I am trying to build an EMR cluster through terraform. But I am getting following error on applying the code. IAM_EMR_for_EC2 is the instance profile role I created for EC2 in the cluster to assume.
1 error(s) occurred:
aws_emr_cluster.tf-test-cluster: 1 error(s) occurred:
aws_emr_cluster.tf-test-cluster: ValidationException: Instance profile 'arn:aws:iam:::role/IAM_EMR_for_EC2' is not
well-formed. Expected a resource of type INSTANCE_PROFILE.
status code: 400, request id: 6bd4461c-637f-11e8-8605-c930816c10b8
Could someone help me as I am not able to understand this error nor I could it find any details on google.
You're applying a role rather than an instance profile, they are actually different. The ARN needs to be in the format of arn:aws:iam::336924118301:instance-profile/ExampleInstanceProfile.
A role needs to be attached to an instance profile resource.
You should write instance_profile = "${aws_iam_instance_profile.emr_profile.arn}".
And also create emr_profile resource:
resource "aws_iam_instance_profile" "emr_profile" {
name = "emr_profile"
role = "${aws_iam_role.EMR_EC2_DefaultRole.name}"
}
Related
I am trying to create aws eks cluster with terraform. I want to use an existing iam role. I won't be creating a new role. I tried this.
module 'eks' {
...
iam_role_arn = "arn:aws:iam::11111111:role/cluster-role"
...
}
But I get 403 permission denied. How can I this? Thanks.
Edit: added error.
failed creating IAM Role (green-eks-node-group): AccessDenied: User: arn:aws:iam::*******:user/****** is not authorized to perform: iam:TagRole on resource: arn:aws:iam::*******:role/green-eks-node
First for good measure: Please do not post pictures here of either code or error messages. Just copy paste the stuff and format it.
That said: I think the error tells you exactly what is wrong (or at least what the first error is, because in my experience it takes a few iterations of this to get your IAM permissions straight).
The role that you use you execute terraform does not have the permission:
iam:TagRole
on the resource:
arn:aws:iam:xxxxxxxxxxx:role/eks-cluster
So you will need to add it to it's policy.
I've successfully created an EKS cluster and some other resources via a terraform script. However, I am unable to successfully complete the terraform destroy. I get the following error upon deletion of EKS cluster:
Error: error deleting EKS Cluster (cluster-name): AccessDeniedException:
status code: 403, request id: request-uuid
Any ideas?
The role I'm using needs to allow the eks:DeleteCluster operation in its policy.
I was installing openshift 4.4.9 on my AWS Cluster using Installer Provisioned Infrastructure (IPI), I wasn't successful to spin up my openshift cluster on AWS. Because of below error.
INFO Creating infrastructure resources...
ERROR
ERROR Error: Error creating IAM instance profile ocp4-925gm-bootstrap-
profile: EntityAlreadyExists:
Instance Profile ocp4-925gm-bootstrap-profile already exists.
ERROR status code: 409, request id: b6918967-774c-44c1-8b92-02ac7388f87c
ERROR
ERROR on ../../../tmp/openshift-install-584826335/bootstrap/main.tf line 46, in resource
"aws_iam_instance_profile" "bootstrap":
ERROR 46: resource "aws_iam_instance_profile" "bootstrap" {
ERROR Error: Error creating IAM instance profile ocp4-925gm-worker-profile: EntityAlreadyExists:
Instance Profile ocp4-925gm-worker-profile already exists.
ERROR status code: 409, request id: 3b5d2b9c-28fe-4c95-b622-7a80af45dfb6
ERROR
ERROR on ../../../tmp/openshift-install-584826335/iam/main.tf line 5, in resource
"aws_iam_instance_profile" "worker":
ERROR 5: resource "aws_iam_instance_profile" "worker" {
ERROR Error: Error creating IAM instance profile ocp4-925gm-master-profile: EntityAlreadyExists:
Instance Profile ocp4-925gm-master-profile already exists.
ERROR status code: 409, request id: 072d86e1-3508-4d59-a6ab-2ed647251056
ERROR
ERROR on ../../../tmp/openshift-install-584826335/master/main.tf line 9, in
resource
"aws_iam_instance_profile" "master":
ERROR 9: resource "aws_iam_instance_profile" "master" {
FATAL failed to fetch Cluster: failed to generate asset "Cluster": failed to
create cluster: failed
to apply using Terraform
Solution to Fix
Manually deletion is recommended in this case.
List your roles and then apply delete to the instance profiles.
$ aws iam list-roles
$ aws --region=<region-name> iam delete-instance-profile --instance-profile-name <profile_name>
Example Given Below
$ aws --region=us-east-1 iam delete-instance-profile --instance-profile-name ocp4-925gm-master-profile
$ aws --region=us-east-1 iam delete-instance-profile --instance-profile-name ocp4-925gm-worker-profile
Reference Link
Clarification: Before deleting iam profile on aws make sure that you do not have any aws ec2 instances running with the instance profile you are about to delete. Deleting a role or instance profile that's associated with a running instance will break any applications running on the instance. for documentation use this link.
aws iam delete-instance-profile --instance-profile-name <profile-name>
I've been trying to use Codestar on AWS Ruby on Rails using Elastic Beanstalk. I tried applying and assigning auto scaling full access policies to no avail. Can anybody help me navigate around these errors? Also using root account. Tried assigning this under roles but no success.
Error messages:
Creating Auto Scaling group failed Reason: API: autoscaling:CreateAutoScalingGroup The default Service-Linked Role for Auto Scaling could not be created. com.amazonaws.services.identitymanagement.model.AmazonIdentityManagementException:
User: arn:aws:sts::**********:assumed-role/CodeStarWorker-phcnetworks-net-CloudFormation/AWSCloudFormation is not authorized to perform: iam:CreateServiceLinkedRole on resource: arn:aws:iam::**************:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling
(Service: AmazonIdentityManagement; Status Code: 403; Error Code: AccessDenied; Request ID: *******-******-*******)
Stack named 'awseb-e-*********-stack' aborted operation. Current state: 'CREATE_FAILED' Reason: The following resource(s) failed to create: [AWSEBAutoScalingGroup].
The reported error says that the role "CodeStarWorker-phcnetworks-net-CloudFormation" is not authorized to perform operation iam:CreateServiceLinkedRole on the set of resources defined in IAM policy.So action "CreateServiceLinkedRole" needs to be added to the role for your autoscaling policies to succeed.
AmazonIdentityManagementClient identityManagementClient = new AmazonIdentityManagementClient();
System.out.println("This is the role");
GetRoleResult roleResult = identityManagementClient.getRole(new GetRoleRequest().withRoleName("myRole"));
System.out.println(roleResult.getRole().toString());
System.out.println("This is the Policy");
GetRolePolicyResult rolePolicyResult = identityManagementClient.getRolePolicy(new GetRolePolicyRequest()
.withRoleName("myRole").withPolicyName("AmazonS3FullAccess"));
System.out.println(rolePolicyResult.getPolicyDocument());
System.out.println(rolePolicyResult.getPolicyName());
I have attached IAM role to my instance - myRole. I have attached it AmazonS3FullAccess policy to myRole. The above code I am using to fetch the policies associated with myRole using SDK but I am facing NoSuchEntity Exception when I try to fetch Policy. I am able to get Role name and my output is myRole but I am facing error when I try to fetch Policy details.
I don't know why.
What I am doing wrong here?
I only managed to get the policy document in an alternative way (AWS Java SDK v.1x) - by using getPolicyVersion method of the AmazonIdentityManagementClient.
The GetPolicyVersionRequest for this is for the policyArn (which you can get from the policy details of the listAttachedRolePolicies result for your role name) and the versionId is from calling the getDefaultVersionId() on the policy returned by the AmazonIdentityManagementClient 's getPolicy for your policyArn.