I am following the instrutions at https://aws.amazon.com/getting-started/projects/build-modern-app-fargate-lambda-dynamodb-python/module-four/
aws apigateway create-deployment --rest-api-id a2kpkzqme1 --stage-name prod
An error occurred (BadRequestException) when calling the CreateDeployment operation: The Vpc link is not yet available for deployment
I had the same issue. So I checked the status of creation of the VPC Link:
aws apigateway get-vpc-link --vpc-link-id MY_VPC_LINK_ID
It showed, that creation failed:
{
"id": "xxxxxx",
"name": "MysfitsApiVpcLink",
"targetArns": [
"arn:aws:elasticloadbalancing:MY_REGION:MY_ID:loadbalancer/net/mysfits-nlb"
],
"status": "FAILED",
"statusMessage": "NLB ARN is malformed",
"tags": {}
}
So the failure I made was a wrong NLB ARN. I forgot something at the end.
I repeated all steps from the creation of the VPC Link (with right NLB ARN). Then it worked for me.
Related
I can delete aws transit gateway attachment via UI, but not via aws cli:
% /usr/local/bin/aws ec2 describe-transit-gateway-attachments --region ca-central-1 --transit-gateway-attachment-ids tgw-attach-00f7dc90293fb83a3
{
"TransitGatewayAttachments": [
{
"TransitGatewayAttachmentId": "tgw-attach-00f7dc90293fb83a3",
"TransitGatewayId": "tgw-0d86b5d260027d803",
"TransitGatewayOwnerId": "478397617193",
"ResourceOwnerId": "478397617193",
"ResourceType": "peering",
"ResourceId": "tgw-04de1919be2d38d6d",
"State": "available",
"Association": {
"TransitGatewayRouteTableId": "tgw-rtb-03d7c372b2f126709",
"State": "associated"
},
"CreationTime": "2022-11-04T09:44:45+00:00",
}
]
}
% aws ec2 delete-transit-gateway-vpc-attachment --transit-gateway-attachment-id tgw-attach-00f7dc90293fb83a3 --region ca-central-1
An error occurred (InvalidTransitGatewayAttachmentID.NotFound) when calling the DeleteTransitGatewayVpcAttachment operation: Transit Gateway VPC Attachment tgw-attach-00f7dc90293fb83a3 was deleted or does not exist.
Why do i get this error ? It clearly exists (we can see it via aws cli and console UI). I can also delete it from UI. I have full admin right when using aws cli.
Thanks,
I am trying to create a cloud formation stack using AWS Events to trigger an API call on a schedule. Most of the stack is working, however, the AWS::Events::ApiConnection is failing to create and I am not sure why.
This is the CF snippet that is failing: (Note, The API doesn't have any authentication yet, however, cloud formation requires the AuthParameters property)
"CronServerApiConnection": {
"Type": "AWS::Events::Connection",
"Properties": {
"Name": "api-connection",
"AuthorizationType": "API_KEY",
"AuthParameters": {
"ApiKeyAuthParameters": {
"ApiKeyName": "foo",
"ApiKeyValue": "bar"
}
}
}
},
In the cloud formation console this fails to create with the following error:
Resource handler returned message: "Error occurred during operation 'AWS::Events::Connection'." (RequestToken: xxxxxxxxxxxxxxxxx, HandlerErrorCode: GeneralServiceException)
I can't for the life of me figure this one out. from what I can see my CF snippet matches exactly what AWS specify in their docs here https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-events-connection.html
I ran into this issue myself a few weeks ago, and while looking for an answer I found this question unresolved so I thought I would share the answer. The events API is not descriptive at all with any of the errors, in my case the issues were permissions related. While is not clear in the documentation the AWS::Events::Connection not only needs permissions for the events API but also for the secretsmanager API since it will create some secrets for you under the hood. I solved this by adding full API permissions to the role creating the stack but of course I scoped the permissions by the resource to avoid security issues, something like:
effects: "Allow"
actions: [
"events:*",
"secretsmanager:*"
]
resources: [
"arn:aws:secretsmanager:<your region>:<your-account-id>:secret:events!connection/<yoursecretnameprefix>-*"
]
I will leave the addition of the event resource to you, but essentially is the same just scope by the arn of your resource. The above is just an example please replace the placeholders with the correct values.
(Solved)
I missed this mention on the aws user guide You can use the AmazonEC2FullAccess policy to give users complete access to work with Amazon EC2 Auto Scaling resources, launch templates, and other EC2 resources in their AWS account
Now I added permissions as same as on the AmazonEC2FullAccess policy on my custom policy, and the lambda is working well.
The AmazonEC2FullAccess has full permissions of CloudWatch, EC2, EC2 Auto Scaling, ELB, ELB v2, and limited IAM write permission.
#Marcin _ Thanks! your comment made me check this part.
I'm trying to update the ASG with 'updateAutoScalingGroup' API on lambda.
But this error "AccessDenied: You are not authorized to use launch template" is blocking me...
At the first time, I applied only related permissions on the IAM policy depend on the document, but now I allowed full permissions of EC2 and Autoscaling on the policy to solve this issue.
But no lucks.
On google, I saw some posts that saying this is just an error, or issue from AMI existence.
But my AMI for the launch template is in the same account, same region...
Could you give me some hint or reference to solve this?
Thanks
const AWS = require('aws-sdk')
exports.handler = (event) => {
const autoscaling = new AWS.AutoScaling()
const { asgName, templateName, version } = event
const params = {
AutoScalingGroupName: asgName,
LaunchTemplate: {
LaunchTemplateName: templateName,
Version: version
},
MaxSize: 4,
MinSize: 1,
DesiredCapacity: 1
}
autoscaling.updateAutoScalingGroup(params, async (err, data)=> {
if(err) console.log("err---", err)
else console.log("data---", data)
})
};
Below was added after the comments from Marcin, John Rotenstein, samtoddler
Now the policy has full permission for EC2, EC2 Auto Scaling, EC2 Image Builder, Auto Scaling, and some permissions on CloudWatch Logs. But no lucks yet.
The AMI is in the same account, same region. And I added the account number on the 'Modify Image Permissions' on it. (I don't know well on this but just tried.)
describeLaunchTemplates() shows the launchTemplate which I want to use.
CloudTrail shows 'RunInstances' and 'UpdateAutoScalingGroup' events. 'RunInstances' returned "errorCode": "Client.UnauthorizedOperation", and 'UpdateAutoScalingGroup' returned "errorCode": "AccessDenied", "errorMessage": "An unknown error occurred"
Without LaunchTemplate part, API is working well. (I tried update the min and max count only, and it succeed.)
Even I changed AMI as public, it's not working for this.
Now I'm trying to search about launch template and AMI related configuration..
Unfortunately, the errors provided by AWS in some cases are very unclear and could mislead.
Besides checking that you have the proper rights, this error is also returned when you are trying to create an autoscaling group with an invalid AMI or one that doesn't exist.
Actually, problem is your EC2 instance is having an IAM Role which you are not authorised to use it. Add below policy to lambda or whatever role or IAM user you using to pass the role that is attached to EC2 instance. Once that is done it will start working.
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": [
"iam:GetRole",
"iam:PassRole"
],
"Resource": "arn:aws:iam::account-id:role/EC2-roles-for-XYZ-*"
}]
}
I have created a lambda instance, then used the 'automagic' button in lambda to create an http API gateway. I have modified the log output within the API Gateway instance, but not much else. When I call it within my application, I'm getting an intermittent error (API Gateway log):
{
"requestId": "xxxx",
"ip": "xx.xx.xx.xx",
"requestTime": "10/Jan/2020:18:47:08 +0000",
"httpMethod": "GET",
"routeKey": "/Current",
"status": "500",
"protocol": "HTTP/1.1",
"responseLength": "35",
"error": "Internal Server Error",
"error response type": "INTEGRATION_FAILURE"
}
When this happens, it doesn't seem to be hitting the lambda instance at all (duh! integration failure!). Or at least there's nothing in the lambda log.
But if I reload the web page that makes the call a couple of times, the error no longer appears.
Does the lambda instance need to 'wake up'? I tried a 'pre-call' within my application, under the assumption that this was the case and it didn't seem to help.
What is happening and what can I do to avoid the blank screen my customer is seeing?
UPDATE: I have checked the permissions, and run the command necessary to make sure they are correct:
aws lambda add-permission \
--statement-id [statement id] \
--action lambda:InvokeFunction \
--function-name [lambda function name] \
--principal apigateway.amazonaws.com \
--source-arn [source arn]
It didn't help.
Did you by any chance configure an authorizer that's piped into the API Gateway?
I am trying to create a lifecycle event for an autoscaling group in AWS Amazon cloudformation, however I keep getting a really ambiguous error back when deploying my stack:
Unable to publish test message to notification target
arn:aws:sns:us-east-1:000000000000:example-topic using IAM role arn:aws:iam::000000000000:role/SNSExample. Please check your target and role configuration and try to put lifecycle hook again.
I have tested the SNS topic and it can send emails fine and my code appears to be in line with what Amazon suggest:
"ASGLifecycleEvent": {
"Type": "AWS::AutoScaling::LifecycleHook",
"Properties": {
"AutoScalingGroupName": "ASG-179ZOVNY8SEFT",
"LifecycleTransition": "autoscaling:EC2_INSTANCE_LAUNCHING",
"NotificationTargetARN": "arn:aws:sns:us-east-1:000000000000:example-topic",
"RoleARN": "arn:aws:iam::000000000000:role/SNSExample"
},
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "83129091-8efc-477d-86ef-9a08de4d6fac"
}
}
}
And I have granted full access to everything in that IAM role, however I still get this error message. Does anyone have any other ideas what could really be causing this error?
Your SNSExample role needs to delegate permissions from the AutoScalingNotificationAccessRole managed policy to the autoscaling.amazonaws.com service via an associated Trust Policy (the AssumeRolePolicyDocument Property in the CloudFormation Resource):
SNSExample:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
Service: [autoscaling.amazonaws.com]
Action: ['sts:AssumeRole']
Path: /
ManagedPolicyArns:
- arn:aws:iam::aws:policy/service-role/AutoScalingNotificationAccessRole
(You can also delegate access to sns:Publish action instead of using the managed policy, but I recommend the managed policy because it will stay up to date if additional permissions are required for this service in the future.)
See the Receive Notification Using Amazon SNS part of the Auto Scaling Lifecycle Hooks section of the Auto Scaling User Guide for more information.