
$ aws --region=us-east-1 iam delete-instance-profile --instance-profile-name ocp4-925gm-master-profile
$ aws --region=us-east-1 iam delete-instance-profile --instance-profile-name ocp4-925gm-worker-profile
Reference Link
Clarification: before deleting an IAM instance profile on AWS, make sure that you do not have any EC2 instances running with the instance profile you are about to delete. Deleting a role or instance profile that's associated with a running instance will break any applications running on the instance. For documentation, use this link.
aws iam delete-instance-profile --instance-profile-name <profile-name>
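The clarification above warns against deleting an instance profile that an instance still uses. As an added example (not part of the answer), the script below reads the JSON printed by `aws ec2 describe-instances` and reports which of the installer's profile names are still attached to non-terminated instances; the sample output, instance ids and account id 111122223333 are constructed.

```python
import json, sys

# Constructed sample shaped like the JSON from `aws ec2 describe-instances`.
# Instance ids are made up; profile names are those from the installer error.
ACCOUNT = "111122223333"  # placeholder account id
SAMPLE_DESCRIBE_INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa111", "State": {"Name": "running"},
     "IamInstanceProfile": {"Arn": f"arn:aws:iam::{ACCOUNT}:instance-profile/ocp4-925gm-master-profile"}},
    {"InstanceId": "i-0bbb222", "State": {"Name": "stopped"},
     "IamInstanceProfile": {"Arn": f"arn:aws:iam::{ACCOUNT}:instance-profile/ocp4-925gm-master-profile"}},
    {"InstanceId": "i-0ccc333", "State": {"Name": "terminated"},
     "IamInstanceProfile": {"Arn": f"arn:aws:iam::{ACCOUNT}:instance-profile/ocp4-925gm-worker-profile"}},
    {"InstanceId": "i-0ddd444", "State": {"Name": "running"}},  # nothing attached
]}]}

def profile_name_from_arn(arn):
    """arn:aws:iam::<account>:instance-profile/<path>/<name> -> <name>"""
    return arn.rsplit("/", 1)[-1]

def instances_using_profile(describe_output, profile_name):
    """Ids of instances still holding the profile. Stopped instances count: they
    keep the profile and need it again on start. Only terminated ones are skipped."""
    ids = []
    for reservation in describe_output.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst.get("State", {}).get("Name") == "terminated":
                continue
            arn = inst.get("IamInstanceProfile", {}).get("Arn")
            if arn and profile_name_from_arn(arn) == profile_name:
                ids.append(inst["InstanceId"])
    return ids

def plan_profile_deletion(describe_output, candidates):
    """Split candidates into profiles safe to delete and profiles still in use."""
    safe, blocked = [], {}
    for name in candidates:
        users = instances_using_profile(describe_output, name)
        if users:
            blocked[name] = users
        else:
            safe.append(name)
    return safe, blocked

if __name__ == "__main__":
    # usage: aws ec2 describe-instances --output json | python check.py profile1 profile2
    safe, blocked = plan_profile_deletion(json.load(sys.stdin), sys.argv[1:])
    for name, users in blocked.items():
        print(f"KEEP   {name}: still attached to {', '.join(users)}")
    for name in safe:
        print(f"DELETE {name}")
```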

AWS EMR cluster creation with RunJobFlowResult unable to take specified config?

I am creating an AWS EMR cluster with the AWS Java SDK. Below is the code snippet.
JobFlowInstancesConfig jobFlowInstanceConfig = new JobFlowInstancesConfig()
        .withEc2SubnetId(config.getEc2SubnetId())
        .withEc2KeyName(config.getEc2KeyName())
        .withInstanceCount(config.getInstanceCount())
        .withKeepJobFlowAliveWhenNoSteps(true)
        .withMasterInstanceType(config.getMasterInstanceType())
        .withSlaveInstanceType(config.getSlaveInstanceType());
RunJobFlowRequest request = new RunJobFlowRequest()
        .withName(clusterName)
        .withReleaseLabel(config.getReleaseLabel())
        .withApplications(applications)
        .withLogUri(config.getLogUri())
        .withServiceRole(config.getServiceRole())
        .withJobFlowRole(config.getJobFlowRole())
        .withInstances(jobFlowInstanceConfig);
RunJobFlowResult runJobFlowResult = emrClient.runJobFlow(request);
As you can see, I am setting "JobFlowRole" using .withJobFlowRole(config.getJobFlowRole()), but it is taking the default value, which does not have permission to create the cluster.
I am getting the following error:
com.amazonaws.services.elasticmapreduce.model.AmazonElasticMapReduceException: User: arn:aws:sts::6...0:assumed-role/default-role/i-0...4 is not authorized to perform: iam:PassRole on resource: arn:aws:iam::6...0:role/EMR_DefaultRole (Service: AmazonElasticMapReduce; Status Code: 400; Error Code: AccessDeniedException; Request ID: a...f)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1701)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1356)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1102)
Help please.
The JobFlowRole is the role for the EMR service, and it is not the role used for creating the EMR cluster. See the documentation.
The credentials you use to create the EMR cluster must have the right permissions; the iam:PassRole permission is missing for your credentials.

AWS CLI environment create error CREATE_FAILED, reason: resources failed to create

I used to deploy a Java web application to Elastic Beanstalk (EC2) as the root user without this problem. Now I'm using the recommended way of deploying as an IAM service user and I get the following errors. I suspect it's because of a lack of permissions (policies), but I don't know what policies I should assign to the IAM user.
QUESTION: Could you help me in finding the right policies?
commands:
eb init --profile eb_admin
eb create --single
output of the 2nd command:
Printing Status:
2019-05-26 12:08:58 INFO createEnvironment is starting.
2019-05-26 12:08:59 INFO Using elasticbeanstalk-eu-central-1-726173845157 as Amazon S3 storage bucket for environment data.
2019-05-26 12:09:26 INFO Created security group named: awseb-e-ire9qdzahd-stack-AWSEBSecurityGroup-L5VUAQLDAA9F
2019-05-26 12:09:42 ERROR Stack named 'awseb-e-ire9qdzahd-stack' aborted operation. Current state: 'CREATE_FAILED' Reason: The following resource(s) failed to create: [MountTargetSecurityGroup, AWSEBEIP, sslSecurityGroupIngress, FileSystem].
2019-05-26 12:09:42 ERROR Creating security group failed Reason: The vpc ID 'vpc-7166611a' does not exist (Service: AmazonEC2; Status Code: 400; Error Code: InvalidVpcID.NotFound; Request ID: c1d0ce4d-830d-4b0c-9f84-85d8da4f7243)
2019-05-26 12:09:42 ERROR Creating EIP: 54.93.84.166 failed. Reason: Resource creation cancelled
2019-05-26 12:09:42 ERROR Creating security group ingress named: sslSecurityGroupIngress failed Reason: Resource creation cancelled
2019-05-26 12:09:44 INFO Launched environment: stack-overflow-dev. However, there were issues during launch. See event log for details.
Important!
I use a few .ebextensions scripts in order to initialize the environment:
nginx
https-instance-securitygroup
storage-efs-createfilesystem
storage-efs-mountfilesystem
After reviewing the logs, I also noticed that I forgot to create a VPC, which is required for the EFS filesystem. Could it be that one failed script (storage-efs-createfilesystem) is the root cause of the subsequent failing operations?
Yes, the lack of a VPC has caused the other resources to fail to create. Elastic Beanstalk and the storage-efs-createfilesystem extension use CloudFormation underneath.
The storage-efs-createfilesystem CloudFormation template creates the MountTargetSecurityGroup security group, and that failed due to the lack of a VPC. The AWSEBEIP, sslSecurityGroupIngress and FileSystem resource creation is then cancelled.

AWS Codestar Setup Beanstalk Policy Errors for Auto-scaling

I've been trying to use CodeStar on AWS with Ruby on Rails using Elastic Beanstalk. I tried applying and assigning Auto Scaling full access policies to no avail. Can anybody help me navigate around these errors? I'm also using the root account. I tried assigning this under roles but with no success.
Error messages:
Creating Auto Scaling group failed Reason: API: autoscaling:CreateAutoScalingGroup The default Service-Linked Role for Auto Scaling could not be created. com.amazonaws.services.identitymanagement.model.AmazonIdentityManagementException:
User: arn:aws:sts::**********:assumed-role/CodeStarWorker-phcnetworks-net-CloudFormation/AWSCloudFormation is not authorized to perform: iam:CreateServiceLinkedRole on resource: arn:aws:iam::**************:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling
(Service: AmazonIdentityManagement; Status Code: 403; Error Code: AccessDenied; Request ID: *******-******-*******)
Stack named 'awseb-e-*********-stack' aborted operation. Current state: 'CREATE_FAILED' Reason: The following resource(s) failed to create: [AWSEBAutoScalingGroup].
The reported error says that the role "CodeStarWorker-phcnetworks-net-CloudFormation" is not authorized to perform the operation iam:CreateServiceLinkedRole on the set of resources defined in the IAM policy. So the action "CreateServiceLinkedRole" needs to be added to the role for your Auto Scaling policies to succeed.
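The EKS, EMR and CodeStar answers above all come down to one check: does the caller's identity policy allow the action on the resource named in the 403 (eks:DeleteCluster, iam:PassRole on the EMR role, iam:CreateServiceLinkedRole on the Auto Scaling service role)? The following is an added example, not code from any of the posts, that evaluates an IAM policy document offline against exactly those action/resource pairs, applying the explicit-Deny-wins rule; the sample policy and account id 111122223333 are constructed.

```python
import fnmatch

# Constructed sample policy, not taken from the page: deliberately narrow so it
# reproduces the three 403s quoted above. The account id is a placeholder.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["eks:Describe*", "eks:List*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::111122223333:role/EMR_EC2_DefaultRole"},
        {"Effect": "Deny", "Action": "iam:CreateServiceLinkedRole", "Resource": "*"},
    ],
}

# The action/resource pairs named in the error messages on this page.
CHECKS = [
    ("eks:DeleteCluster", "*"),
    ("iam:PassRole", "arn:aws:iam::111122223333:role/EMR_DefaultRole"),
    ("iam:CreateServiceLinkedRole", "arn:aws:iam::111122223333:role/"
     "aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"),
]

def _any_match(patterns, value, case_sensitive):
    """IAM-style wildcard match ('*' and '?'); action names are case-insensitive."""
    if isinstance(patterns, str):
        patterns = [patterns]
    if not case_sensitive:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def evaluate(policy, action, resource="*"):
    """Return 'allow', 'deny' or 'implicit-deny' for one action on one resource.
    Core IAM rule only: an explicit Deny beats every Allow; no matching statement
    is an implicit deny. Conditions, NotAction/NotResource, permission boundaries
    and resource-based policies are out of scope for this helper."""
    decision = "implicit-deny"
    for stmt in policy["Statement"]:
        if not _any_match(stmt.get("Action", []), action, case_sensitive=False):
            continue
        if not _any_match(stmt.get("Resource", []), resource, case_sensitive=True):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"
        decision = "allow"
    return decision

def missing_permissions(policy, checks=CHECKS):
    """(action, resource, decision) triples the policy does not allow."""
    results = [(a, r, evaluate(policy, a, r)) for a, r in checks]
    return [t for t in results if t[2] != "allow"]
```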