I have created an Amazon Data Lifecycle Manager policy, but after a day it is showing this error:
There are no attached EBS-backed volumes on the instance id
However, if I create a snapshot on my own without the Data Lifecycle Manager, I am able to create a snapshot.
The instance id is correct though. Can anyone help?
I am trying to create an AMI from a shared AMI from another account. Since I do not have access to the snapshot, I cannot create or rename the AMI, so I opted to use Packer to bake a new AMI with the needed custom name.
Since the shared AMI is encrypted, the newly created AMI is created with the default AWS key, and because of this I cannot share the AMI with other accounts.
(error msg: ==> amazon-ebs.instance: Error modify AMI attributes: InvalidParameter: Snapshots encrypted with the AWS Managed CMK can't be shared. Specify another snapshot)
I need some advice on how to address this issue.
P.S. I need to create a new AMI with a custom name from the shared AMI so I can share the same AMI across AWS accounts.
I am open to hearing an alternate approach as well.
I'm trying to create an AWS spot fleet through CloudFormation, but I'm getting this permission error. I'm creating this stack through a root account, so I don't see a possible reason for an IAM error via CloudFormation.
I'm creating this stack from the CLI with root account credentials.
Has anybody encountered this before?
I would check the instructions for the Amazon EC2 Spot Fleet Role:
If you create a managed compute environment that uses Amazon EC2 Spot Fleet Instances, you must create a role that grants the Spot Fleet permission to bid on, launch, tag, and terminate instances on your behalf. Specify the role in your Spot Fleet request. You must also have the AWSServiceRoleForEC2Spot and AWSServiceRoleForEC2SpotFleet service-linked roles for Amazon EC2 Spot and Spot Fleet.
Also, to quote the documentation on Spot Fleet Prerequisites:
If you use the Amazon EC2 console to create a Spot Fleet, it creates a role named aws-ec2-spot-fleet-tagging-role that grants the Spot Fleet permission to request, launch, terminate, and tag instances on your behalf. This role is selected when you create your Spot Fleet request. If you use the AWS CLI or an API instead, you must ensure that this role exists.
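Since the stack is built from the CLI, the role the console would have created for you has to be declared explicitly. The following CloudFormation resource is an added example, not part of the answer above: it creates the aws-ec2-spot-fleet-tagging-role with a trust policy that lets only the Spot Fleet service (spotfleet.amazonaws.com) assume it, and attaches the AWS-managed AmazonEC2SpotFleetTaggingRole policy rather than a broad custom one. The logical name SpotFleetTaggingRole is an assumption; reference it from the Spot Fleet's IamFleetRole property with Fn::GetAtt on its Arn.

```json
{
  "Resources": {
    "SpotFleetTaggingRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "RoleName": "aws-ec2-spot-fleet-tagging-role",
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": { "Service": "spotfleet.amazonaws.com" },
              "Action": "sts:AssumeRole"
            }
          ]
        },
        "ManagedPolicyArns": [
          "arn:aws:iam::aws:policy/service-role/AmazonEC2SpotFleetTaggingRole"
        ]
      }
    }
  }
}
```

Because the role carries an explicit RoleName, the stack must be created with --capabilities CAPABILITY_NAMED_IAM; the two service-linked roles quoted above are created once per account with aws iam create-service-linked-role --aws-service-name spot.amazonaws.com (and spotfleet.amazonaws.com) and are not part of this template.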
Problem:
I have an EMR cluster (along with a number of other resources) defined in a cloudformation template. I use the AWS rest api to provision my stack. It works, I can provision the stack successfully.
Then, I made one change: I specified a custom AMI for my EMR cluster. And now the EMR provisioning fails when I provision my stack.
And now my stack creation fails, due to EMR provisioning failing. The only information I can find is an error on the console: null: Error provisioning instances.. Digging into each instance, I see that the master node failed with error Status: Terminated. Last state change reason:Time out occurred during bootstrap
I have s3 logging configured for my EMR cluster, but there are no logs in the s3 bucket.
Details:
I updated my cloudformation script like so:
my_stack.cfn.yaml:
rMyEmrCluster:
  Type: AWS::EMR::Cluster
  ...
  Properties:
    ...
    CustomAmiId: "ami-xxxxxx" # <-- I added this
Custom AMI details:
I am adding a custom AMI because I need to encrypt the root EBS volume on all of my nodes. (This is required per documentation)
The steps I took to create my custom AMI:
I launched the base AMI that is used by AWS for EMR nodes: emr 5.7.0-ami-roller-27 hvm ebs (ID: ami-8a5cb8f3)
I created an image from my running instance
I created a copy of this image, with EBS root volume encryption enabled. I use the default encryption key. (I must create my own base image from a running instance, because you are not allowed to create an encrypted copy from an AMI you don't own)
I wonder if this might be a permissions issue, or perhaps my AMI is misconfigured in some way. But it would be prudent for me to find some logs first, to figure out exactly what is going wrong with node provisioning.
I feel stupid. I accidentally used a completely unrelated AMI (a Red Hat 7 image) as the base image, instead of the AMI that EMR uses for its nodes by default: emr 5.7.0-ami-roller-27 hvm ebs (ami-8a5cb8f3)
I'll leave this question and answer up in case someone else makes the same mistake.
Make sure you create your custom AMI from the correct base AMI: emr 5.7.0-ami-roller-27 hvm ebs (ami-8a5cb8f3)
You mention that you created your custom AMI based on an EMR AMI. However, according to the documentation you linked, you should actually base your AMI on "the most recent EBS-backed Amazon Linux AMI". Your custom AMI does not need to be based on an EMR AMI, and indeed I suppose that doing so could cause some problems (though I have not tried it myself).
I'm using a CloudWatch dashboard to monitor EC2 instances. The Name tag of each EC2 instance is shown beside the instance id in the charts when I log in as the root user.
However, when I log in as a user with only list and read permissions for CloudWatch and EC2, the charts' legends appear without the EC2 instance Name tag. It's very frustrating to switch back and forth between the EC2 management console and the CloudWatch dashboard, mapping instance ids to EC2 Name tags.
I suspect that I need to add more permissions to the user, but I cannot figure out exactly which permissions are needed.
ec2:describeInstances
ec2:describeTags
ec2:describeVolumes
See: Permissions Required to Use the CloudWatch Console
Or just attach AWS Managed Policy: CloudWatchReadOnlyAccess – Grants read-only access to CloudWatch.
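If you would rather not grant the whole managed policy, the following identity policy is an added example (not the answer author's) that scopes the user to CloudWatch read-only actions plus the three EC2 describe calls listed above, which is what the dashboard needs to resolve instance ids to Name tags. The Sid values are assumptions; the EC2 Describe* actions do not support resource-level restrictions, so "Resource": "*" is required for that statement.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CloudWatchReadOnly",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:Describe*",
        "cloudwatch:Get*",
        "cloudwatch:List*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Ec2DescribeForDashboardLegends",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeTags",
        "ec2:DescribeVolumes"
      ],
      "Resource": "*"
    }
  ]
}
```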
In order to run the AWS monitoring scripts (http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/mon-scripts-perl.html) on one of my existing EC2 instances, I need an IAM role associated with the instance.
I found a lot of documentation on launching an instance with a role... but nothing on linking a role to an existing instance.
Is it possible?
If not, what can I do? Launch a new instance with a role and transfer the volumes to it?
If not, what can I do? Launch a new instance with a role and transfer the volumes to it?
This is one option, but it might take you a long time if you have a lot of instances.
The other option is to simply use IAM: create a new user, then add the Amazon CloudWatch PutMetricData operation permission to that user. Then, create AWS credentials for that user and finally use them as per the docs that you specified:
Optional: If you aren't using an IAM role, update the awscreds.template file that you downloaded earlier. The content of this file should use the following format:
AWSAccessKeyId=YourAccessKeyID
AWSSecretKey=YourSecretAccessKey
Also set the environment variable AWS_CREDENTIAL_FILE to point to that awscreds.template in the environment of the user that is running mon-scripts-perl.
There is a new method available, associate-iam-instance-profile, to associate an IAM instance profile with a running or stopped instance.
Example:
aws ec2 associate-iam-instance-profile --instance-id YourInstanceId --iam-instance-profile Name=YourNewRole-Instance-Profile
Doco
AWS doesn't allow you to modify the instance role after launching the instance.
You can either:
1) Launch a new instance with the role needed by taking the AMI of the already running instance and reassigning the EIP.
or
2) Create a headless user, generate an access key and secret key for the user with specific permissions, and use those keys.
Earlier there was no solution. You had to create an AMI and launch the server again with the appropriate role.
On Feb 9, AWS launched these new CLI options which can help you solve your problem.
See this link: https://aws.amazon.com/blogs/security/new-attach-an-aws-iam-role-to-an-existing-amazon-ec2-instance-by-using-the-aws-cli/