
[Bug]: prepare-environment fundamentals/storage/efs fails with User is not authorized

Open justRishi opened this issue 1 year ago • 2 comments

Installation method

Own AWS account

What happened?

The fundamentals eks-workshop Amazon EFS prepare environment fails; previous sections with "prepare environment" did not fail. Lab: https://www.eksworkshop.com/docs/fundamentals/storage/efs/
Command: prepare-environment fundamentals/storage/efs resulted in this error:

ec2-user:~/environment:$ prepare-environment fundamentals/storage/efs
Refreshing copy of workshop repository from GitHub...

Resetting the environment...
Tip: Read the rest of the lab introduction while you wait!
Waiting for application to become ready...
Cleaning up previous lab infrastructure...
Creating infrastructure for next lab...
╷
│ Error: creating EFS Mount Target (fs-07848258f41ad0ca1): operation error EFS: CreateMountTarget, https response error StatusCode: 403, RequestID: 937f7fea-d656-40e1-b2c6-266d4d4cd7c4, api error AccessDeniedException: User is not authorized to perform that action on the specified resource
│ 
│   with module.lab.module.preprovision[0].aws_efs_mount_target.efsmtpvsubnet[0],
│   on lab/preprovision/main.tf line 65, in resource "aws_efs_mount_target" "efsmtpvsubnet":
│   65: resource "aws_efs_mount_target" "efsmtpvsubnet" {
│ 
╵
╷
│ Error: creating EFS Mount Target (fs-07848258f41ad0ca1): operation error EFS: CreateMountTarget, https response error StatusCode: 403, RequestID: c2e67f38-e9ed-4f97-8c4f-9431aacbc6fe, api error AccessDeniedException: User is not authorized to perform that action on the specified resource
│ 
│   with module.lab.module.preprovision[0].aws_efs_mount_target.efsmtpvsubnet[1],
│   on lab/preprovision/main.tf line 65, in resource "aws_efs_mount_target" "efsmtpvsubnet":
│   65: resource "aws_efs_mount_target" "efsmtpvsubnet" {
│ 
╵
╷
│ Error: creating EFS Mount Target (fs-07848258f41ad0ca1): operation error EFS: CreateMountTarget, https response error StatusCode: 403, RequestID: d5a077cf-61e8-46d4-aa21-fd18894b11df, api error AccessDeniedException: User is not authorized to perform that action on the specified resource
│ 
│   with module.lab.module.preprovision[0].aws_efs_mount_target.efsmtpvsubnet[2],
│   on lab/preprovision/main.tf line 65, in resource "aws_efs_mount_target" "efsmtpvsubnet":
│   65: resource "aws_efs_mount_target" "efsmtpvsubnet" {
│ 
╵
An error occurred, please contact your workshop proctor or raise an issue at https://github.com/aws-samples/eks-workshop-v2/issues
The full log can be found here: /eks-workshop/logs/action-1726570670.log

What did you expect to happen?

EFS environment for the lab to be created successfully

How can we reproduce it?

  1. Go to https://www.eksworkshop.com/docs/fundamentals/storage/efs/ (after creating the environment as explained in: https://www.eksworkshop.com/docs/introduction/setup/your-account/using-eksctl).
  2. Execute this in the online lab environment VS Code: prepare-environment fundamentals/storage/efs

Anything else we need to know?

The previous EFS-lab sections like Amazon EBS prepare-environment went fine, as well as Ingress, Load Balancers, etc.

EKS version

1.30

justRishi avatar Sep 17 '24 11:09 justRishi

I am also experiencing this same issue as @justRishi described above.

casey-holgado avatar Sep 19 '24 18:09 casey-holgado

Thanks for the report, we'll need to look into this. The IAM permissions look like they should allow this and our tests are succeeding, so it will take some manual investigation.

niallthomson avatar Sep 28 '24 00:09 niallthomson

same issue for me

flphvlck avatar Dec 03 '24 14:12 flphvlck

Same issue for me. Tested yesterday on eu-west-1 (failed) but works today on us-west-2

ingcloud-fr avatar Dec 04 '24 18:12 ingcloud-fr

I spent some time troubleshooting this and was able to resolve this by adding the following.

In the eks-workshop-ide-ec2 policy, add ec2:CreateNetworkInterface and ec2:DeleteNetworkInterface.

Based on the AWS CLI documentation, the following permissions are required.

This operation requires permissions for the following action on the file system:

elasticfilesystem:CreateMountTarget

This operation also requires permissions for the following Amazon EC2 actions:

ec2:DescribeSubnets
ec2:DescribeNetworkInterfaces
ec2:CreateNetworkInterface

Hope this helps. I would create a PR, but I'm not sure how AWS manages public input.

rdripps avatar Dec 07 '24 01:12 rdripps

I hit this error as well, and I'm using us-west-2.

Manually updating the eks-workshop-ide-ec2 policy per @rdripps's suggestion worked for me.

ajmoorexyz avatar Dec 27 '24 16:12 ajmoorexyz

...
        {
            "Action": [
                "ec2:CreateVpc",
                "ec2:CreateSubnet",
                "ec2:CreateRouteTable",
                "ec2:CreateRoute",
                "ec2:CreateInternetGateway",
                "ec2:AttachInternetGateway",
                "ec2:AssociateRouteTable",
                "ec2:ModifyVpcAttribute",
                "ec2:CreateSecurityGroup",
                "ec2:AllocateAddress",
                "ec2:ReleaseAddress",
                "ec2:DisassociateAddress",
                "ec2:CreateNetworkAclEntry",
                "ec2:DeleteNetworkAclEntry",
                "ec2:CreateNatGateway",
                "ec2:DeleteNatGateway",
                "ec2:CreateNetworkInterface",
                "ec2:DeleteNetworkInterface"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        },
...

ajmoorexyz avatar Dec 27 '24 16:12 ajmoorexyz
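
An offline check for the gap identified in the two comments above, added here as an example (it is not code from the workshop repository or from any commenter): it compares an identity policy's Action lists, wildcards included, against the four actions quoted from the AWS CLI documentation for CreateMountTarget. The function names and both sample policies are constructed for illustration; Resource, Condition, NotAction, permission boundaries and SCPs are deliberately not evaluated.

```python
import fnmatch

# Actions the thread quotes from the AWS CLI documentation for CreateMountTarget.
REQUIRED = [
    "elasticfilesystem:CreateMountTarget",
    "ec2:DescribeSubnets",
    "ec2:DescribeNetworkInterfaces",
    "ec2:CreateNetworkInterface",
]

def as_list(value):
    # IAM accepts a single string or a list for Statement and Action.
    return value if isinstance(value, list) else [value]

def matches(patterns, action):
    # Action names are case-insensitive; "*" and "?" are wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def missing_actions(policy, required=REQUIRED):
    """Return the required actions this one identity policy does not grant.

    Simplification (assumption): Resource, Condition and NotAction are not
    evaluated, nor are boundaries or SCPs; only Action lists are compared.
    """
    allowed, denied = [], []
    for stmt in as_list(policy.get("Statement", [])):
        if "Action" not in stmt:
            continue
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        bucket.extend(as_list(stmt["Action"]))
    # An explicit Deny always wins over an Allow.
    return [a for a in required if not matches(allowed, a) or matches(denied, a)]

def sample_policy(with_eni_actions):
    # Constructed sample: a shortened form of the statement posted in the
    # thread, plus an assumed statement granting the EFS and Describe actions.
    ec2 = ["ec2:CreateSecurityGroup", "ec2:CreateNatGateway", "ec2:DeleteNatGateway"]
    if with_eni_actions:
        ec2 += ["ec2:CreateNetworkInterface", "ec2:DeleteNetworkInterface"]
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ec2, "Resource": ["*"]},
        {"Effect": "Allow", "Action": ["elasticfilesystem:*", "ec2:Describe*"],
         "Resource": "*"},
    ]}

if __name__ == "__main__":
    print("before:", missing_actions(sample_policy(False)))
    print("after: ", missing_actions(sample_policy(True)))
```

The 403 in the report is returned by the EFS CreateMountTarget call and does not name the EC2 action that was missing, so comparing the policy against the documented list is what exposes it.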

https://github.com/aws-samples/eks-workshop-v2/pull/1199

ajmoorexyz avatar Dec 27 '24 23:12 ajmoorexyz

Fixed in #1199

niallthomson avatar Feb 05 '25 20:02 niallthomson