I'm setting up a Kubernetes cluster on AWS and as part of the configuration for say the API Server, I provide the --cloud-provider=aws setting.
Once it starts up, however, I see in the logs that it complains about not having AWS credentials:
NoCredentialProviders: no valid providers in chain
After some searching, it seems that this issue was resolved for most people by using the "kube-up" script. However, for those who are not using the script to set up their cluster, how do we provide Kubernetes with AWS credentials?
It sounds like you don't have the appropriate IAM instance profile set on your master VM. The kube-up script for AWS creates a role and associated policy that is attached to the master VM when it is created. Having the IAM policy attached should give you the credentials necessary to make API calls into AWS.
Related
I'm trying to test AWS CodeDeploy on an On-Premises instances. I was successfully able to register, install and configure CodeDeploy on my instance. When I tried adding it to the Deployment group under on-premises instances it never showed up.
I have tagged the instance.
There's this note that I found on Use the register-on-premises-instance Command (IAM Session ARN) to Register an On-Premises Instance - AWS CodeDeploy which might seem relevant to my problem. But I'm not able to figure it out yet.
If you reuse an AWS CodeDeploy service role as part of creating a deployment group that targets on-premises instances, you must include Tag:get* to the Action portion of the service role's policy statement.
Edit
I tried creating a service role with action Tag:get* but with no luck, since it kept on complaining that
AssumeRole policy may only specify STS AssumeRole actions.
Edit-2
So, the link above was asking to attach a policy under the IAM menu to the service role with tag:Get*. I tried doing that, still no luck.
Apparently, the On-Premises instance never shows up in the GUI for the Codedeploy. But if you try to deploy the application on a separate test group (or the same) with the On-premises instance tags same as the one you have for your instance. It will be deployed successfully.
The only thing that needs to be taken care of is adding a new service policy given in the note below:
If you reuse an AWS CodeDeploy service role as part of creating a deployment group that targets on-premises instances, you must include Tag:get* to the Action portion of the service role's policy statement.
I am trying to setup spinnaker locally to manage AWS EC2 instances. The current documentaion depicts the steps which need to have spinnaker instance to be running on EC2. They are creating one role and attaching it to spinnaker instance. As I am running spinnaker in my local environment, I am finding a way which will allow my local spinnaker instance to access the AWS resources. Will it be possible to have one such policy/role ? May be using AWS-STS ( Security Toke Service ), but i dont know how to use that creds with spinnaker instance
You can do this directly by creating an IAM user with required policies to access AWS Resources and use the Programmatic access Credentials in your local machine to use AWS CLI, API or SDKs.
For an existing IAM User, the step are as follows.
IAM User -> Security Credentials -> Create Access Keys
Note: If you cannot trust your local environment, then you can use AWS STS service (For this you need to implement a separate service, where you can pass user credentials and request for a temporal token from AWS STS)
You can create the IAM role for your local machine to assume, like
this example, or stricter,
spinnaker will handle the STS assume role given its configured properly
as for the temporary credential, if what you mean is MFA compatibility, I am myself still figuring out the way to do it. I think one workaround is to create a wrapper script that call sts:assumeRole, ask the user to provide the MFA token, then set AWS_ACCESS_KEY, AWS_SECRET_KEY, and AWS_SESSION_TOKEN which will be honored by clouddriver, but then deployment to multiple AWS accounts will be a problem
I have a scaling group of several EC2 instances.
I have API keys which I would like to distribute to the instances using round-robin.
How can I code the instances to get the credentials once they go live?
Is there an AWS service for that?
It is not AWS credentials which could be solved by defining IAM Roles.
Thanks
Use "user data" option when you start your EC2 instance, You can run the bash script.
I recommend the following step.
1-put your cred or other shared information to S3 or dynamoDB.
2-write script to read and setting this data when your EC2 was starting.
The closest thing AWS has to this is called IAM Roles. A role includes a set of IAM permissions (like an IAM user). When you start a VM, you can set the role of the VM. The VM can then call the AWS API and get temporary credentials that give it access to the services that are defined in the IAM role.
See here for more details:http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
This does not exactly meet your requirement for round-robin credentials distribution. But it might be a better option. IAM roles are as secure a method of distributing credentials to EC2 instances as you can get.
AWS now provides two services that could be used for that purpose:
The Secrets Manager would seem to be the most fitting, but does cost money from the start.
The Parameter Store is also an option and is free for up to 10k parameters.
I'm logging into a role through SSO and I'm trying to create a new Elastic Beanstalk environment (newest tomcat if it matters) and I am getting the following error which is preventing me from even getting the environment started building:
(Namespace: 'aws:elasticbeanstalk:environment', OptionName: 'ServiceRole'): Invalid service role
This is happening even when I am trying to clone an existing environment. I've tried to auto generate a service role and to manually create one. Both are giving the error. This error does not happen when I am logging into a user with the same permissions.
When you clone an environment using the Elastic Beanstalk console, you have the option to choose a new platform and a service role. Service role is a new concept in beanstalk documented here. Service is not required if you are using basic health monitoring but it is required if you choose to use enhanced health monitoring.
When creating an environment you can choose to pass an IamInstanceProfile (typically named aws-elasticbeanstalk-ec2-role) and a service role (typically named aws-elasticbeanstalk-service-role). These two roles are required when using Enhanced Application Health Monitoring.
Please note that these two roles require a completely a different set of permissions and you should use different roles for each of them. You can find the list of permissions required for Service Role and Instance profile documented here.
When creating/cloning/modifying environments using AWS console you will be shown an option to choose a service role. If you have never used a Service role before, you will be presented with an option to "Create a new role". The console allows you to create the Service role required by beanstalk using a single button click. You can view the permissions before creating the role.
After the first create, the console will present you with a dropdown with the role you created previously (typically named aws-elasticbeanstalk-service-role) and you can reuse this service role.
From the documentation: "A service role is the IAM role that Elastic Beanstalk assumes when calling other services on your behalf. Elastic Beanstalk uses the service role that you specify when creating an Elastic Beanstalk environment when it calls Amazon Elastic Compute Cloud (Amazon EC2), Elastic Load Balancing, and Auto Scaling APIs to gather information about the health of its AWS resources."
When creating/using a role you need to make sure the IAM user has pass role permission for the role you created. In case you are not using the root account make sure you have the correct policies for the IAM user.
Note the iam:PassRole permission allows your IAM user to pass the role to beanstalk service.
Update
There was an issue with Single Sign On that has now been resolved. Please update here or in the AWS forum thread below if you are still seeing issues.
AWS forum thread: https://forums.aws.amazon.com/thread.jspa?threadID=171369
I got the same error yesterday and a different one today using the same stack "Unable to assign role. Please verify that you have permission to pass this role: XXXXXX."
And I solved assigning this policy "AWSElasticBeanstalkFullAccess" to my user
Here you could read more:
http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/concepts-roles.html#concepts-roles-user
There seems to be a thread on aws support forum here: https://forums.aws.amazon.com/thread.jspa?messageID=670359
I am having the same issue when trying to access a beanstalk environment via crossaccount iam policy.
I think that logging into console with an IAM account that belongs to that particular AWS account with resolve the issue. Im certain AWS folks are working on it
I have everything setup and working with rolling deploys and being able to do git aws.push but how do I add a authorized key to EB server so my CI server can deploy as well?
Since you are using Shippable, I found this guide on Continuous Delivery using Shippable and Amazon Elastic Beanstalk that shows how to set it up on their end. Specifically, step 3 is what you are looking for.
It doesn't look like you need an authorized key, instead, you just need to give an AWS ID and AWS Secret Key that will allow Shippable to make API calls on your behalf. To do this, I recommend creating an IAM role that is specifically for Shippable. That way you can revoke it if you ever need to and only give it the permissions that it needs.