Unauthorized to create Kubernetes cluster on AWS using kops - amazon-web-services

I'm new to AWS and I'm trying to deploy Kubernetes for some tutorial purposes using kops.
For that, I'm using a trial AWS account and I started following this practical guide to do it, but I have an issue with this command:
kops create cluster --node-count=2 --node-size=t2.medium --zones=us-east-1a
which gives me the following error:
I0119 16:14:49.647701 13949 create_cluster.go:517] Inferred --cloud=aws from zone "eu-west-3a"
error populating configuration: error querying for valid AZs in "eu-west-3" - verify your AWS credentials. Error: UnauthorizedOperation: You are not authorized to perform this operation.
status code: 403, request id: a1f6e99f-76d6-4c3f-95bb-416cc2d67f2e
I wonder if it's not related to some limited access due to my trial AWS account!

Looks like the AWS credentials are not properly set up; verify them with e.g.:
$ aws sts get-caller-identity
{
"Account": "<number>",
"UserId": "AI...",
"Arn": "arn:aws:iam::<number>:user/<user>"
}

The problem was that I didn't have enough rights to do it, since my user had only AmazonS3FullAccess.
Now I added:
AmazonEC2FullAccess
AmazonRoute53FullAccess
IAMFullAccess
AmazonVPCFullAccess

Related

Error: checking AWS STS access – cannot get role ARN for current session: MissingEndpoint: 'Endpoint' configuration is required for this service

I created a cluster.yaml file which contains the below information:
---
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig
metadata:
  name: eks-litmus-demo
  region: ${AWS_REGION}
  version: "1.21"
managedNodeGroups:
  - instanceType: m5.large
    amiFamily: AmazonLinux2
    name: eks-litmus-demo-ng
    desiredCapacity: 2
    minSize: 2
    maxSize: 4
When I run $ eksctl create cluster -f cluster.yaml to create the cluster through my terminal, I get the below error:
Error: checking AWS STS access – cannot get role ARN for current session: MissingEndpoint: 'Endpoint' configuration is required for this service
How can I resolve this? Please help!!!
Note: I have the global and regional endpoints under STS set to "valid in all AWS regions".
In my case, it was a typo in the region. I had us-east1 as the value. When it is corrected to us-east-1, the error disappeared. So it is worth checking if there are typos in any of the fields.
Mention --profile if you use any AWS profile other than default:
eksctl create cluster -f cluster.yaml --profile <profile-name>
My SSO session token had expired:
aws sts get-caller-identity --profile default
The SSO session associated with this profile has expired or is otherwise invalid. To refresh this SSO session run aws sso login with the corresponding profile.
Then I needed to refresh my SSO session token:
aws sso login
Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:
https://device.sso.us-east-2.amazonaws.com/
Then enter the code:
XXXX-XXXX
Successfully logged into Start URL: https://XXXX.awsapps.com/start
Error: checking AWS STS access – cannot get role ARN for current session:
According to this, I think it's not able to get the role (in your case, the cluster creator's role) which is responsible for creating the cluster.
Create an IAM user with appropriate role. Attach necessary policies to that role to create the EKS cluster.
Then you can use aws configure command to add the AWS Access Key ID, AWS Secret Access Key, and Default region name.
[Make sure that the user has the appropriate access to create and access the eks cluster in your aws account. You can use aws cli to verify if you have the appropriate access]
It is important to configure the default profile for AWS CLI correctly on the command line using
set AWS_ACCESS_KEY_ID <your_access_key>
set AWS_SECRET_ACCESS_KEY <your_secret_key>

Invalid security token when specifying other another region

I am using an assumed role; all environment variables have been set (AWS_SESSION_TOKEN, AWS_SECURITY_TOKEN, AWS_SECRET_ACCESS_KEY, and AWS_ACCESS_KEY_ID).
When I call aws sts get-caller-identity on my default region (ap-southeast-1) it doesn't have a problem
$ awsudo -u somerolename aws sts get-caller-identity --region ap-southeast-1
{
"UserId": "XXXXXYYYYYZZZZZZ:botocore-session-1234567",
"Account": "111122223333",
"Arn": "arn:aws:sts::111122223333:assumed-role/somerolename/botocore-session-2222333344"
}
But when I change it to the region that I am trying to work on (ap-southeast-3), an error happens
$ awsudo -u somerolename aws sts get-caller-identity --region ap-southeast-3
An error occurred (InvalidClientTokenId) when calling the GetCallerIdentity operation: The security token included in the request is invalid
How do I resolve this? I have tried other regions as well, but it seems only ap-southeast-1 works.
I think you are facing this issue because the ap-southeast-3 region is not enabled for your account. You can check if it is enabled by running the following command:
aws ec2 describe-regions --region-names ap-southeast-3
If your region is not enabled, you will get the following response:
{
"Regions": [
{
"Endpoint": "ec2.ap-southeast-3.amazonaws.com",
"RegionName": "ap-southeast-3",
"OptInStatus": "not-opted-in"
}
]
}
In order to enable it, you just have to follow the instructions from the AWS docs:
To enable a Region
Sign in to the AWS Management Console.
In the upper right corner of the console, choose your account name or number and then choose My Account.
In the AWS Regions section, next to the name of the Region that you want to enable, choose Enable.
In the dialog box, review the informational text and choose Enable Region.
Wait until the Region is ready to use.
Please note, enabling a region may take some time. As far as I've experienced, this time is fairly short. You should get an email as soon as the region is enabled.
OK, so apparently I had to set the STS global endpoint to be valid in all regions.
More on that is discussed in the docs here, in the "Managing global endpoint session tokens" section.

AWS AccessDenied when calling the UploadServerCertificate

I ran into a problem with an AWS instance when I was trying to import a self-signed SSL certificate to the IAM console following this tutorial -> https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https-ssl.html
Basically the tutorial is made to self-sign a certificate and upload it to the IAM user to have an HTTPS application for testing purposes.
I SSH'd into my instance and ran all those commands, but in the end when I need to import it I get the error that my account is not authorized...
An error occurred (AccessDenied) when calling the
UploadServerCertificate operation: User:
arn:aws:sts::xxxxxxxxx:assumed-role/aws-elasticbeanstalk-ec2-role/xxxxxxx
is not authorized to perform: iam:UploadServerCertificate on resource:
arn:aws:iam::xxxxxxxxx:server-certificate/elastic-beanstalk-x509
I'm logged in as ec2-user on the instance because I didn't find a way to log in with any other user...
I tried running the command as sudo and nothing changes. On a similar post I have seen that I need to create a specific IAM user to which I need to attach a specific group policy to have the "IAMFullAccess" policy. But I don't understand how I can specify that I want to run this command as this user, since I am logged in as ec2-user over SSH...
You need to do some reading: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html
Create an IAM role with Upload permission
Add a trust policy to the role that it will allow it to be assumed by your EC2 instance
Attach the role to the EC2 instance
From your error it seems that you are using Elastic Beanstalk. This means that you already have a role that is assumed by your EC2. Find this role (xxxxx in the error message) and add the appropriate permissions.
Okay, I have managed to add the certificate to the instance...
$ aws iam list-server-certificates
{
  "ServerCertificateMetadataList": [
    {
      "ServerCertificateId": "id",
      "ServerCertificateName": "elastic-beanstalk-x509",
      "Expiration": "2022-10-21T13:07:11Z",
      "Path": "/",
      "Arn": "arn",
      "UploadDate": "2021-10-21T13:42:39Z"
    }
  ]
}
I also added a Listener and process on "Modify Application Load Balancer" but the site is still not responding to HTTPS requests... Any idea?

Insufficient access AWS whilst using AWS CLI

I've been trying to access a project in AWS devicefarm using AWS CLI.
Steps taken:
Downloaded the AWS CLI tool
Configured my credentials according to: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html using aws configure command
executed aws devicefarm list-uploads --arn myProjectArn
and what I get is this error:
An error occurred (AccessDeniedException) when calling the ListUploads operation:
User: arn:aws:iam::replacingANumber:user/myUserName is not authorized to perform: devicefarm:ListUploads
on resource:
arn:aws:devicefarm:us-west-2:replacingANumber:project:replacingALongString with an explicit deny
The docs: https://docs.aws.amazon.com/eks/latest/userguide/troubleshooting_iam.html say I'm missing permissions, but the DevOps team in my company says I have all the permissions.
What am I missing?
Either misconfigured AWS CLI or insufficient permissions.
This can be 2 things:
Your AWS CLI is misconfigured. Make sure that when you run aws sts get-caller-identity, you get the same role as the one that the devops team claims to have the correct permission. Also, make sure that your default region is us-west-2.
If the above is correctly setup, then it comes from the permissions defined in the IAM policy. If you are able to view the policy associated with your user/role, you can check out the policy simulator to figure out which permission is missing.
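The AccessDenied messages in this thread and in the UploadServerCertificate thread above share one shape, and whether the message ends in "with an explicit deny" decides what kind of fix can work. The following Python is an added example, not code from either thread: it parses that shape and emits the smallest Allow statement scoped to exactly the failing action and resource, or reports that a matching Deny statement has to be found instead. The two sample messages are the ones quoted on this page.

```python
import re
from typing import Optional

# Shape of the message the CLI prints on AccessDenied; whitespace is normalised first
# because the CLI wraps the message over several lines.
ACCESS_DENIED_RE = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: (?P<action>\S+)"
    r" on resource: (?P<resource>\S+)(?P<explicit_deny> with an explicit deny)?"
)

# Sample inputs: the two error messages quoted on this page.
SAMPLE_ERRORS = [
    "An error occurred (AccessDenied) when calling the UploadServerCertificate operation: "
    "User: arn:aws:sts::xxxxxxxxx:assumed-role/aws-elasticbeanstalk-ec2-role/xxxxxxx "
    "is not authorized to perform: iam:UploadServerCertificate on resource: "
    "arn:aws:iam::xxxxxxxxx:server-certificate/elastic-beanstalk-x509",
    "An error occurred (AccessDeniedException) when calling the ListUploads operation: "
    "User: arn:aws:iam::replacingANumber:user/myUserName is not authorized to perform: "
    "devicefarm:ListUploads on resource: "
    "arn:aws:devicefarm:us-west-2:replacingANumber:project:replacingALongString "
    "with an explicit deny",
]

def parse_access_denied(message: str) -> dict:
    """Pull principal, action, resource and the kind of deny out of the error text."""
    m = ACCESS_DENIED_RE.search(" ".join(message.split()))
    if m is None:
        raise ValueError("not an AWS authorization error message")
    return {
        "principal": m["principal"],
        "action": m["action"],
        "resource": m["resource"],
        # "with an explicit deny" means a Deny statement matched (identity policy, SCP,
        # permission boundary or resource policy); otherwise the deny is implicit.
        "explicit_deny": m["explicit_deny"] is not None,
    }

def minimal_allow_statement(parsed: dict) -> Optional[dict]:
    """Smallest Allow that would unblock the call, scoped to the failing action and
    resource only. None for an explicit deny: no Allow overrides a Deny, so the
    matching Deny statement has to be found and changed instead."""
    if parsed["explicit_deny"]:
        return None
    return {"Effect": "Allow", "Action": parsed["action"], "Resource": parsed["resource"]}

if __name__ == "__main__":
    for err in SAMPLE_ERRORS:
        parsed = parse_access_denied(err)
        print(parsed["action"], "->", minimal_allow_statement(parsed))
```

The generated statement is a starting point for the role named in the message; it still belongs in a policy attached to that role (or, for the instance case, to the instance profile role) rather than to a broader managed policy.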

Service role EMR_DefaultRole has insufficient EC2 permissions

While creating an AWS EMR cluster, I always get the issue: Service role EMR_DefaultRole has insufficient EC2 permissions
And the cluster terminates automatically. I have even done the steps from the AWS documentation for recreating the EMR-specific roles, but no progress. Please guide me on how to resolve the issue: Service role EMR_DefaultRole has insufficient EC2 permissions
EMR needs two roles to start the cluster 1) EC2 Instance profile role 2)EMR Service role. The service role should have enough permissions to provision new resources to start the cluster, EC2 instances, their network etc. There could be many reasons for this common error:
Verify the resources and their actions. Refer https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-iam-role.html.
Check if you are passing the tag that signifies if cluster needs to use emr managed policy.
{
"Key": "for-use-with-amazon-emr-managed-policies",
"Value": "true"
}
At last, try to find out the exact reason from CloudTrail. Go to aws > CloudTrail. From the event history configuration enable the error code so that you can see the exact error. If you find an error code something like 'You are not authorized to perform this operation. Encoded authorization failure message', then open the event history details, pick up the encrypted error message and decrypt it using the AWS CLI:
aws sts decode-authorization-message --encoded-message <message>
This will show you the complete role details, event, resources, action. Compare it with the AWS IAM permissions and you can find out the missing permission or parameter that you need to pass while creating the job flow.
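As an added example (not part of the answer above) of reading what the decode step returns: the following Python summarizes the DecodedMessage JSON that aws sts decode-authorization-message produces, separating an implicit deny (no statement allows the action) from an explicit one, and listing the request-context keys a Condition block could have keyed on. The sample document is constructed for this example, with placeholder account and principal ids, in the shape the decoded message has.

```python
import json
import sys

# Constructed sample in the shape of the DecodedMessage field returned by
# `aws sts decode-authorization-message`; account and principal ids are placeholders.
SAMPLE_DECODED_MESSAGE = json.dumps({
    "allowed": False,
    "explicitDeny": False,
    "matchedStatements": {"items": []},
    "context": {
        "principal": {"id": "AROAEXAMPLEID:EMR_DefaultRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/EMR_DefaultRole/EMR_DefaultRole"},
        "action": "ec2:RunInstances",
        "resource": "arn:aws:ec2:us-east-1:111122223333:instance/*",
        "conditions": {"items": [
            {"key": "ec2:InstanceType", "values": {"items": [{"value": "m5.xlarge"}]}},
            {"key": "aws:RequestTag/for-use-with-amazon-emr-managed-policies",
             "values": {"items": [{"value": "true"}]}},
        ]},
    },
})

def summarize_decoded_message(decoded: str) -> dict:
    """Reduce a DecodedMessage document to what is needed to fix the policy."""
    doc = json.loads(decoded)
    ctx = doc.get("context", {})
    # Request-context keys and values: the things a Condition block could have keyed on.
    conditions = {
        c["key"]: [v["value"] for v in c.get("values", {}).get("items", [])]
        for c in ctx.get("conditions", {}).get("items", [])
    }
    if doc.get("allowed"):
        verdict = "allowed"
    elif doc.get("explicitDeny"):
        verdict = "explicit deny: a Deny statement matched; an extra Allow will not help"
    else:
        verdict = "implicit deny: no statement allows this action on this resource"
    return {
        "principal": ctx.get("principal", {}).get("arn"),
        "action": ctx.get("action"),
        "resource": ctx.get("resource"),
        "conditions": conditions,
        "matched_statements": len(doc.get("matchedStatements", {}).get("items", [])),
        "verdict": verdict,
    }

if __name__ == "__main__":
    # Reads the decoded document from stdin and prints the summary.
    print(json.dumps(summarize_decoded_message(sys.stdin.read()), indent=2))
```

To run it on a real message: aws sts decode-authorization-message --encoded-message "$MSG" --query DecodedMessage --output text | python3 summarize.py (the caller needs sts:DecodeAuthorizationMessage).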