Knowledge Base

AWS Troubleshooting

The Billing section is empty when I generate an AWS document.

  • Billing data comes from Cost Explorer, so you need to ensure Cost Explorer is activated
  • Once Cost Explorer is activated, you need to ensure the user you log in with has access to Cost Explorer. Typically, a read-only role does not have access to Cost Explorer. If you want to add only Cost Explorer permissions, you can create the following policy and attach it to the read-only user:
{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": [
				"ce:*"
			],
			"Resource": [
				"*"
			]
		}
	]
}

I have created an IAM user with read-only access and cannot access the S3 bucket where I want to drop the document.

  • Create the following policy and attach it to your IAM user. The bucket ARN covers bucket-level actions such as listing the bucket; object-level actions such as PutObject only match the object ARN ending in /*, so both are listed:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::YOURS3Bucket",
                "arn:aws:s3:::YOURS3Bucket/*"
            ]
        }
    ]
}
  • In the S3 console, open the bucket, click Permissions and then Bucket Policy. Ensure you have the following statement (replace the IAM user ARN and the Resource):
{
    "Version": "2008-10-17",
    "Id": "Policy1335892530063",
    "Statement": [
        {
            "Sid": "Stmt1335892526597",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::xxxx:user/xxxxxxx"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::yourS3Bucket/*"
        }
    ]
}

I want to extract the warnings from AWS Trusted Advisor. What rights are required?

  • Ensure that the user you have created has the following policy attached:
{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "VisualEditor0",
			"Effect": "Allow",
			"Action": [
				"support:DescribeTrustedAdvisorCheckResult",
				"support:DescribeTrustedAdvisorChecks"
			],
			"Resource": "*"
		}
	]
}
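
The three questions above come down to whether an IAM policy matches a given action and resource. The following evaluator is an added example, not part of this knowledge base article: it models the subset of IAM evaluation these policies rely on (explicit Deny wins, any matching Allow grants, otherwise implicit deny, with * and ? wildcards in actions and resources), and runs the page's Cost Explorer, S3 and Trusted Advisor policies through it, plus the bucket policy with a constructed principal. It shows the bucket-ARN-only S3 form, which grants bucket-level actions but no object-level ones, beside the form that also lists the object ARN. The account id 111122223333, the user name docgen and the object key report.docx are placeholders; conditions, NotAction/NotResource, SCPs and permission boundaries are not modelled.

```python
import fnmatch

# Added example (not from the original page): a small IAM policy evaluator.
# Explicit Deny wins, otherwise any matching Allow grants, otherwise the
# request is implicitly denied. Conditions, NotAction/NotResource, SCPs,
# permission boundaries and cross-policy merging are not modelled.


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM wildcards * and ? behave like fnmatch; ARNs are compared as written.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_matches(stmt, principal_arn):
    # Resource policies name the allowed principal; "*" means anyone.
    principal = stmt.get("Principal", {})
    if principal == "*":
        return True
    return _matches(principal.get("AWS", []), principal_arn)


def evaluate(policy, action, resource, principal_arn=None):
    """Return 'allow', 'deny' or 'implicit_deny' for one action on one resource."""
    decision = "implicit_deny"
    for stmt in _as_list(policy["Statement"]):
        if principal_arn is not None and not _principal_matches(stmt, principal_arn):
            continue
        # Action names are case-insensitive in IAM.
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not _matches(actions, action.lower()):
            continue
        if not _matches(stmt.get("Resource", []), resource):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"
        decision = "allow"
    return decision


# The identity policies from the article, as Python dicts.
COST_EXPLORER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["ce:*"], "Resource": ["*"]}],
}

# Bucket ARN only: bucket-level actions match, object-level actions do not.
S3_BUCKET_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:*"],
                   "Resource": ["arn:aws:s3:::YOURS3Bucket"]}],
}

# Bucket ARN plus object ARN: PutObject on objects in the bucket now matches.
S3_BUCKET_AND_OBJECTS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:*"],
                   "Resource": ["arn:aws:s3:::YOURS3Bucket",
                                "arn:aws:s3:::YOURS3Bucket/*"]}],
}

TRUSTED_ADVISOR_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "VisualEditor0", "Effect": "Allow",
                   "Action": ["support:DescribeTrustedAdvisorCheckResult",
                              "support:DescribeTrustedAdvisorChecks"],
                   "Resource": "*"}],
}

# Bucket policy from the article with a constructed principal (placeholder
# account id and user name, not real identities).
BUCKET_POLICY = {
    "Version": "2008-10-17",
    "Statement": [{"Sid": "Stmt1335892526597", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::111122223333:user/docgen"},
                   "Action": "s3:PutObject",
                   "Resource": "arn:aws:s3:::yourS3Bucket/*"}],
}


def can_drop_document(identity_policy, bucket, key):
    """True when the identity policy alone lets the user write bucket/key."""
    arn = f"arn:aws:s3:::{bucket}/{key}"
    return evaluate(identity_policy, "s3:PutObject", arn) == "allow"


if __name__ == "__main__":
    for name, policy in [("bucket ARN only", S3_BUCKET_ONLY_POLICY),
                         ("bucket + object ARNs", S3_BUCKET_AND_OBJECTS_POLICY)]:
        print(f"{name}: PutObject allowed ->",
              can_drop_document(policy, "YOURS3Bucket", "report.docx"))
    # ce:* is broader than reading: it also matches Cost Explorer write actions.
    print("ce:UpdateAnomalyMonitor ->",
          evaluate(COST_EXPLORER_POLICY, "ce:UpdateAnomalyMonitor", "*"))
```

Two things worth noticing when you run it: `ce:*` matches every Cost Explorer action, including write actions, so scope the action list down if the user only needs to read billing data; and the bucket policy alone is enough for the document drop only because it names the user as Principal for `s3:PutObject` on the object ARN, which is why the IAM user ARN and Resource must be replaced with your own values.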

I want to extract the details of an EKS Cluster. How should I do that?

This document is a summary of this article: https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html. The user that creates an AWS EKS cluster is automatically bound to the system:masters group in the cluster's RBAC configuration, which grants admin rights over the cluster. If you want other users to be able to access the Kubernetes API, they need to be added to the aws-auth ConfigMap. (If you did not create the cluster with the eksctl CLI, you will need to add the aws-auth ConfigMap to the cluster manually before continuing; see https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html.)

To add a user, you will need its ARN (an easy way to find a user's ARN is to open Identity and Access Management (IAM) in the AWS console), an arbitrary username and a permission group. Some default groups exist; see https://kubernetes.io/docs/reference/access-authn-authz/rbac/ for more information.

Once the cluster is created and you have access to it via the kubectl CLI (running kubectl get svc is a good way to check that you have access), use the command kubectl edit -n kube-system configmap/aws-auth

The configuration file will open in a text editor. Add the following information to obtain a file that looks like this:

apiVersion: v1
data:
  mapRoles: |
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: arn:aws:iam::349224196492:role/eksctl-LouisCluster-nodegroup-ng-NodeInstanceRole-KVFDAYFFJ5CL
      username: system:node:{{EC2PrivateDNSName}}
  mapUsers: |
    - userarn: arn:aws:iam::349224196492:user/adktestuser1
      username: adktestuser1
      groups:
      - system:masters
kind: ConfigMap
metadata:
  creationTimestamp: "2021-04-29T15:45:27Z"
  name: aws-auth
  namespace: kube-system
  resourceVersion: "242263"
  selfLink: /api/v1/namespaces/kube-system/configmaps/aws-auth
  uid: 91ab300c-ea19-44e6-9fee-ee226e56e8c5

In this example, the user adktestuser1 is now bound to the system:masters group, which exists by default. It is however possible to create custom groups with custom roles.
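
Because every entry in mapUsers and mapRoles that lists system:masters is a cluster admin, it is worth being able to read the ConfigMap back and audit it before and after an edit. The script below is an added example, not part of this article or of any AWS tooling: it parses the mapUsers and mapRoles blocks from the ConfigMap shown above with a small line-based reader (only that block layout is supported, it is not a general YAML parser), renders a new mapUsers entry after checking the ARN shape, and lists every identity bound to system:masters. The account id 111122223333, the user reader and the group eks-viewers in the usage call are constructed placeholders.

```python
import re

# Added example (not from the original page): reader, builder and audit for the
# aws-auth mapUsers/mapRoles blocks. Supports the layout shown in the article:
# one "- " entry per identity, scalar keys, and a "groups" list.

# Shape of an IAM user/role ARN (constructed check; stricter than IAM's rules).
IAM_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:(user|role)/[\w+=,.@/-]+$")


def is_iam_arn(arn):
    return bool(IAM_ARN_RE.match(arn))


def parse_mappings(block):
    """Parse a mapUsers or mapRoles block into a list of dicts."""
    entries, current, list_key, entry_indent = [], None, None, None
    for raw in block.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip())
        text = raw.strip()
        if entry_indent is None:
            entry_indent = indent            # indentation of the entry markers
        if indent == entry_indent and text.startswith("- "):
            current, list_key = {}, None     # a new identity entry starts here
            entries.append(current)
            text = text[2:].strip()
        elif text.startswith("- "):
            current[list_key].append(text[2:].strip())  # item of the open list
            continue
        # Split on the first colon only: ARNs and system:node:... contain colons.
        key, _, value = text.partition(":")
        key, value = key.strip(), value.strip()
        if value:
            current[key] = value
        else:
            list_key, current[key] = key, []  # "groups:" opens a list
    return entries


def user_mapping(userarn, username, groups):
    """Render one mapUsers entry, rejecting malformed input before it reaches the cluster."""
    if not is_iam_arn(userarn):
        raise ValueError(f"not an IAM user/role ARN: {userarn}")
    if not groups:
        raise ValueError("an entry with no groups grants nothing")
    lines = [f"- userarn: {userarn}", f"  username: {username}", "  groups:"]
    lines += [f"  - {g}" for g in groups]
    return "\n".join(lines) + "\n"


def cluster_admins(entries):
    """ARNs of every mapped user or role that lands in system:masters."""
    return [e.get("userarn") or e.get("rolearn")
            for e in entries if "system:masters" in e.get("groups", [])]


# The mapUsers and mapRoles blocks from the ConfigMap shown in the article.
SAMPLE_MAP_USERS = """\
    - userarn: arn:aws:iam::349224196492:user/adktestuser1
      username: adktestuser1
      groups:
      - system:masters
"""

SAMPLE_MAP_ROLES = """\
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: arn:aws:iam::349224196492:role/eksctl-LouisCluster-nodegroup-ng-NodeInstanceRole-KVFDAYFFJ5CL
      username: system:node:{{EC2PrivateDNSName}}
"""

if __name__ == "__main__":
    entries = parse_mappings(SAMPLE_MAP_USERS) + parse_mappings(SAMPLE_MAP_ROLES)
    print("cluster admins:", cluster_admins(entries))
    # Constructed values: a read-only user mapped to a custom (non-admin) group.
    print(user_mapping("arn:aws:iam::111122223333:user/reader", "reader", ["eks-viewers"]))
```

Running the audit over the sample ConfigMap reports adktestuser1 as the only cluster admin; the node role is in system:bootstrappers and system:nodes only. A group such as eks-viewers only takes effect once a matching RoleBinding or ClusterRoleBinding exists in the cluster, which is what the custom groups mentioned above refer to.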

(Optional) If you want the users you've added to the ConfigMap to be able to view nodes or view workloads in the AWS Management Console, the user or role must have the appropriate permissions to view the resources in Kubernetes, and also the appropriate IAM permissions to view those resources in the AWS Management Console. For more information, see "View nodes and workloads for all clusters in the AWS Management Console".
