I'am trying to add kubernetes cluster to my Gitlab repository using Amazon EKS. Authentication step is going successful, but on cluster creating via Gitlab step I getting following troubles:
Gitlab can't receive IAM Roles and I can't pick them.
Gitlab can't receive regions from AWS account.
Form errors
I guess AWS account have enough roles to show, I have roles with full IAM access.
Then I decided to check browser dev tools and found that there are some errors with accessing Amazon services.
Error pattern: Refused to connect to '<URL>' because it violates the following Content Security Policy directive: "connect-src 'self' <URL> <URL> <URL> <URL> <URL> <URL> <URL>".
Console errors
I thought this is a problem with adblocker extension and I tried to use clean browser, but I got same throubles.
Related
We are calling the K8S API to get version of the cluster.
The URL is https://:443/version .
But the HTTP request is failing with this error - GET request to the remote host failed [HTTP-Code: 401]: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}
This call is working in other AWS regions for ex us-east-2(ohio), us-east-1, ap-south-1 etc. But specifically failing in this region.
I have checked IAM console this region is enables for STS service
While calling the K8S API we are passing STS token (with standard AWS signature calculation).
So I am not getting why it is failing in only a specific region?
I can access that cluster using AWS EKS CLI. All the operations on that cluster are working fine. kubectl is also in working state.
I am trying to connect to AWS neptune DB after enabling IAM DB authorisation and it is not able to connect and failing with below error.
{"code":"AccessDeniedException","requestId":"68bbc87a-cbf6-31d3-5829-91f32062239f","detailedMessage":"Missing Authentication Token"}
However Its working fine with disabling IAM DB authorisation.
I have created a policy (using link https://docs.aws.amazon.com/neptune/latest/userguide/iam-auth-policy.html) to connect to neptune DB and attached the policy to IAM role which is being added to the ec2 instance. I can able to telnet to neptune DB endpoint with 8182 port.
Can someone please help.
When IAM authentication is enabled, requests to the HTTP endpoint must be signed using SigV4. You can use a tool like awscurl to do this.
Here is an example from the Amazon Neptune documentation that I have modified slightly to have it point to the /status endpoint.
Set the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables correctly (and
also AWS_SECURITY_TOKEN if you are using temporary credential). You can also pass these as parameters to awscurl. Then use a command such as (change the region to be your region).
awscurl -X GET --service neptune-db --region us-west-2 "$SYSTEM_ENDPOINT/status"
You can get temporary credentials using sts via the AWS CLI tools as follows:
aws sts get-session-token
If you are running on an EC2 instance you can get the tokens from the metadata service so long as the EC2 instance has a role attached that has access to Neptune. More details here: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html
I am trying to build CI/CD using AWS CodePipeline.
I am integrating the Git lab with AWS S3.I am using this link -
https://aws.amazon.com/quickstart/architecture/git-to-s3-using-webhooks/
When the code is pushed into a specific branch, the AWS API is called. ( I can see in the CloudWatch logs). But I am getting below error -
Failed to authenticate SSH session: Waiting for USERAUTH response:
GitError
Do I need to configure the GITlab username/keys anywhere on AWS/S3/Cloudformation side?
I have configured GIT PULL URL ( GitPullWebHookApi) on the Gitlab Webhooks side.
I have configured, the PublicSSHKey from AWS S3 Cloudformation into the Secret Token in Gitlab.
Am I missing any step?
Is there any document which specifies the steps to configure the Gitlab keys/user credentials for this integration?
Add the SSH public key resource "PublicSSHKey" generated by the Cloudformation Stack in the Gitlab user public key settings. Please remember that the public needs to added to each user's account who need to invoke the pipeline when committing a change in the Git repository. The Outputs tab for the CloudFormation stack contain the two webhook endpoint URLs, the output bucket name, and the public SSH key [1].
[1] https://aws-quickstart.s3.amazonaws.com/quickstart-git2s3/doc/git-to-amazon-s3-using-webhooks.pdf
I have k8s clusters on AWS working with ECR and pulling images from all regions. This works fine.
But when I try to pull images from a different account they get "no such host". I followed these instructions to set iam permissions (and the docs). I'm not getting permission denied - I'm getting this:
Failed to pull image "<acc id>.dkr.ecr.ap-outheast-2.amazonaws.com/image:tag":
rpc error: code = Unknown desc = Error response from daemon:
Get https://<acc id>.dkr.ecr.ap-outheast-2.amazonaws.com/v1/_ping:
dial tcp: lookup <acc id>.dkr.ecr.ap-outheast-2.amazonaws.com
on 10.71.0.2:53: no such host
My cluster is running in ap-southeast-1 and the IP 10.71.0.2:53 is the default DNS AWS set for the VPC
I'm trying to wok around this by populating this region's ECR as well. But it seems pretty wrong.
Any idea how to allow ECR to pull from another region?
I think you made simple typo in .dkr.ecr.ap-outheast-2.amazonaws.com/image:tag - that's why you receive no such host from DNS server, just try to replace ap-outheast-2 with ap-southeast-2.
Generally if you set ECR IAM right that should work as ECR is accessible/routable as public service in Internet with limitations based on IAM.
I've configured IAM roles for my different services on EC2 server.with the help of below link IAM Role Setup. According to AWS docs after setting IAM role we don't need any credentials to be stored in our application it takes the credential details from EC2 instance metadata.
However, I am getting error when I removed AWS key from my web.config."No RegionEndpoint or ServiceURL configured" After some time when I added region point entry to my Web.config entry then it started working.
<add key="AWSRegion" value="us-east-1" />
Please note in another application where I am accessing only AWS DynamoDB on the same server, it works without adding region point entry in config. Any kind of help is appreciated.Thank you in advance.
IAM role is only for fetching credentials from the metadata server, not for the region you are trying to connect to. So, you have to specify the region in the config file, not the credentials. Some services default to a region (like us-east-1) but many services expect the region to be configured or passed when creating a client object.