Unable to get started | Security Groups | AWS OpsWorks


#1

Hi team,

I am trying to get up and working with the AWS OpsWorks offering, but am unable to get off the ground. I hope someone is able to help me with this. Of course, the ideal way would be to use Terraform or CloudFormation to get this up, but to start with, I am using the manual way to create it.

The steps I did were -

  • Created a VPC in the Oregon region.
  • Ensured it has a public subnet associated to it.
  • Started the AWS OpsWorks creation (wizard?), got through the first 2 screens which asks to select the Automate Server Name, AWS region and the instance type and the SSH key. However, when I reach the third screen where I would need to select the VPC, subnet and security groups, I get erratic results.
  • On the first attempt, the VPC and Subnet information showed up fine. I selected the option to create a ‘Generate a new one’ in ‘Security Groups’. But the Service role and Instance profile fields didn’t get populated. When I went back and tried again, the VPC and Subnet fields didn’t get populated (which worked fine in the earlier attempt).

I still need to check with the AWS admin at my organisation to see if the issue is related to permissions. I do see an error on the home page -

You don’t have permissions to view the Chef Automate servers on this account

but it still allows me to proceed with the wizard.

What am I be missing?


#2

Answering it myself. this was related to permissions - which allowed me to move on to the next step.

However, at the last step when I attempt to ‘launch’ after the review screen, I get a message - ‘unexpected error’. I am sure its related to permissions as well.

Question is - what are the exact set of roles required to get this working? The roles corresponding to me are -

        "Effect": "Allow",
        "Action": [
            "opsworks:*",
            "ec2:DescribeAvailabilityZones",
            "ec2:DescribeKeyPairs",
            "ec2:DescribeSecurityGroups",
            "ec2:DescribeAccountAttributes",
            "ec2:DescribeAvailabilityZones",
            "ec2:DescribeSecurityGroups",
            "ec2:DescribeSubnets",
            "ec2:DescribeVpcs",
            "elasticloadbalancing:DescribeInstanceHealth",
            "elasticloadbalancing:DescribeLoadBalancers",
            "iam:GetRolePolicy",
            "iam:ListInstanceProfiles",
            "iam:ListRoles",
            "iam:ListUsers",
            "iam:PassRole"
        "Effect": "Allow",
        "Action": [
            "opsworks-cm:*"
        ],
        "Effect": "Allow",
        "Action": [
            "iam:CreateRole",
            "iam:AttachRolePolicy"
        ],

#3

Doesn’t look like he full set of required permissions are documented. Your best bet is probably to reach out to AWS support to get the full list.