Can't delete a private hosted zone in AWS Route53 - amazon-web-services

I am unable to delete a Private Hosted Zone from the console and the CLI.
Please check the screenshot below.
It's throwing the following error:
The resource hostedzone/Z346QOK8DECBDU can only be managed through servicediscovery.amazonaws.com (arn:aws:servicediscovery:us-east-1:757712384777:namespace/ns-oekfhwgvesmkdb4i)
The private zone has the following records:
I have tried deleting using AWS CLI commands as well:
aws servicediscovery list-services
aws servicediscovery delete-service --id=ID-FROM-LIST
aws servicediscovery delete-namespace --id=NS-LIST
This did not work. I got the following error:
An error occurred (NamespaceNotFound) when calling the DeleteNamespace operation: NS-LIST
An error occurred (ServiceNotFound) when calling the DeleteService operation: ID-FROM-LIST
Please let me know if there is any other way.

Try to delete the AWS ECS service which is using this hosted zone from the AWS console, and then, if you have any service discovery resources (like a namespace), delete those using the commands below:
Use the command below to list services in a specific region:
aws servicediscovery list-services --region <region_name>
If no services are associated, then try to find the namespaces:
aws servicediscovery list-namespaces --region <region_name>
Then you can delete the namespace as below:
aws servicediscovery delete-namespace --id <service_discovery_namespace_id> --region <region_name>
From the output, it seems you don't have any services listed, but still try with the --region option.
Your namespace_id seems to be incorrectly passed. Its ARN is already shown in the first error message.
To delete the private hosted zone:
To delete a private hosted zone that Amazon ECS created when you created a service using service discovery, delete the Amazon ECS services that are using the namespace, and delete the namespace.
Ref:
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zone-private-deleting.html
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/delete-service.html

It is very simple if you have access to the console.
Search for "AWS Cloud Map" in the AWS console -> you can see the namespace -> go inside the namespace -> delete services -> go back and delete the namespace -> check in your Route53 console, the hosted zone won't be there.
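The cleanup both answers describe, as an added example that is not part of the original answers: it takes the namespace ARN quoted in the Route 53 error, derives the region and namespace ID from it (the values the question passed incorrectly), deletes the namespace's services and then the namespace. ECS services that still register into the namespace must be removed first, as the answers say.

```shell
#!/bin/sh
# Added example (not from the original answers). Removes the Cloud Map resources that own a
# Route 53 private hosted zone, in the order AWS requires: services first, then namespace.

ns_id_from_arn() {
  # arn:aws:servicediscovery:REGION:ACCOUNT:namespace/ns-xxxx  ->  ns-xxxx
  # Prints nothing for any other kind of ARN, so callers can refuse to continue.
  printf '%s\n' "$1" \
    | sed -n 's#^arn:aws:servicediscovery:[^:]*:[^:]*:namespace/\(ns-[A-Za-z0-9]*\)$#\1#p'
}

region_from_arn() { printf '%s\n' "$1" | cut -d: -f4; }

delete_namespace_by_arn() {
  arn=$1
  ns=$(ns_id_from_arn "$arn")
  region=$(region_from_arn "$arn")
  if [ -z "$ns" ]; then
    echo "not a servicediscovery namespace ARN: $arn" >&2
    return 1
  fi
  # Only services in this namespace; the NAMESPACE_ID filter is part of list-services.
  for svc in $(aws servicediscovery list-services --region "$region" \
                 --filters Name=NAMESPACE_ID,Values="$ns",Condition=EQ \
                 --query 'Services[].Id' --output text); do
    # Fails with ResourceInUse while ECS tasks are still registered in the service.
    aws servicediscovery delete-service --region "$region" --id "$svc"
  done
  # Asynchronous: the returned OperationId can be polled with get-operation.
  aws servicediscovery delete-namespace --region "$region" --id "$ns"
}
```

Once the namespace deletion completes, the private hosted zone is removed by Cloud Map itself, so no Route 53 delete call is needed.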

Denied AWS Opensearch write permission

I'm trying to connect a Spring Boot application from AWS EKS to AWS OpenSearch, both of which reside in a VPC. Though the connection is successful, I'm unable to write any data to the index.
All the AWS resources (EKS and OpenSearch) are configured using Terraform. I have mentioned the Elasticsearch subnet CIDR in the egress which is attached to the application. Also, the application correctly assumes the EKS service account and the pod role, which I mentioned in the services stanza for Elasticsearch. In the policy which is attached to the pod role, I see all the permissions mentioned: ESHttpPost, ESHttpGet, ESHttpPut, etc.
This is the error I get:
{"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for [indices:data/write/index] and User [name=arn:aws:iam::ACCOUNT_NO:role/helloworld-demo-eks-PodRle-hellodemo-role-1, backend_roles=[arn:aws:iam::ACCOUNT_NO:role/helloworld-demo-eks-PodRle-hellodemo-role-1], requested Tenant=null]"}],"type":"security_exception","reason":"no permissions for [indices:data/write/index] and User [name=arn:aws:iam::ACCOUNT_NO:role/helloworld-demo-eks-PodRle-hellodemo-role-1, backend_roles=[arn:aws:iam::ACCOUNT_NO:role/helloworld-demo-eks-PodRle-hellodemo-role-1], requested Tenant=null]"},"status":403}
Is there anything that I'm missing out on while configuring?
This error can be resolved by assigning the pod role to the additional_roles key in the Elasticsearch Terraform. This is internally taken care of by AWS STS when it receives a request from EKS.
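An added example, not from the question or answer: the 403 body above reports the pod's IAM role as a backend role that no OpenSearch role is mapped to. This block pulls that ARN out of the error and maps it to a role through the domain's fine-grained access control API; the answer's Terraform additional_roles key is presumably the declarative way to get the same mapping. The role name pod_writer, the index pattern, the domain endpoint and the master-user credentials are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Maps the IAM role named in the OpenSearch 403
# to a write-only OpenSearch role via the security plugin API. Role name, index pattern and
# credentials below are assumptions.

# Constructed copy of the error from the question (ACCOUNT_NO left as the placeholder).
SAMPLE_403='{"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for [indices:data/write/index] and User [name=arn:aws:iam::ACCOUNT_NO:role/helloworld-demo-eks-PodRle-hellodemo-role-1, backend_roles=[arn:aws:iam::ACCOUNT_NO:role/helloworld-demo-eks-PodRle-hellodemo-role-1], requested Tenant=null]"}]},"status":403}'

# The backend role OpenSearch saw on the request; this is what needs a role mapping.
backend_role_from_403() {
  printf '%s\n' "$1" | sed -n 's/.*backend_roles=\[\([^]]*\)].*/\1/p'
}

# Role limited to writing the application's indices rather than all_access.
writer_role_body() {
  printf '{"index_permissions":[{"index_patterns":["%s"],"allowed_actions":["write","create_index"]}]}' "$1"
}

# Mapping body: IAM role ARNs are matched as backend roles.
rolesmapping_body() {
  printf '{"backend_roles":["%s"]}' "$1"
}

# map_pod_role <domain-endpoint> <master-user:password> <iam-role-arn>
map_pod_role() {
  endpoint=$1; auth=$2; arn=$3
  curl -sS -u "$auth" -H 'Content-Type: application/json' \
    -X PUT "https://$endpoint/_plugins/_security/api/roles/pod_writer" \
    -d "$(writer_role_body 'helloworld-*')"
  curl -sS -u "$auth" -H 'Content-Type: application/json' \
    -X PUT "https://$endpoint/_plugins/_security/api/rolesmapping/pod_writer" \
    -d "$(rolesmapping_body "$arn")"
}
```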

Recreate AWS default subnets

I accidentally deleted all the default subnets in AWS, and I want to recreate the default subnets. I ran the CLI command "aws ec2 create-default-subnet --availability-zone us-west-2a",
but always get the error message
"An error occurred (DefaultSubnetAlreadyExistsInAvailabilityZone) when calling the CreateDefaultSubnet operation: 'subnet-015c449cab525d947' is already the default subnet in us-west-2d."
How do I solve this problem?
Only one default subnet can exist in each availability zone. It seems you already have yours in us-west-2a. Log in to your AWS account, search for VPC > Subnets and delete what you have there, then you can re-create it with this command:
aws ec2 create-default-subnet --availability-zone us-west-2a
Check the AWS documentation for more info:
https://aws.amazon.com/premiumsupport/knowledge-center/recreate-default-vpc/
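An added example, not from the original answer: rather than guessing which zone still holds a default subnet, it lists every zone in the region, skips those that already have one (the condition behind DefaultSubnetAlreadyExistsInAvailabilityZone) and recreates the rest. It assumes the default VPC itself still exists; the region is an argument.

```shell
#!/bin/sh
# Added example (not from the original answer). Recreates missing default subnets zone by
# zone and pulls the conflicting zone out of the CreateDefaultSubnet error text.

# Zone named in the error from the question. Note it is not necessarily the zone you asked
# for, so inspect that zone in VPC > Subnets before deleting anything.
az_from_error() {
  printf '%s\n' "$1" | sed -n 's/.*is already the default subnet in \([a-z0-9-]*\).*/\1/p'
}

# default-for-az is the attribute CreateDefaultSubnet checks before refusing a second one.
default_subnet_in_az() {
  aws ec2 describe-subnets --region "$1" \
    --filters Name=default-for-az,Values=true Name=availability-zone,Values="$2" \
    --query 'Subnets[].SubnetId' --output text
}

recreate_default_subnets() {
  region=$1
  for az in $(aws ec2 describe-availability-zones --region "$region" \
                --query 'AvailabilityZones[].ZoneName' --output text); do
    existing=$(default_subnet_in_az "$region" "$az")
    if [ -n "$existing" ]; then
      echo "$az: default subnet $existing already exists, skipping"
    else
      aws ec2 create-default-subnet --region "$region" --availability-zone "$az"
    fi
  done
}
```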

"aws dynamodb list-tables" is not working on ec2 instance

I've created a Node.js application which connects to DynamoDB. Everything is working fine locally. Now I'm trying to set it up on AWS servers.
First I've created DynamoDB tables from AWS DynamoDB console. It is working fine.
I've created a new role from IAM management console > Roles to access DynamoDB, and attached that role to the EC2 instance.
But when I fire any aws dynamodb CLI command, it gives me an error asking me to mention the region.
So I went to IAM management console > Users and created an access key for my admin-type user.
Now I log in to the EC2 CLI as ec2-user and run aws configure with the previously generated access key:
AWS Access Key ID [None]: ACCESS KEY
AWS Secret Access Key [None]: SECRET
Default region name [None]: us-east-1
Default output format [None]: json
But when I use the following command, aws dynamodb list-tables, it gives no output and no error.
As I commented, the main issue was the outbound rules for the attached security group. Here are the necessary things to do:
Set a security group outbound rule to HTTPS.
Setup Credentials
Create Access Key from IAM management console > Users.
SSH to EC2 instance.
Configure the credentials on the EC2 instance using the aws configure command, or directly modify the ~/.aws/credentials file.
Attach Role
Create a Role from IAM management console > Roles. Select the role which is necessary to perform the operation on the AWS service, e.g. AmazonDynamoDBFullAccess.
Open the VPC console and select the EC2 instance.
Attach the role from the Actions menu.
It is good, though optional, to create a VPC endpoint. If you face an UnauthorizedOperation error while creating the endpoint, assign the AmazonEC2FullAccess permission to the user from the IAM console. Remove it later if you don't need it.
To use the AWS service from your application, find the relevant endpoint from this list.
It sounds like you are having problems connecting to DynamoDB because of the way you have configured your VPC.
There are some options but if you would prefer to keep your VPC isolated from the internet then you could enable VPC endpoints for DynamoDB. That way you can access DynamoDB from within your VPC without those connections going over the public internet.
There is a step-by-step guide for how to do that here: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/vpc-endpoints-dynamodb.html
Essentially, it involves the following steps:
You have to get the VPC ID for the VPC where your EC2 instance is located.
Create a VPC endpoint for DynamoDB, specifying the VPC ID and the regional DynamoDB service name:
aws ec2 create-vpc-endpoint --service-name com.amazonaws.<region>.dynamodb --vpc-id <yourvpcid>
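Both fixes discussed in the two answers, as an added example that is not part of the original answers: a reachability check that distinguishes a silent hang from a real response, an outbound rule limited to HTTPS instead of all traffic, and a gateway endpoint whose policy is scoped to one table. Instance, security group, route table, account and table IDs are placeholders passed as arguments; the region defaults to us-east-1 as in the question.

```shell
#!/bin/sh
# Added example (not from the original answers). Diagnoses and fixes "aws dynamodb
# list-tables" producing no output from an EC2 instance with no path to DynamoDB.
REGION=${REGION:-us-east-1}

# A curl timeout (exit 28) instead of an HTTP status is the "no output, no error" symptom:
# nothing is reaching the regional endpoint, usually because egress is blocked.
dynamodb_reachable() {
  curl -sS -m 5 -o /dev/null -w '%{http_code}\n' "https://dynamodb.$REGION.amazonaws.com/"
}

# VPC of the instance (step 1 of the second answer).
vpc_id_of_instance() {
  aws ec2 describe-instances --region "$REGION" --instance-ids "$1" \
    --query 'Reservations[0].Instances[0].VpcId' --output text
}

# Outbound rule limited to TCP/443 rather than opening the group to all traffic.
allow_https_egress() {
  aws ec2 authorize-security-group-egress --region "$REGION" --group-id "$1" \
    --ip-permissions 'IpProtocol=tcp,FromPort=443,ToPort=443,IpRanges=[{CidrIp=0.0.0.0/0}]'
}

# Endpoint policy: ListTables needs Resource "*", item operations are scoped to one table,
# so traffic through the endpoint cannot reach other tables in the account.
dynamodb_endpoint_policy() {
  account=$1; table=$2
  printf '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":"*","Action":"dynamodb:ListTables","Resource":"*"},{"Effect":"Allow","Principal":"*","Action":["dynamodb:GetItem","dynamodb:PutItem","dynamodb:Query"],"Resource":"arn:aws:dynamodb:%s:%s:table/%s"}]}' \
    "$REGION" "$account" "$table"
}

# create_dynamodb_endpoint <vpc-id> <route-table-id> <account-id> <table-name>
create_dynamodb_endpoint() {
  aws ec2 create-vpc-endpoint --region "$REGION" --vpc-endpoint-type Gateway \
    --service-name "com.amazonaws.$REGION.dynamodb" --vpc-id "$1" --route-table-ids "$2" \
    --policy-document "$(dynamodb_endpoint_policy "$3" "$4")"
}
```

Run dynamodb_reachable on the instance before and after changing the security group; the gateway endpoint adds a route for the DynamoDB prefix list to the given route table, so the subnet's route table must be the one passed in.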

How do I delete an AWS resource by ARN?

I have a service-linked role in AWS that I need to delete. When I try to delete it in IAM it fails and has a popup with the ARNs of two resources that use this role. This brain-dead blog post shows me the steps to recreate the problem I'm having and tells me that I need to delete the resources that use the role I'm trying to delete. Duh.
I've tried searching the given ARNs in the IAM search window, but it doesn't find them.
Now that I have the ARNs, how can I delete them so I can delete this role?
There is no API that provides deletion of any resource by any ARN. You need to use the specific services to delete resources.
If you have ARNs, then according to the documentation the service will be the 3rd part (split by the ":" character):
arn:partition:SERVICE:region:account-id... // SERVICE where your resource is present
For example - if you have that ARN:
arn:aws:ec2:us-east-1:1234567890:instance/i-12345678901234567
That indicates it's an EC2 instance. You can delete it via the AWS Console (UI) or, for example, using the AWS CLI:
aws --region us-east-1 ec2 terminate-instances --instance-ids i-12345678901234567
EDIT
According to the link you provided (brain-dead blog post) there are ARNs of Redshift clusters, so you can try to delete them via the AWS CLI using this command:
aws --region <REGION> redshift delete-cluster --cluster-identifier <CLUSTER ID>
where REGION and CLUSTER ID can be obtained from the ARNs.
If you want to delete them from the UI (AWS Console), don't forget to change to the proper region.
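The ARN-splitting rule from the answer applied as an added example (not the answer's own code): the service is the 3rd ":"-separated field and the region the 4th, and only the two services the answer mentions (EC2 instances and Redshift clusters) are mapped. The function prints the delete command instead of running it, so the target can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the original answer). Turns an ARN into the service-specific
# delete command; unknown services are refused rather than guessed.

arn_field() { printf '%s\n' "$1" | cut -d: -f"$2"; }

delete_cmd_for_arn() {
  arn=$1
  service=$(arn_field "$arn" 3)
  region=$(arn_field "$arn" 4)
  # Everything from the 6th field on is the resource part; it may itself contain ':'
  # (Redshift uses cluster:NAME) or '/' (EC2 uses instance/ID).
  resource=$(printf '%s\n' "$arn" | cut -d: -f6-)
  case "$service:$resource" in
    ec2:instance/*)
      echo "aws --region $region ec2 terminate-instances --instance-ids ${resource#instance/}" ;;
    redshift:cluster:*)
      # delete-cluster requires either a final snapshot name or this flag.
      echo "aws --region $region redshift delete-cluster --cluster-identifier ${resource#cluster:} --skip-final-cluster-snapshot" ;;
    *)
      echo "no delete mapping for service '$service' resource '$resource'" >&2
      return 1 ;;
  esac
}
```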

Boxfuse AWS default region Error

So I have a Spring Boot application that I'd like to deploy to AWS using Boxfuse.
Deployment onto the AWS services yields the following error:
ERROR: Your AWS account does not have a default VPC in the eu-central-1 region
=> change the AWS region in the Boxfuse console
Going to the Boxfuse console:
Your AWS account has no default VPC in eu-central-1. Please ask AWS support to recreate it or select a different region
Where exactly can I fix this in AWS? How can I change the region for Boxfuse, or fix this by maybe creating a new VPC?
Well, apparently the only way to do this is through AWS Customer Support. Just wanted to mention it in case someone has the same issue.