I was installing OpenShift 4.4.9 on my AWS cluster using Installer Provisioned Infrastructure (IPI), but I wasn't successful in spinning up my OpenShift cluster on AWS because of the error below.
INFO Creating infrastructure resources...
ERROR
ERROR Error: Error creating IAM instance profile ocp4-925gm-bootstrap-profile: EntityAlreadyExists: Instance Profile ocp4-925gm-bootstrap-profile already exists.
ERROR status code: 409, request id: b6918967-774c-44c1-8b92-02ac7388f87c
ERROR
ERROR on ../../../tmp/openshift-install-584826335/bootstrap/main.tf line 46, in resource "aws_iam_instance_profile" "bootstrap":
ERROR 46: resource "aws_iam_instance_profile" "bootstrap" {
ERROR Error: Error creating IAM instance profile ocp4-925gm-worker-profile: EntityAlreadyExists: Instance Profile ocp4-925gm-worker-profile already exists.
ERROR status code: 409, request id: 3b5d2b9c-28fe-4c95-b622-7a80af45dfb6
ERROR
ERROR on ../../../tmp/openshift-install-584826335/iam/main.tf line 5, in resource "aws_iam_instance_profile" "worker":
ERROR 5: resource "aws_iam_instance_profile" "worker" {
ERROR Error: Error creating IAM instance profile ocp4-925gm-master-profile: EntityAlreadyExists: Instance Profile ocp4-925gm-master-profile already exists.
ERROR status code: 409, request id: 072d86e1-3508-4d59-a6ab-2ed647251056
ERROR
ERROR on ../../../tmp/openshift-install-584826335/master/main.tf line 9, in resource "aws_iam_instance_profile" "master":
ERROR 9: resource "aws_iam_instance_profile" "master" {
FATAL failed to fetch Cluster: failed to generate asset "Cluster": failed to create cluster: failed to apply using Terraform
Solution to Fix
Manual deletion is recommended in this case.
List your roles, then delete the instance profiles:
$ aws iam list-roles
$ aws --region=<region-name> iam delete-instance-profile --instance-profile-name <profile_name>
Example given below:
$ aws --region=us-east-1 iam delete-instance-profile --instance-profile-name ocp4-925gm-master-profile
$ aws --region=us-east-1 iam delete-instance-profile --instance-profile-name ocp4-925gm-worker-profile
Reference Link
Clarification: Before deleting an IAM instance profile on AWS, make sure that you do not have any EC2 instances running with the instance profile you are about to delete. Deleting a role or instance profile that's associated with a running instance will break any applications running on the instance. For documentation, use this link.
aws iam delete-instance-profile --instance-profile-name <profile-name>
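A pre-delete check for the caveat above, as an added example that is not from the original post: it takes the JSON that `aws iam list-instance-profiles` and `aws ec2 describe-iam-instance-profile-associations` print, flags the ocp4-<infra-id>-* profiles still attached to an instance, and emits the CLI steps for the rest (a role has to be detached before delete-instance-profile succeeds). The sample data, the account id and the instance ids are constructed placeholders.

```python
import json

# Constructed sample of `aws iam list-instance-profiles` output (account id is a placeholder).
INSTANCE_PROFILES = json.loads("""{"InstanceProfiles": [
 {"InstanceProfileName": "ocp4-925gm-master-profile",
  "Arn": "arn:aws:iam::111122223333:instance-profile/ocp4-925gm-master-profile",
  "Roles": [{"RoleName": "ocp4-925gm-master-role"}]},
 {"InstanceProfileName": "ocp4-925gm-worker-profile",
  "Arn": "arn:aws:iam::111122223333:instance-profile/ocp4-925gm-worker-profile",
  "Roles": [{"RoleName": "ocp4-925gm-worker-role"}]},
 {"InstanceProfileName": "prod-web-profile",
  "Arn": "arn:aws:iam::111122223333:instance-profile/prod-web-profile",
  "Roles": [{"RoleName": "prod-web-role"}]}]}""")

# Constructed sample of `aws ec2 describe-iam-instance-profile-associations` output:
# one leftover worker instance still uses the worker profile.
ASSOCIATIONS = json.loads("""{"IamInstanceProfileAssociations": [
 {"AssociationId": "iip-assoc-0123456789abcdef0", "InstanceId": "i-0123456789abcdef0",
  "IamInstanceProfile": {"Arn": "arn:aws:iam::111122223333:instance-profile/ocp4-925gm-worker-profile"},
  "State": "associated"}]}""")


def plan_cleanup(profiles, associations, prefix):
    """Split profiles whose name starts with `prefix` into (safe, in_use):
    `in_use` are still attached to an EC2 instance and must not be deleted."""
    in_use_arns = {a["IamInstanceProfile"]["Arn"]
                   for a in associations["IamInstanceProfileAssociations"]
                   if a["State"] in ("associating", "associated")}
    safe, in_use = [], []
    for p in profiles["InstanceProfiles"]:
        if p["InstanceProfileName"].startswith(prefix):
            (in_use if p["Arn"] in in_use_arns else safe).append(p)
    return safe, in_use


def cleanup_commands(safe, region):
    """CLI steps for the safe profiles. A role must be detached first, or
    delete-instance-profile is rejected with DeleteConflict."""
    cmds = []
    for p in safe:
        name = p["InstanceProfileName"]
        for role in p["Roles"]:
            cmds.append(f"aws --region={region} iam remove-role-from-instance-profile "
                        f"--instance-profile-name {name} --role-name {role['RoleName']}")
        cmds.append(f"aws --region={region} iam delete-instance-profile "
                    f"--instance-profile-name {name}")
    return cmds
```

Run plan_cleanup(INSTANCE_PROFILES, ASSOCIATIONS, "ocp4-925gm-") against real CLI output to see which leftover profiles are safe, then cleanup_commands(safe, region) for the commands to run.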
Related
I got the issue below when trying to create an iam_user with Terraform:
Error: failed creating IAM User (iam_user_test):
InvalidClientTokenId: The security token included in the request is invalid
Status code: 403, request id: xxxxxxxx
I can use these AWS credentials (access_key, access_secret) to access other services (S3, EC2, ...) but not IAM:
ubuntu#foo:/mnt/d/workspace/$ aws s3 ls
2022-10-05 10:31:10 aaaa
2022-09-07 23:23:50 bbbb
2022-09-07 14:42:34 cccc
ubuntu#foo:/mnt/d/workspace/$ aws iam get-user
An error occurred (InvalidClientTokenId) when calling the GetUser operation: The security token included in the request is invalid
AWS CLI version: aws-cli/2.7.29
AWS Provider version: terraform-provider-aws_v4.33.0_x5
Terraform version: v1.2.8
OS: Ubuntu subsystem 20.04.4
Note:
I use AWS Vault to generate the credentials (access_key, secret_key).
I can create a new IAM user via the AWS Console with the account that runs Terraform or the AWS CLI above.
Thanks all
I have a PHP application running on ECS Fargate 1.14.
aws-sdk-php version is 3.
I want to get a secret value stored in AWS Secrets Manager by IAM role, not by AWS access key/ID, for security reasons.
I set up SecretsManagerClient like this:
use Aws\SecretsManager\SecretsManagerClient;

$config = [
    'version' => '2017-10-17',
    'region'  => 'ap-northeast-1',
];
return new SecretsManagerClient($config);
I didn't add 'credentials' because I want to access Secrets Manager by IAM role.
The “Task Role” (not Task Execution Role) of my container has policy “SecretsManagerReadWrite”.
However, I can't access Secrets Manager, and I get this error:
Error: [Aws\Exception\CredentialsException] Error retrieving credentials from the instance profile metadata service. (cURL error 7: (see https://curl.haxx.se/libcurl/c/libcurl-errors.html)) in /share/swell/cgi-bin/vendor/aws/aws-sdk-php/src/Credentials/InstanceProfileProvider.php on line 240
What does this message mean?
I know AWSClient looks for credentials in the order below:
1. Load credentials from environment variables.
2. Load credentials from a credentials .ini file.
3. Load credentials from an IAM role.
Doesn't this situation apply to No.3?
Or am I attaching the wrong policy?
Additional info on 2021/06/18
I changed the policy attached to the ECS Task Role to "PowerUserAccess". The error message changed to 404.
2021-06-18 01:52:12 Error: [Aws\Exception\CredentialsException] Error retrieving credentials from the instance profile metadata service. (Client error: `GET http://169.254.169.254/latest/meta-data/iam/security-credentials/` resulted in a `404 Not Found` response:
It was because EC2 and ECS have different locations for obtaining credential information.
EC2:
http://169.254.169.254/latest/meta-data/iam/security-credentials/
ECS:
http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
I had to set the environment variable "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" in my web app container.
I added this line to my Dockerfile, and now I'm able to access Secrets Manager.
RUN echo 'export $(strings /proc/1/environ | grep AWS_CONTAINER_CREDENTIALS_RELATIVE_URI)' >> /etc/bashrc
https://forums.aws.amazon.com/thread.jspa?threadID=273767
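An added example, not from the original post, that mirrors the provider order listed above and recovers AWS_CONTAINER_CREDENTIALS_RELATIVE_URI from PID 1's environment, which is what the /proc/1/environ workaround relies on. It assumes the web server process simply did not inherit the variable the ECS agent set on PID 1; the sample environments and the credentials UUID are constructed.

```python
EC2_IMDS_URL = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
ECS_CREDENTIALS_HOST = "http://169.254.170.2"
CONTAINER_VAR = "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"


def parse_environ(data):
    """Parse the NUL-separated KEY=VALUE bytes of /proc/<pid>/environ."""
    env = {}
    for entry in data.split(b"\0"):
        key, sep, value = entry.partition(b"=")
        if sep:
            env[key.decode()] = value.decode()
    return env


def credential_source(env, has_ini_file=False):
    """Return (source, endpoint) in the order the post lists: env vars, the
    credentials .ini file, then a role: the ECS container endpoint when
    AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is set, otherwise the EC2 IMDS."""
    if env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY"):
        return "environment", None
    if has_ini_file:
        return "ini-file", env.get("AWS_SHARED_CREDENTIALS_FILE", "~/.aws/credentials")
    if env.get(CONTAINER_VAR):
        return "ecs-task-role", ECS_CREDENTIALS_HOST + env[CONTAINER_VAR]
    return "ec2-instance-profile", EC2_IMDS_URL  # on Fargate: cURL error 7 / 404


def inherit_container_credentials_uri(env, pid1_environ):
    """Return a copy of `env` with the variable copied from PID 1's environ
    when this process lacks it (what the /proc/1/environ workaround does)."""
    env = dict(env)
    if CONTAINER_VAR not in env:
        pid1 = parse_environ(pid1_environ)
        if CONTAINER_VAR in pid1:
            env[CONTAINER_VAR] = pid1[CONTAINER_VAR]
    return env


# Constructed sample: PID 1's environ as the ECS agent sets it (placeholder UUID),
# and a web-server child process that did not inherit it.
PID1_ENVIRON = (b"PATH=/usr/bin\0AWS_CONTAINER_CREDENTIALS_RELATIVE_URI="
                b"/v2/credentials/00000000-0000-0000-0000-000000000000\0")
CHILD_ENV = {"PATH": "/usr/bin"}
```

Inside a real container, pass open("/proc/1/environ", "rb").read() and dict(os.environ) to inherit_container_credentials_uri and feed the result to credential_source to see which endpoint the SDK would hit.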
I've successfully created an EKS cluster and some other resources via a Terraform script. However, I am unable to complete terraform destroy successfully. I get the following error upon deletion of the EKS cluster:
Error: error deleting EKS Cluster (cluster-name): AccessDeniedException:
status code: 403, request id: request-uuid
Any ideas?
The role I'm using needs to allow the eks:DeleteCluster operation in its policy.
I'm new to AWS and I'm trying to deploy Kubernetes for tutorial purposes using kops.
For that, I'm using a trial AWS account, and I started following this practical guide to do it, but I have an issue with this command:
kops create cluster --node-count=2 --node-size=t2.medium --zones=us-east-1a
which gives me the following error:
I0119 16:14:49.647701 13949 create_cluster.go:517] Inferred --cloud=aws from zone "eu-west-3a"
error populating configuration: error querying for valid AZs in "eu-west-3" - verify your AWS credentials. Error: UnauthorizedOperation: You are not authorized to perform this operation.
status code: 403, request id: a1f6e99f-76d6-4c3f-95bb-416cc2d67f2e
I wonder if it's related to some limited access due to my trial AWS account!
Looks like the AWS credentials are not properly set up; verify them with, e.g.:
$ aws sts get-caller-identity
{
"Account": "<number>",
"UserId": "AI...",
"Arn": "arn:aws:iam::<number>:user/<user>"
}
The problem was that I didn't have enough rights, since my user only had AmazonS3FullAccess.
Now I added:
AmazonEC2FullAccess
AmazonRoute53FullAccess
IAMFullAccess
AmazonVPCFullAccess
I am trying to build an EMR cluster through Terraform, but I am getting the following error when applying the code. IAM_EMR_for_EC2 is the instance profile role I created for the EC2 instances in the cluster to assume.
1 error(s) occurred:
aws_emr_cluster.tf-test-cluster: 1 error(s) occurred:
aws_emr_cluster.tf-test-cluster: ValidationException: Instance profile 'arn:aws:iam:::role/IAM_EMR_for_EC2' is not well-formed. Expected a resource of type INSTANCE_PROFILE.
status code: 400, request id: 6bd4461c-637f-11e8-8605-c930816c10b8
Could someone help me, as I am not able to understand this error, nor could I find any details on Google.
You're applying a role rather than an instance profile; they are actually different. The ARN needs to be in the format arn:aws:iam::336924118301:instance-profile/ExampleInstanceProfile.
A role needs to be attached to an instance profile resource.
You should write instance_profile = "${aws_iam_instance_profile.emr_profile.arn}"
and also create the emr_profile resource:
resource "aws_iam_instance_profile" "emr_profile" {
  name = "emr_profile"
  role = "${aws_iam_role.EMR_EC2_DefaultRole.name}"
}