All geek questions in one place

"Complete EC2 Instance" Failure Failed

when I run a specific type of instance, userdata-script creates a metric + alarm through Boto. The metric correctly transfers data to CloudWatch. An alarm should interrupt an instance as an action if any metric-based condition matches. In CloudWatch, an alarm is generated correctly and it switches alarm states as desired.

BUT: When it comes to completing an action, it fails with the following β€œhistory” entry: Alarm updated from

  • OK for SIGNAL. Reason: Threshold crossed: 5 data points were greater than the threshold (200.0). The most recent data: 999.0, 999.0.
  • arn: aws: automate: eu-west-1: ec2: completion is in progress.
  • EC2 "i-xxx" failed to complete the action. AWS was unable to verify the credentials provided.

Screenshothot of alarm history

I have already provided the "AdministratorAccess" policy to the "userdata" -Role, which is attached to the instance.

Any clues?

Relationship Tom

+4
source share
2 answers

I think this is a problem. From the developer's guide :

If you use the IAM role (for example, an Amazon EC2 instance profile), you cannot stop or terminate the instance using alarm actions. However, you can still see the alarm status and perform any other actions such as Amazon SNS notifications or auto-scaling policies.

I recently posted in the AWS forum about this issue: https://forums.aws.amazon.com/message.jspa?messageID=601951

+2
source

I just got this question and seems to have solved it.
The IAM role associated with the CloudWatch Alarm service is AWSServiceRoleForCloudWatchEvents. I believe his trustees are events.amazonaws.com. And his political document in the tag of trust ,

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "events.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }

And my ec2 instance role policy document in the Trust Relationship tag

 { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "ec2.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }

Then add the contents of the Trusted Entities events.amazonaws.com to the ec2 instance role policy document as follows:

 { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "ec2.amazonaws.com" }, "Action": "sts:AssumeRole" }, { "Effect": "Allow", "Principal": { "Service": "events.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }

This adds the trusted entity events.amazonaws.com to the role.
Then the CloudWatch Alarm to stop instance function is fine!

0
source

Source: https://habr.com/ru/post/1480678/

More articles:


All Articles