[Bug]: prepare-environment fundamentals/storage/efs fails with User is not authorized #1106

Open
justRishi opened this issue Sep 17, 2024 · 5 comments
Labels
bug Something isn't working


@justRishi

Installation method

Own AWS account

What happened?

fundamentals eks-workshop Amazon EFS prepare environment fails; previous sections with "prepare environment" did not fail.
lab: https://www.eksworkshop.com/docs/fundamentals/storage/efs/
command: prepare-environment fundamentals/storage/efs
resulted in
error:

ec2-user:~/environment:$ prepare-environment fundamentals/storage/efs
Refreshing copy of workshop repository from GitHub...

Resetting the environment...
Tip: Read the rest of the lab introduction while you wait!
Waiting for application to become ready...
Cleaning up previous lab infrastructure...
Creating infrastructure for next lab...
╷
│ Error: creating EFS Mount Target (fs-07848258f41ad0ca1): operation error EFS: CreateMountTarget, https response error StatusCode: 403, RequestID: 937f7fea-d656-40e1-b2c6-266d4d4cd7c4, api error AccessDeniedException: User is not authorized to perform that action on the specified resource
│ 
│   with module.lab.module.preprovision[0].aws_efs_mount_target.efsmtpvsubnet[0],
│   on lab/preprovision/main.tf line 65, in resource "aws_efs_mount_target" "efsmtpvsubnet":
│   65: resource "aws_efs_mount_target" "efsmtpvsubnet" {
│ 
╵
╷
│ Error: creating EFS Mount Target (fs-07848258f41ad0ca1): operation error EFS: CreateMountTarget, https response error StatusCode: 403, RequestID: c2e67f38-e9ed-4f97-8c4f-9431aacbc6fe, api error AccessDeniedException: User is not authorized to perform that action on the specified resource
│ 
│   with module.lab.module.preprovision[0].aws_efs_mount_target.efsmtpvsubnet[1],
│   on lab/preprovision/main.tf line 65, in resource "aws_efs_mount_target" "efsmtpvsubnet":
│   65: resource "aws_efs_mount_target" "efsmtpvsubnet" {
│ 
╵
╷
│ Error: creating EFS Mount Target (fs-07848258f41ad0ca1): operation error EFS: CreateMountTarget, https response error StatusCode: 403, RequestID: d5a077cf-61e8-46d4-aa21-fd18894b11df, api error AccessDeniedException: User is not authorized to perform that action on the specified resource
│ 
│   with module.lab.module.preprovision[0].aws_efs_mount_target.efsmtpvsubnet[2],
│   on lab/preprovision/main.tf line 65, in resource "aws_efs_mount_target" "efsmtpvsubnet":
│   65: resource "aws_efs_mount_target" "efsmtpvsubnet" {
│ 
╵
An error occurred, please contact your workshop proctor or raise an issue at https://github.com/aws-samples/eks-workshop-v2/issues
The full log can be found here: /eks-workshop/logs/action-1726570670.log

What did you expect to happen?

efs environment for lab to be created successfully

How can we reproduce it?

  1. Go to https://www.eksworkshop.com/docs/fundamentals/storage/efs/ (after creating the environment as explained in: https://www.eksworkshop.com/docs/introduction/setup/your-account/using-eksctl).
  2. Execute this in the online lab environment VS Code: prepare-environment fundamentals/storage/efs

Anything else we need to know?

The previous EFS-lab sections like Amazon EBS prepare-environment went fine, as well as Ingress, Load Balancers etc.

EKS version

1.30

@justRishi justRishi added the bug Something isn't working label Sep 17, 2024
@casey-holgado

I am also experiencing this same issue as @justRishi described above.

@niallthomson
Contributor

Thanks for the report, we'll need to look into this. The IAM permissions look like they should allow this and our tests are succeeding so it will take some manual investigation.

@flphvlck

flphvlck commented Dec 3, 2024

same issue for me

@ingcloud-fr

ingcloud-fr commented Dec 4, 2024

Same issue for me. Tested yesterday on eu-west-1 (failed) but works today on us-west-2

@rdripps

rdripps commented Dec 7, 2024

I spent some time troubleshooting this and was able to resolve this by adding the following.

In the eks-workshop-ide-ec2 policy, add:

  ec2:CreateNetworkInterface
  ec2:DeleteNetworkInterface

Based on the AWS CLI documentation the following permissions are required.

This operation requires permissions for the following action on the file system:

  elasticfilesystem:CreateMountTarget

This operation also requires permissions for the following Amazon EC2 actions:

  ec2:DescribeSubnets
  ec2:DescribeNetworkInterfaces
  ec2:CreateNetworkInterface

Hope this helps..
I would create a PR but am not sure how AWS manages public input.
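
An added example, not part of the thread or the workshop's code: an offline check of an IAM identity-policy document against the four actions the comment above quotes for CreateMountTarget. The two sample policies are constructed for illustration and are not the real eks-workshop-ide-ec2 policy; Resource, Condition and NotAction are not evaluated.

```python
import fnmatch

# Actions the comment above quotes as required for CreateMountTarget.
REQUIRED = [
    "elasticfilesystem:CreateMountTarget",
    "ec2:DescribeSubnets",
    "ec2:DescribeNetworkInterfaces",
    "ec2:CreateNetworkInterface",
]

def _as_list(value):
    # IAM allows Statement and Action to be a single item or a list.
    return value if isinstance(value, list) else [value]

def _matches(patterns, action):
    # IAM action names are case-insensitive; "*" and "?" are wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def missing_actions(policy, required=REQUIRED):
    """Return the required actions that no Allow statement covers,
    or that a Deny statement overrides (explicit Deny always wins)."""
    allowed, denied = [], []
    for stmt in _as_list(policy.get("Statement", [])):
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") == "Allow":
            allowed.extend(actions)
        elif stmt.get("Effect") == "Deny":
            denied.extend(actions)
    return [a for a in required
            if not _matches(allowed, a) or _matches(denied, a)]

# Constructed sample: full EFS access and EC2 read access, but no
# permission to create the network interface a mount target needs.
BEFORE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["elasticfilesystem:*", "ec2:Describe*"]},
    ],
}

# Constructed sample: BEFORE plus the two actions the comment adds.
AFTER = {
    "Version": "2012-10-17",
    "Statement": BEFORE["Statement"] + [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:CreateNetworkInterface", "ec2:DeleteNetworkInterface"]},
    ],
}

if __name__ == "__main__":
    print("before:", missing_actions(BEFORE))
    print("after: ", missing_actions(AFTER))
```

A policy that passes this check can still be blocked by resource scoping, conditions, permission boundaries or service control policies, which this sketch does not model.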
