Message: user order resource type [classic] not exists in [random] when trying to RunInstances on command line - alibaba-cloud

When trying to create an ECS instance via cli tools I get the error in subject and I can't find what it means. For example:
$ ./aliyun ecs RunInstances --Amount 1 --ImageId m-0xidtg6bbw1s8voux52d --InstanceType ecs.n1.medium --InstanceName Composer-Test-VM-1 --SecurityGroupId sg-0xi4w9isg0p1ytj1qbhf
ERROR: SDK.ServerError
ErrorCode: InvalidResourceType.NotSupported
Recommend:
RequestId: 1B3E65BD-D181-4552-9A58-599FC51924A7
Message: user order resource type [classic] not exists in [random]
I have credentials configured in ~/.aliyun/config.json.
The default region in config is us-east-1, the ImageId and SecurityGroupId are both in the same region.
I tried a few other instance types and either I get the same error message or [classic] is replaced by the prefix of the instance type. This leads me to think I can't create virtual machines from some of these instance types in my region but I have no idea why.
Does anyone know what is causing this specific error or where to find more documentation about it?

I have found the culprit here. Although not stated (e.g. in --help) the --VSwitchId option is mandatory when specifying a --SecurityGroupId. The VSwitch needs to be in the same availability zone as your security group.

On this link, check out the following documentation under "Description":
For network configuration:
To create an instance in a VPC, you must specify a VPC and a VSwitch. One instance can belong only to one VSwitch.
When you specify VSwitchId, ensure that the security group and VSwitch specified by SecurityGroupId and VSwitchId belong to the same VPC.
If you specify both VSwitchId and PrivateIpAddress, ensure that the private IP address specified by PrivateIpAddress is within the CIDR block of the VSwitch.
PrivateIpAddress is dependent on VSwitchId. You cannot only specify the PrivateIpAddress parameter.
Also Note: The Alibaba Cloud product APIs are divided into RPC API and RESTful API. Most products use RPC style. When you use Alibaba Cloud CLI to call the interface, APIs of different styles have different calling methods.
Check out the following link: https://www.alibabacloud.com/help/doc-detail/110344.htm
Hope this helps!
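The network rules quoted above can be checked before calling RunInstances. The following is an added example, not code from the original answers or from Alibaba Cloud. It assumes lookup tables shaped like DescribeSecurityGroups / DescribeVSwitches results (fields `VpcId` and `CidrBlock`), and every ID in it is constructed.

```python
import ipaddress

# Constructed lookup tables standing in for DescribeSecurityGroups /
# DescribeVSwitches results; all IDs and CIDR blocks are made up.
SECURITY_GROUPS = {"sg-example-a": {"VpcId": "vpc-example-1"}}
VSWITCHES = {
    "vsw-example-a": {"VpcId": "vpc-example-1", "CidrBlock": "192.168.10.0/24"},
    "vsw-example-b": {"VpcId": "vpc-example-2", "CidrBlock": "10.0.0.0/24"},
}

def check_network_params(params, security_groups=SECURITY_GROUPS, vswitches=VSWITCHES):
    """Return the network-configuration problems in a RunInstances parameter set."""
    problems = []
    sg = security_groups.get(params.get("SecurityGroupId"))
    vsw_id = params.get("VSwitchId")
    private_ip = params.get("PrivateIpAddress")

    if sg is None:
        problems.append("security group not found")
    if private_ip and not vsw_id:
        problems.append("PrivateIpAddress given without VSwitchId")
    if not vsw_id:
        # The case from the question: a VPC security group and no VSwitch.
        if sg and sg.get("VpcId"):
            problems.append("VPC security group given without VSwitchId")
        return problems

    vsw = vswitches.get(vsw_id)
    if vsw is None:
        problems.append("VSwitch not found")
        return problems
    if sg and sg.get("VpcId") != vsw["VpcId"]:
        problems.append("security group and VSwitch belong to different VPCs")
    if private_ip:
        try:
            inside = ipaddress.ip_address(private_ip) in ipaddress.ip_network(vsw["CidrBlock"])
        except ValueError:
            inside = False  # malformed address or CIDR block
        if not inside:
            problems.append("PrivateIpAddress is outside the VSwitch CIDR block")
    return problems
```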

Related

Difference ec2:ResourceTag/${Tag Key} vs aws:ResourceTag/${TagKey}

In the AWS policy conditions section, what is the difference between ec2:ResourceTag/${Tag Key} and aws:ResourceTag/${TagKey}?
I am trying to understand if there is a difference between adding to the conditions aws:ResourceTag/${TagKey} and ec2:ResourceTag/${Tag Key}?
aws:ResourceTag is an AWS Global Condition Context Key, whereas ec2:ResourceTag is an AWS Service-specific Key.
In the general case, Global identifiers should work in all services, but this is (was not in the past?) guaranteed, and you would need to verify if this was supported for the relevant service.
In this specific case, for EC2, they behave the same way, as you can see in the relevant documentation:
https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html#amazonec2-aws_ResourceTag___TagKey_
https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html#amazonec2-ec2_ResourceTag___TagKey_
See also https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html

grafana ec2-instance filter by tags

I am trying to set up a var template in grafana that would allow me to only show ec2 instances with specific ec2 tags. I did find
ec2_instance_attribute(us-east-1, InstanceId, {"tag:app": ["$application"]})
on a grafana community site and I changed it to
ec2_instance_attribute(us-west-2, InstanceId, {"tag:ENV": ["Prod"]})
The tags based off of my ec2 instance tags is and I keep getting a metric error. I tried removing the brackets and tweaking and still can't figure it out. Does anyone know how to create this using this method or another one I haven't thought of?
Your expression should be working. But I had this error also, due to a missing AWS Policy permission. This might be the case for you as well. AWS has a default Policy to read CloudWatch data: "CloudWatchReadOnlyAccess", but creating my own policy as a copy of "CloudWatchReadOnlyAccess" and adding "ec2:DescribeTags" and "ec2:DescribeInstances" made this work for me.
The above answer might be only applicable when you control your access via Roles with Policies.

How to invoke step function from a lambda which is inside a vpc?

I am trying to invoke a step function from a lambda which is inside a VPC.
I get exception that HTTP request timed out.
Is it possible to access step function from a lambda in a vpc?
Thanks,
If your lambda function is running inside a VPC, you need to add a VPC endpoint for step functions.
In the VPC console : Endpoints : Create Endpoint, the service name for step functions is com.amazonaws.us-east-1.states (the region name may vary).
Took me a while to find this in the documentation.
It is possible but depends on how you are trying to access step functions. If you are using the AWS SDK then it should take care of any http security issues, otherwise if you are executing raw HTTP commands you will need to mess around with AWS headers.
The other thing you will need to look at is the role that lambda is executing. Without seeing how you have things configured I can only suggest to you things I encountered; you may need to adjust your policies so the role can have the action: sts:AssumeRole, another possibility is adding the action: iam:PassRole to the same execution role.
The easiest solution is to grant your execution role administrator privileges, test it out then work backwards to lock down your role access. Remember to treat your lambda function like another API user account and set privileges appropriately.
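The "work backwards to lock down your role" step above, and the permission additions in the Grafana answer earlier, both end in a policy that grants only the needed actions. The following is an added example, not code from the original answers: a small audit that reports which needed actions a policy document fails to allow and which wildcard grants remain. The policies, the account ID, the state machine name and the choice of `states:StartExecution` as the needed action are constructed assumptions, and the matching is simplified (it ignores Deny, NotAction, Resource and Condition).

```python
from fnmatch import fnmatchcase

def _as_list(value):
    """IAM allows a single value or a list for Statement and Action."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def allow_statements(policy):
    return [s for s in _as_list(policy.get("Statement")) if s.get("Effect") == "Allow"]

def allows(policy, action):
    """True if some Allow statement's Action pattern matches `action`."""
    action = action.lower()  # action names are matched case-insensitively
    return any(fnmatchcase(action, pattern.lower())
               for s in allow_statements(policy)
               for pattern in _as_list(s.get("Action")))

def wildcard_grants(policy):
    """Action patterns containing '*' in Allow statements: what is left to lock down."""
    return sorted({pattern for s in allow_statements(policy)
                   for pattern in _as_list(s.get("Action")) if "*" in pattern})

def audit(policy, needed):
    return {"missing": [a for a in needed if not allows(policy, a)],
            "wildcards": wildcard_grants(policy)}

# Constructed sample policies (placeholder account ID and names).
ADMIN_LIKE = {"Version": "2012-10-17",
              "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

LAMBDA_SCOPED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": "states:StartExecution",
    "Resource": "arn:aws:states:us-east-1:111122223333:stateMachine:ExampleStateMachine"}]}

GRAFANA_EXTRA = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["ec2:DescribeTags", "ec2:DescribeInstances"],
    "Resource": "*"}]}

if __name__ == "__main__":
    for name, policy in [("admin-like", ADMIN_LIKE), ("lambda-scoped", LAMBDA_SCOPED)]:
        print(name, audit(policy, ["states:StartExecution"]))
```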

Getting Around Terraform's Limitations

I'm trying to set up terraform to handle creation of fine-grained user permissions, and have been able to create:
Cognito User Pools, Identity Pools
IAM Roles, Permissions
What I'm struggling with is how to link them together. I have two types of user:
Standard User
Manager
As such, I have found two ways that I could use to correctly hook up the correct IAM policy upon login:
Method 1 - Create a custom attribute, and Use the "Choose Role With Rules" to set a rule to set an IAM policy based on the attribute
Method 2 - Create Cognito Groups, and link users and the required IAM policy to each group.
The problem, as far as I can see, is that Terraform doesn't currently support either of those cases, so I need to find a work around. So, my question is essentially, how do I get around terraform's lack of support in some areas?
I've seen some projects that use [Ruby, Go, etc.] to make up for some of the limitations, but I don't quite understand where to start and what is the best option for my needs. I haven't been able to find much in Google yet (possibly https://github.com/infrablocks/ruby_terraform). Does anyone have a good guide or resource I could use to get started?
If terraform does not support something you can use the local-exec provisioner to execute commands after resource creation. For example you could use the aws cli to add a custom attribute:
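resource "aws_cognito_user_pool" "main" {
  # ...

  # add-custom-attributes takes a user pool ID, so the provisioner sits on the
  # user pool resource; self.id refers to the pool this block creates.
  provisioner "local-exec" {
    command = "aws cognito-idp add-custom-attributes --user-pool-id ${self.id} --custom-attributes <your attributes>"
  }
}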
local-exec docs

New To Bluemix, getting error "The host is taken" for new app

I am new to Bluemix. As part of creating an app, I followed the steps below:
Log in to Bluemix with your Bluemix account.
Open the Catalog menu.
From the Runtimes section, click Liberty for Java.
In the App field, specify the name of your app [entered name]
Click the Create button
I am getting the error below:
BXNUI2032E: An error occurred when contacting Cloud Foundry to create a resource. Resource: routes. Cloud Foundry message: "The host is taken: vTest." See the Troubleshooting topics in the IBM Bluemix Documentation to check service status, review troubleshooting information, or for information about getting help.
Thanks in Advance
Bluemix will auto create the hostname for your app based on what you type into the name of the app. The above error means someone else has that hostname for their app.
The error message will probably look like the following.
cf push watson-um-demo
Creating app watson-um-demo in org jbsloyer#us.ibm.com / space demos as jbsloyer#us.ibm.com...
OK
Creating route watson-um-demo.mybluemix.net...
FAILED
Server error, status code: 400, error code: 210003, message: The host is taken: watson-um-demo
To resolve the issue you can modify the hostname field.
Bluemix assigns your app with a domain of mybluemix.net if you are running in the US-South region. If you are running in the EU-GB region Bluemix will assign your app with a domain of eu-gb.mybluemix.net. You can map your own domains to your app as well. See https://www.ng.bluemix.net/docs/#manageapps/index-gentopic3.html#domain.
The guys before me already gave you the answer you were looking for, I just want to share some good practices, if you don't mind. While it might not work for you, it has worked like a charm for me over past months.
What has worked best for me is to start every App Name with my initials and then the app name. Colleagues of mine are doing the same just adding their name at the end.
So whenever I create a new app I follow my little schema in head:
Initials in front
no spaces just underscores
Descriptive and easy to remember so that I can quickly type it in the command line
The host you input will be the part of your url before mybluemix.net (yours would be vTest.mybluemix.net), so it needs to be globally unique across all of Bluemix. Try adding some random characters to the end of your host.
Don't stress out :) The reality is you likely will not want to use mybluemix.net for a customer facing URL/Route. Simply replace the name that you initially used that is already used by someone else with a compliant one; see Restrictions on Valid Hostnames. It really doesn't matter which one.
Then get yourself a DNS provider like Domainmaster.com and register your own custom domain, like www.mygreatsite.com.
Then modify Bluemix to use your own custom domain you created. Read the documentation on Creating and using a custom domain with Bluemix.
You may want to set up other settings in your DNS like Cname, AAAA records and A records. Work with the DNS provider to figure out which ones you want to change.
