-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unable to create cluster using profile #57
Comments
I use There is now #56 to print profile in use, which should easy enough to implement. However, for now, if you want a non-disruptive way to determine the right profile is used, you can use |
@richardcase did you manage to create a cluster or not yet? |
@errordeveloper - thanks, i haven't had time to try but will try today and let you know. I'm sure its a case of PEBKAC. |
@richardcase see #56 (comment), and please let us know if that would be helpful. |
Yes that would be useful. I thought i'd check the AWS cli with the AWS_PROFILE environment variable set and it correctly uses the profile and i get the output from the correct role/account. But if i then use eksctl with the same environment variables set i now get errors:
I'm guessing that the AWS cli does something extra when running or some subtle differneces between the Python SDK and Go SDK. I will keep on looking, |
@errordeveloper - i managed to get a cluster created. I had to use the following first: aws sts assume-role .... And then use the output to set the AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN. After which i could create the cluster using If i use the aws cli i only need to set AWS_PROFILE (or --profile) and not the other environment variables. I guess the CLI is doing something extra (doing the assume role). Is this something eksctl could also do? |
I had to create a default profile (~/.aws/credentials) to get Having an option |
Having had a look, the aws cli uses botocore which looks at creating credentails in a number of ways. Have a look at create_credential_resolver in this. It should be fairly straight forward to add something similar to eksctl as there is the ChainProvider in the Go SDK which could then be used to chain the shared credentials, environment variables and assume role providers (looks like the first 2 are the defaults). If you want i'd be happy to have a look at this? |
That would be awesome. Quite a few people are running into this problem. |
@rade - i'll have a look at adding this tomorrow and will make a PR when its done. |
Changes to ensure that AWS profiles are supported. This involved making sure that the AWS config file is loaded (SharedConfigEnabled) and also making sure we have a TokenProvider set. Added an explicit --profile flag that can be used to explicity specify which AWS profile you would like to use. This will override any profile that you have specified via AWS_PROFILE. If endpoints are being overriden then the credentials from the initial session creation are shared with any subsequent session creation to ensure that the tokens are shared (otherwise you may get multiple MFA prompts). Issue eksctl-io#57
If using MFA this will ask for a code everytime its run and doesn't cache them between runs. |
Changed the description for the --profile flag based on review feedback to improve the grammar and readability. Issue eksctl-io#57
@richardcase, would it be possible to get more details on your initial setup (e.g. Earlier, I used
|
@marccarre - sure no problem. Let me know if you need anything in addition to what i've included below. eksctl version: {"gitTag":"0.1.0-alpha.6", "builtAt":"2018-06-08T11:31:30Z", "gitCommit":"1ed92fe1b1369d5c824cc96e5cab83887e2fc2b3"} env vars: no AWS_* environment variables set My local AWS config file:
And my credentials file:
And the step to reproduce:
This will give the following error:
If i use the aws cli in a similar way it correcly picks up the profile and asks me for my MFA code:
|
Thanks a lot @richardcase, I was able to reproduce your issue (same error message/symptoms) with both
Is there any additional configuration step you did in between, for this to just work? |
@marccarre - the error you are getting is because your user is not authorised to assume the role you specified. This will be an iam issue as this error is being returned from aws. You should get the same error if you tried to assume role using the aws cli. For example: aws sts assume-role --role-arn "arn:aws:iam::XXXXXXXXXXXX:role/xxxxxx" --role-session-name "RoleSessionTest" |
Indeed, I had misconfigured that role. Once sorted out, I was able to get things to just work: $ AWS_PROFILE=dev ./eksctl get clusters --verbose=4
Assume Role MFA token code: XXXXXX
2018-XX-XXTXX:XX:XX [▶] role ARN for the current session is "arn:aws:sts::XXXXXXXXXXXX:assumed-role/XXXXXXXXXXX/XXXXXXXXXXXXXXXXXXX"
2018-XX-XXTXX:XX:XX [▶] clusters = {
Clusters: ["foo","bar"]
}
2018-XX-XXTXX:XX:XX [▶] cluster = {
Cluster: {
Arn: "arn:aws:eks:us-west-2:XXXXXXXXXXXX:cluster/foo",
CertificateAuthority: {
Data: "XXX"
},
[...]
Status: "ACTIVE",
[...]
}
}
[...] |
Fixed by #59. And change released in 0.1.0-alpha.7. |
Hey guys, I was getting the same issue, the funny thing is, I had to just adjust computer date and time and it was back on the road. So please try this out and let me know if it helps. |
export AWS_DEFAULT_PROFILE=... |
Please crate iam role for eks may be it will help you in resolving
this issue. And after creating iam role once again do aws configure and
mention all the details.
Regards,
Chandrakala
…On Thu, Jul 9, 2020, 9:26 AM Harshwardhan Kakra ***@***.***> wrote:
Hi all,
I am trying to create Kubernetes cluster using eskctl, I am facing problem
as shown below while creating cluster
[image: Screenshot (20)]
<https://user-images.githubusercontent.com/50578841/78328898-eb868b80-759d-11ea-80eb-00c93db9a1dd.png>
could anybody help me in solving this
i'm also facing this same error
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#57 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AMB4LGOZKDCQVP5DHP3H5ADR2U5WFANCNFSM4FEE5ZNA>
.
|
Fix typo in README
Nowadays it's https://github.com/search?q=repo%3Aeksctl-io%2Feksctl+AWS_PROFILE&type=code |
I'm trying to create a cluster with using a specific profile. I've set the AWS_PROFILE environment variable (as per this) but its still creating the cluster using the default cli profile.
We use specific profiles to distinguish between our environments (dev, non-prod, prod) and we're also using MFA.
Looking at #56 it would appear that using profiles can work?
The text was updated successfully, but these errors were encountered: