Hi,
Testing the new iam_profile_name, which I understand can be used to set the
role when creating a new instance via kitchen-ec2, I updated the
corresponding .kitchen.yml file, but the instance does not get any role
assigned. Following is the config I used and the results from the created
instance. I am thinking maybe I missed something obvious that I can’t see?
Luis
Luis-Cosmes-MacBook-Pro:ffdc-common lcosmes$ head .kitchen.yml
driver:
  name: ec2
  aws_ssh_key_id: [my_ssh_key_id]
  region: us-east-1
  availability_zone: us-east-1b
  security_group_ids: ["sg-YYYYYY"]
  subnet_id: "subnet-aaaaaaa"
  instance_type: t2.small
  iam_profile_name: master
- "master" role exists in IAM
Luis-Cosmes-MacBook-Pro:ffdc-common lcosmes$ aws iam get-role --role-name master --query 'Role.{RoleName:RoleName,Arn:Arn}'
{
  "RoleName": "master",
  "Arn": "arn:aws:iam::663255216447:role/master"
}
- kitchen converge creates the new instance, and doesn’t spit any errors
Luis-Cosmes-MacBook-Pro:ffdc-common lcosmes$ kitchen converge def
-----> Starting Kitchen (v1.4.0)
$$$$$$ WARN: The driver[Kitchen::Driver::Ec2] config key username is deprecated, please use transport.username
-----> Creating …
Creating <>…
If you are not using an account that qualifies under the AWS
free-tier, you may be charged to run these suites. The charge
should be minimal, but neither Test Kitchen nor its maintainers
are responsible for your incurred costs.
Instance <i-b517ad65> requested.
EC2 instance <i-b517ad65> created.
…
- The created instance, however, does not contain a role
Luis-Cosmes-MacBook-Pro:ffdc-common lcosmes$ aws ec2 describe-instances --instance-ids i-b517ad65 --query 'Reservations[].Instances[].IamInstanceProfile'
[
[]
]
Instance profiles are not the same as IAM roles. While normally there is a one-to-one mapping, I don't see any code in kitchen to automatically create instance profiles for you the way that some other tools do. Create the insp yourself and it should work.
--Noah
On May 20, 2015, at 11:16 AM, Luis Cosmes lcosmes@financialforce.com wrote:
Hi,
Testing the new iam_profile_name, which I understand can be used to set the role when creating a new instance via kitchen-ec2, I updated the corresponding .kitchen.yml file, but the instance does not get any role assigned. Following is the config I used and the results from the created instance. I am thinking maybe I missed something obvious that I can't see?
Luis
Luis-Cosmes-MacBook-Pro:ffdc-common lcosmes$ head .kitchen.yml
driver:
  name: ec2
  aws_ssh_key_id: [my_ssh_key_id]
  region: us-east-1
  availability_zone: us-east-1b
  security_group_ids: ["sg-YYYYYY"]
  subnet_id: "subnet-aaaaaaa"
  instance_type: t2.small
  iam_profile_name: master
- "master" role exists in IAM
Luis-Cosmes-MacBook-Pro:ffdc-common lcosmes$ aws iam get-role --role-name master --query 'Role.{RoleName:RoleName,Arn:Arn}'
{
  "RoleName": "master",
  "Arn": "arn:aws:iam::663255216447:role/master"
}
- kitchen converge creates the new instance, and doesn't spit any errors
Luis-Cosmes-MacBook-Pro:ffdc-common lcosmes$ kitchen converge def
-----> Starting Kitchen (v1.4.0)
$$$$$$ WARN: The driver[Kitchen::Driver::Ec2] config key username is deprecated, please use transport.username
-----> Creating ...
Creating <>...
If you are not using an account that qualifies under the AWS
free-tier, you may be charged to run these suites. The charge
should be minimal, but neither Test Kitchen nor its maintainers
are responsible for your incurred costs.
Instance <i-b517ad65> requested.
EC2 instance <i-b517ad65> created.
...
- The created instance, however, does not contain a role
Luis-Cosmes-MacBook-Pro:ffdc-common lcosmes$ aws ec2 describe-instances --instance-ids i-b517ad65 --query 'Reservations[].Instances[].IamInstanceProfile'
[
]
I'm getting the same with an iam role/instance profile with the same
name. Both of the following commands return correct values
aws iam get-role --role-name webServer
aws iam get-instance-profile --instance-profile-name webServer
In my .kitchen.yml I have:
driver:
  iam_profile_name: webServer
The iam role was created via the AWS console so the name definitely matches
with the instance profile.
On Wed, May 20, 2015 at 11:50 AM, Noah Kantrowitz noah@coderanger.net
wrote:
Instance profiles are not the same as IAM roles. While normally there is a
one-to-one mapping, I don't see any code in kitchen to automatically create
instance profiles for you the way that some other tools do. Create the insp
yourself and it should work.
--Noah
--
Yoshi Spendiff
Ops Engineer
Indochino
Mobile: +1 778 952 2025
Email: yoshi.spendiff@indochino.com
This is the result of trying to get the chef-server to consider itself a chef client.
root@chef-server:/etc/chef-server# chef-client
[2015-05-20T21:58:42-07:00] INFO: Forking chef instance to converge…
Starting Chef Client, version 12.3.0
[2015-05-20T21:58:42-07:00] INFO: *** Chef 12.3.0 ***
[2015-05-20T21:58:42-07:00] INFO: Chef-client pid: 6470
[2015-05-20T21:58:45-07:00] ERROR: SSL Validation failure connecting to host: chef-server - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
================================================================================
Chef encountered an error attempting to load the node data for "chef-server"
Unexpected Error:
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
[2015-05-20T21:58:45-07:00] FATAL: Stacktrace dumped to /var/chef/cache/chef-stacktrace.out
Chef Client failed. 0 resources updated in 2.552439872 seconds
[2015-05-20T21:58:45-07:00] ERROR: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
[2015-05-20T21:58:45-07:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)
root@chef-server:/etc/chef-server#
Unsure as to how to proceed.
What file is this reading localhost from when it should be chef-server?
I.e. where is the chef_server-url defined?
What configuration file? What path?
root@chef-server:/etc/chef# knife ssl check
WARNING: No knife configuration file found
Connecting to host localhost:443
ERROR: The SSL cert is signed by a trusted authority but is not valid for the given hostname
ERROR: You are attempting to connect to: 'localhost'
ERROR: The server's certificate belongs to 'chef-server'
TO FIX THIS ERROR:
The solution for this issue depends on your networking configuration. If you
are able to connect to this server using the hostname chef-server
instead of localhost, then you can resolve this issue by updating chef_server_url
in your configuration file.
If you are not able to connect to the server using the hostname chef-server
you will have to update the certificate on the server to use the correct hostname.
root@chef-server:/etc/chef#
By the way, the chef-client host from last night is fine. It was a knife.rb which needed
to be generated from the Chef GUI and a validation pem regenerated.
This is a regression I introduced in 0.9.0 - I accidentally renamed the key iam_profile_name to iam_instance_profile. I’ve fixed the issue in PR #125 https://github.com/test-kitchen/kitchen-ec2/pull/125 and will be releasing a patch fix as soon as I get it merged. Thanks for the report, and sorry for the regression! I added test coverage for this as well.
-T
On May 20, 2015, at 3:38 PM, Yoshi Spendiff yoshi.spendiff@indochino.com wrote:
I'm getting the same with an iam role/instance profile with the same name. Both of the following commands return correct values
aws iam get-role --role-name webServer
aws iam get-instance-profile --instance-profile-name webServer
In my .kitchen.yml I have:
driver:
  iam_profile_name: webServer
The iam role was created via the AWS console so the name definitely matches with the instance profile.
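A post-launch check for the failure discussed in this thread, as an added example that is not code from the thread or from kitchen-ec2: it reads the JSON printed by the `aws iam get-instance-profile` and `aws ec2 describe-instances` commands quoted above and reports whether the instance profile wraps the expected role and whether the instance actually received it. The function names are hypothetical, and the JSON samples, account ID and profile Id are constructed placeholders.

```ruby
require "json"

# Constructed sample in the shape of `aws iam get-instance-profile` output.
GET_INSTANCE_PROFILE = <<~JSON
  {"InstanceProfile": {
    "InstanceProfileName": "webServer",
    "Arn": "arn:aws:iam::123456789012:instance-profile/webServer",
    "Roles": [{"RoleName": "webServer",
               "Arn": "arn:aws:iam::123456789012:role/webServer"}]}}
JSON

# Constructed samples of the describe-instances query output from the thread:
# one instance with a profile attached, one without (the reported symptom).
DESCRIBE_ATTACHED =
  '[{"Arn": "arn:aws:iam::123456789012:instance-profile/webServer", "Id": "AIPAPLACEHOLDER"}]'
DESCRIBE_EMPTY = "[\n[]\n]"

# Role names carried by an instance profile. EC2 attaches the profile, not the
# role, so a role that no profile wraps never reaches an instance.
def roles_in_profile(get_instance_profile_json)
  profile = JSON.parse(get_instance_profile_json).fetch("InstanceProfile")
  profile.fetch("Roles", []).map { |role| role.fetch("RoleName") }
end

# Names of the instance profiles attached to the described instances.
# Nested empty arrays and nulls (no profile) collapse to an empty list.
def attached_profiles(describe_json)
  JSON.parse(describe_json).flatten.compact.map do |profile|
    profile.fetch("Arn").split(":instance-profile/", 2).last.split("/").last
  end
end

# Returns a list of problems; an empty list means the launch matched the config.
def verify_launch(expected_profile, expected_role, profile_json, describe_json)
  problems = []
  unless roles_in_profile(profile_json).include?(expected_role)
    problems << "instance profile does not contain role #{expected_role}"
  end
  unless attached_profiles(describe_json).include?(expected_profile)
    problems << "instance has no instance profile #{expected_profile} attached"
  end
  problems
end

if __FILE__ == $PROGRAM_NAME
  puts verify_launch("webServer", "webServer", GET_INSTANCE_PROFILE, DESCRIBE_EMPTY)
end
```

Run after `kitchen converge`, a non-empty result catches a driver that silently ignores the configured key, which a clean converge log does not.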