#aws (2019-07)
Discussion related to Amazon Web Services (AWS)
Archive: https://archive.sweetops.com/aws/
2019-07-01
![vishnu.shukla avatar](https://secure.gravatar.com/avatar/8718ad07adbcbc884abae81ebb128d5e.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0006-72.png)
arniam:user/ad.dt is not authorized to perform: kms:DescribeKey on resource: arn
kms634880740321:key/ac43ea17-741a-4347-ac04-88d42ffec899
![aaratn avatar](https://avatars.slack-edge.com/2019-02-20/557134156454_f5d7fde6bbdd7b4ced9e_72.jpg)
Looks like issue with IAM policy
![vishnu.shukla avatar](https://secure.gravatar.com/avatar/8718ad07adbcbc884abae81ebb128d5e.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0006-72.png)
it got fixed, thanks
![vishnu.shukla avatar](https://secure.gravatar.com/avatar/8718ad07adbcbc884abae81ebb128d5e.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0006-72.png)
Can anyone help me fix this error?
![vishnu.shukla avatar](https://secure.gravatar.com/avatar/8718ad07adbcbc884abae81ebb128d5e.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0006-72.png)
The user is trying to access SQS and SNS, and the user has full access to SQS and SNS.
![Nikola Velkovski avatar](https://avatars.slack-edge.com/2018-11-08/474538495603_cc9e62a39b3dbc9d8d65_72.png)
@vishnu.shukla I think you should remove your account id
![vishnu.shukla avatar](https://secure.gravatar.com/avatar/8718ad07adbcbc884abae81ebb128d5e.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0006-72.png)
@Nikola Velkovski thanks, but it got fixed; I just created a custom policy for KMS, attached it to the user, and it worked.
![Nikola Velkovski avatar](https://avatars.slack-edge.com/2018-11-08/474538495603_cc9e62a39b3dbc9d8d65_72.png)
What I was saying is that it’s not best practice from a security point of view to expose your AWS account ID.
![vishnu.shukla avatar](https://secure.gravatar.com/avatar/8718ad07adbcbc884abae81ebb128d5e.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0006-72.png)
that’s not my AWS ID; I edited the AWS ID and user before sending
![Nikola Velkovski avatar](https://avatars.slack-edge.com/2018-11-08/474538495603_cc9e62a39b3dbc9d8d65_72.png)
ah nice!
![Maciek Strömich avatar](https://secure.gravatar.com/avatar/98de12365b633b063e208220100d4594.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0002-72.png)
@Nikola Velkovski (-:
![Nikola Velkovski avatar](https://avatars.slack-edge.com/2018-11-08/474538495603_cc9e62a39b3dbc9d8d65_72.png)
¯\_(ツ)_/¯
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Oh, I didn’t realize that eksctl was a joint effort.
![omerfsen avatar](https://secure.gravatar.com/avatar/b66c1225c52ce7769292f48c16d03f0f.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0012-72.png)
And now it is in the official documentation of the AWS EKS user guide (added end of May), so it is the suggested setup.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
I thought it was only by Weaveworks + community
![vitaly.markov avatar](https://secure.gravatar.com/avatar/af10ad814e165640f02247b3ede8bdd3.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0021-72.png)
yeah, awesome tool for creating an EKS cluster compared to the AWS EKS Console (web)
2019-07-02
![pericdaniel avatar](https://secure.gravatar.com/avatar/6340ef6c86748f847e91cfb1c42fa9ea.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0022-72.png)
Anyone created an ALB pointing to a kops k8s cluster?
![jose.amengual avatar](https://secure.gravatar.com/avatar/32f267b819eac9e0ea6a8324b53064a0.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0024-72.png)
dunno if that could help
![Issif avatar](https://avatars.slack-edge.com/2019-12-02/848866457345_6b17c415c518a84814ce_72.png)
are you sure that ALBs are available as ingress with kops? I think I remember only ELBs are possible right now
![Issif avatar](https://avatars.slack-edge.com/2019-12-02/848866457345_6b17c415c518a84814ce_72.png)
because an ALB needs at least a target group
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
We’ve deployed the alb-ingress-controller to a kops cluster
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
we’re currently using it with one customer, but would probably not recommend it unless absolutely necessary.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Here’s how we do it: https://github.com/cloudposse/helmfiles/blob/master/releases/aws-alb-ingress-controller.yaml
Comprehensive Distribution of Helmfiles. Works with helmfile.d
- cloudposse/helmfiles
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
using #helmfile
2019-07-03
2019-07-05
![Maciek Strömich avatar](https://secure.gravatar.com/avatar/98de12365b633b063e208220100d4594.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0002-72.png)
AWS Security Consulting
![joshmyers avatar](https://avatars.slack-edge.com/2018-11-20/483958217281_8117d6f6c62807ce9912_72.jpg)
heh, interesting read
2019-07-07
2019-07-08
![laxman71290 avatar](https://secure.gravatar.com/avatar/6345fd07b5cf5acfdf0c9062c911e722.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0020-72.png)
Hi, I am setting up my QA env using Terraform, and after the EC2 instance is provisioned it is failing the health check. Any suggestions on why this is happening? I am using the right port number for the health check.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
@laxman71290 health check from what? A load balancer or from outside?
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
check security groups in any case
![Maciek Strömich avatar](https://secure.gravatar.com/avatar/98de12365b633b063e208220100d4594.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0002-72.png)
Template format error: Unresolved resource dependencies [] in the Resources block of the template
Does anyone have any ideas what to look for in the CloudFormation template?
![Maciek Strömich avatar](https://secure.gravatar.com/avatar/98de12365b633b063e208220100d4594.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0002-72.png)
doesn’t matter; fat fingers, putting a !Ref without pointing it to a resource
2019-07-10
2019-07-11
![Maciek Strömich avatar](https://secure.gravatar.com/avatar/98de12365b633b063e208220100d4594.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0002-72.png)
How do you deal with multiple services running on ECS where every one of them is configured with awsvpc networking?
![Maciek Strömich avatar](https://secure.gravatar.com/avatar/98de12365b633b063e208220100d4594.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0002-72.png)
deal in terms of placing services on instances which, e.g., have enough available NICs, and doing autoscaling
![Maciek Strömich avatar](https://secure.gravatar.com/avatar/98de12365b633b063e208220100d4594.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0002-72.png)
do you spread applications across multiple clusters and generally not care about this issue, or do you have a fancy way of having a single ECS cluster with multiple services up and running?
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
@Maciek Strömich https://github.com/aws/containers-roadmap/issues/7
Instances running in awsvpc networking mode will have greater allotments of ENIs allowing for greater Task densities.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Great link
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Each Amazon ECS task that uses the awsvpc network mode receives its own elastic network interface (ENI), which is attached to the container instance that hosts it. There is a default limit to the number of network interfaces that can be attached to an Amazon EC2 instance, and the primary network interface counts as one. For example, by default a
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
(Via previous link)
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
And for EKS: https://github.com/aws/containers-roadmap/issues/398
We are working on the next version of the Kubernetes networking plugin for AWS. We've gotten a lot of feedback around the need for adding Kubenet and support for other CNI plugins in EKS. This …
![fast_parrot](/assets/images/custom_emojis/fast_parrot.gif)
![dalekurt avatar](https://avatars.slack-edge.com/2022-06-16/3703363393968_abccd57f2124dd3b0f25_72.jpg)
Did anyone catch today’s keynote at AWS Summit in NYC?
![dalekurt avatar](https://avatars.slack-edge.com/2022-06-16/3703363393968_abccd57f2124dd3b0f25_72.jpg)
Any thoughts on AWS CDK for IaC?
2019-07-12
![Alex Siegman avatar](https://avatars.slack-edge.com/2019-04-10/592429074434_cea95e800f54d8ea3544_72.jpg)
This just went GA today: https://aws.amazon.com/cdk/
AWS Cloud Development Kit (CDK) is a software development framework to model and provision your cloud application resources using familiar programming languages.
![Alex Siegman avatar](https://avatars.slack-edge.com/2019-04-10/592429074434_cea95e800f54d8ea3544_72.jpg)
Aiming at Terraform it seems.
![hlesta avatar](https://secure.gravatar.com/avatar/d2d6057c563dd824cde6e49bfc5d1c2d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0008-72.png)
Hello there, does someone have some experience using App Mesh with k8s, routing across different AWS accounts? I have the idea of connecting an EKS pod app with another EKS pod app in another account.
![hlesta avatar](https://secure.gravatar.com/avatar/d2d6057c563dd824cde6e49bfc5d1c2d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0008-72.png)
The request should be done on the AWS backbone without going out to the internet.
2019-07-13
![dalekurt avatar](https://avatars.slack-edge.com/2022-06-16/3703363393968_abccd57f2124dd3b0f25_72.jpg)
@hlesta You can look at using VPC peering.
![hlesta avatar](https://secure.gravatar.com/avatar/d2d6057c563dd824cde6e49bfc5d1c2d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0008-72.png)
Does it work with App Mesh? AWS support told me that it is not possible to share an App Mesh service or use it with a cross-account role.
![hlesta avatar](https://secure.gravatar.com/avatar/d2d6057c563dd824cde6e49bfc5d1c2d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0008-72.png)
Now I’m thinking that I should use Cloud Map to route internally across different accounts using a VPC link.
![hlesta avatar](https://secure.gravatar.com/avatar/d2d6057c563dd824cde6e49bfc5d1c2d.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0008-72.png)
The current account architecture is: the inbound traffic enters an account called shared services, and this traffic is routed to other accounts. But, for example, when account A with an EKS app sends traffic to EKS in account B, it should be sent using the AWS backbone instead of the internet.
2019-07-14
![David avatar](https://secure.gravatar.com/avatar/fa4b2ee58fce859255b55bde92daeaf6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
Is there a way to map port 443 on the LB to port 80 on the web server? If so, where do I make that modification?
![Alex Siegman avatar](https://avatars.slack-edge.com/2019-04-10/592429074434_cea95e800f54d8ea3544_72.jpg)
It’s on the load balancer if it’s a Classic LB; an Application Load Balancer will forward to a target group, and the target group will specify the destination port.
2019-07-15
![me1249 avatar](https://secure.gravatar.com/avatar/f6cb6f4eaeebf3d03c9fe58d86d558a0.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0024-72.png)
Check out your target group configuration
2019-07-16
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
really good article: https://medium.com/containers-on-aws/using-aws-application-load-balancer-and-network-load-balancer-with-ec2-container-service-d0cb0b1d5ae5
![attachment image](https://miro.medium.com/max/1200/1*7YzgmkYutFQ1j9AgXTlucA.png)
Amazon Web Services recently released new second generation load balancers: Application Load Balancer (ALB), and Network Load Balancer…
![daveyu avatar](https://secure.gravatar.com/avatar/8d79597556982a1205cf52c64aaa66ff.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0020-72.png)
is using an Aurora Serverless DB cluster with a Heroku app not possible because of this limitation?
You can’t give an Aurora Serverless DB cluster a public IP address. You can access an Aurora Serverless DB cluster only from within a virtual private cloud (VPC) based on the Amazon VPC service.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
That would appear to be the case. That said, you can deploy a connection proxy
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
e.g. https://github.com/CrunchyData/crunchy-proxy for postgres
PostgreSQL Connection Proxy by Crunchy Data (beta) - CrunchyData/crunchy-proxy
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
and https://github.com/mysql/mysql-proxy for mysql
MySQL Proxy is a simple program that sits between your client and MySQL server(s) and that can monitor, analyze or transform their communication. Its flexibility allows for a wide variety of uses, …
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
@daveyu actually you should also be able to create an NLB with a target group to an IP
![daveyu avatar](https://secure.gravatar.com/avatar/8d79597556982a1205cf52c64aaa66ff.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0020-72.png)
I’ll try it out. Thanks!
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Learn how to configure target groups for your Network Load Balancer.
![daveyu avatar](https://secure.gravatar.com/avatar/8d79597556982a1205cf52c64aaa66ff.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0020-72.png)
an internet-facing NLB in a public subnet with a target group of Aurora Serverless endpoint IP addresses worked. thanks @Erik Osterman (Cloud Posse)!
![daveyu avatar](https://secure.gravatar.com/avatar/8d79597556982a1205cf52c64aaa66ff.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0020-72.png)
a downside to this approach: it seems the NLB’s health checks keep “waking” the cluster, causing it to scale up with no other traffic
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Can you disable all healthchecks?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Passive health checks enable the load balancer to detect an unhealthy target before it is reported as unhealthy by the active health checks. You cannot disable, configure, or monitor passive health checks.
![daveyu avatar](https://secure.gravatar.com/avatar/8d79597556982a1205cf52c64aaa66ff.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0020-72.png)
It doesn’t look like I can.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
that’s too bad. but look at it this way… it’s a great way to keep your serverless database awake
![daveyu avatar](https://secure.gravatar.com/avatar/8d79597556982a1205cf52c64aaa66ff.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0020-72.png)
Yep. It works out fine for prod env.
![jose.amengual avatar](https://secure.gravatar.com/avatar/32f267b819eac9e0ea6a8324b53064a0.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0024-72.png)
ALB you mean?
![daveyu avatar](https://secure.gravatar.com/avatar/8d79597556982a1205cf52c64aaa66ff.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0020-72.png)
nope, network load balancer
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
@daveyu that’s awesome! glad there’s an easy/reliable/scalable workaround
2019-07-17
![Maxim Tishchenko avatar](https://secure.gravatar.com/avatar/853372c681dc96b95f42adcb88b0cb3f.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0007-72.png)
hey everyone, I have an AutomatedSnapshotFailure alarm for my Elasticsearch
but I don’t have any logs or any errors in the cluster (it is green)
does anyone know what could be a reason for AutomatedSnapshotFailure?
AutomatedSnapshotFailure = Insufficient data
2019-07-18
![Maciek Strömich avatar](https://secure.gravatar.com/avatar/98de12365b633b063e208220100d4594.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0002-72.png)
hey, is anyone using localstack’s cloudformation mocks in their local pipelines?
![chrism avatar](https://secure.gravatar.com/avatar/def6898795bf25fb843daef8faa89bb5.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
EKS is … hmm. Decided to pop an EKS cluster up via Rancher… also hmm, but with extra (no one’s tested this).
Are there any good TF setups: secure EKS with Calico network isolation and NLB? (my god, does EKS feel like it’s optimized for AWS’s wallet)
![chrism avatar](https://secure.gravatar.com/avatar/def6898795bf25fb843daef8faa89bb5.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
https://eksctl.io/ seems quite nice
![chrism avatar](https://secure.gravatar.com/avatar/def6898795bf25fb843daef8faa89bb5.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
in the world of “lets all make a new tool for every job”
![chrism avatar](https://secure.gravatar.com/avatar/def6898795bf25fb843daef8faa89bb5.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
Interesting tool; no userdata for the AMIs though, like TF
![chrism avatar](https://secure.gravatar.com/avatar/def6898795bf25fb843daef8faa89bb5.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
The spot config’s nice though
![chrism avatar](https://secure.gravatar.com/avatar/def6898795bf25fb843daef8faa89bb5.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
It’s impressive how they made cloudformation sooooooooo god damn slow
![Maciek Strömich avatar](https://secure.gravatar.com/avatar/98de12365b633b063e208220100d4594.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0002-72.png)
don’t tell me about it
![chrism avatar](https://secure.gravatar.com/avatar/def6898795bf25fb843daef8faa89bb5.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
Not being from the parallel universe that created EKS; assuming node groups are dumpable; without manually intervening via the UI like it’s 1999, is there a way to make sure nodes from the ASG are registered with the ILB? All a chap wants is (private net) ILB > (k8s workers / nginx ingress)
![chrism avatar](https://secure.gravatar.com/avatar/def6898795bf25fb843daef8faa89bb5.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
I tried the k8 ALB module; interesting but who wants to pay per ingress
![chrism avatar](https://secure.gravatar.com/avatar/def6898795bf25fb843daef8faa89bb5.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
if i lean back just hard enough I can see that terraform does what I want
![chrism avatar](https://secure.gravatar.com/avatar/def6898795bf25fb843daef8faa89bb5.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
in that it unglues the extra CloudFormation so I can do stuff that won’t evaporate
2019-07-19
![chrism avatar](https://secure.gravatar.com/avatar/def6898795bf25fb843daef8faa89bb5.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
The aws eks provider (https://github.com/terraform-aws-modules/terraform-aws-eks) is pretty nasty; luckily the cloudposse one splits it out as I like. Hate nested objects as params in modules (looking at you aws-eks); Terraform’s dog rough when it comes to isolating things. It’s nice to have a flat hierarchy of mods.
2019-07-22
![Sharanya avatar](https://avatars.slack-edge.com/2019-08-28/730147904066_371d42477a79b1177fc2_72.jpg)
looking for a way: when I have a new S3 file upload, I need Jenkins to trigger a new job. Can anyone help me out?
2019-07-23
![mmarseglia avatar](https://secure.gravatar.com/avatar/c8ab1832c60fbfb4ad8d53b64cbeabc9.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
is there a decent tool to remove all resources within an AWS account?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
there are a few of them out there
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
A tool for cleaning up your cloud accounts by nuking (deleting) all resources within it - gruntwork-io/cloud-nuke
![mmarseglia avatar](https://secure.gravatar.com/avatar/c8ab1832c60fbfb4ad8d53b64cbeabc9.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
ooh nuke
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
- Delete the state file and then nuke the account https://github.com/gruntwork-io/cloud-nuke or https://github.com/rebuy-de/aws-nuke
![mmarseglia avatar](https://secure.gravatar.com/avatar/c8ab1832c60fbfb4ad8d53b64cbeabc9.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
thank you
![mmarseglia avatar](https://secure.gravatar.com/avatar/c8ab1832c60fbfb4ad8d53b64cbeabc9.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
there are quite a few out there..
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
three that are maintained
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
![attachment image](https://techcrunch.com/wp-content/uploads/2019/06/AWS-Logo.jpg?w=631)
Here is a small but potentially handy update if you’re an AWS EC2 user. The company today launched a new feature called “EC2 Resource Optimization Recommendations,” which does exactly what the name promises. It’s not flashy, it’s not especially exciting, but it may jus…
2019-07-24
![chrism avatar](https://secure.gravatar.com/avatar/def6898795bf25fb843daef8faa89bb5.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0026-72.png)
One thing Azure does better than AWS is separate the machine from the data: I can resize a VM in Azure with a slider, and if the hardware under it’s gone to pot they’ll notify you and migrate the machine. AWS is just one big rotating middle finger to your VMs when it comes to stuff like that. Change it yourself, or we’ve murdered it, hope there wasn’t anything important on there.
![joshmyers avatar](https://avatars.slack-edge.com/2018-11-20/483958217281_8117d6f6c62807ce9912_72.jpg)
Any folks using Fargate here? Good tooling/frameworks?
![joshmyers avatar](https://avatars.slack-edge.com/2018-11-20/483958217281_8117d6f6c62807ce9912_72.jpg)
Am tempted to go with airship as it feels robust
![joshmyers avatar](https://avatars.slack-edge.com/2018-11-20/483958217281_8117d6f6c62807ce9912_72.jpg)
But also kinda like the idea of fargate-cli for unlimited staging environments
![joshmyers avatar](https://avatars.slack-edge.com/2018-11-20/483958217281_8117d6f6c62807ce9912_72.jpg)
Which means the ECS is out of Terraform control
![ciastek avatar](https://secure.gravatar.com/avatar/07a721876d92997c3e6e7c9d55eab81c.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
Don’t forget about limit of 50 Fargate tasks per region, per account.
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
Limits can be changed; Fargate is just very expensive if you’re doing 50
![Steven avatar](https://secure.gravatar.com/avatar/85c27d283a537b0c5b54590f47293fe1.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Fargate is a lot cheaper than it used to be. Fargate limits can be increased to 1000s if needed. I think I have it at 3000 in 2 accounts.
2019-07-26
![jose.amengual avatar](https://secure.gravatar.com/avatar/32f267b819eac9e0ea6a8324b53064a0.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0024-72.png)
Anyone have an idea of how to change the ECS agent Docker image directory to use something else instead of /var/lib/docker?
![github140 avatar](https://secure.gravatar.com/avatar/afcb56b638b9dc7f3541d9d13accee94.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
How about building your own AMI using Packer? The base AMI is the AWS ECS one.
![jose.amengual avatar](https://secure.gravatar.com/avatar/32f267b819eac9e0ea6a8324b53064a0.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0024-72.png)
we will do that for sure later
![jose.amengual avatar](https://secure.gravatar.com/avatar/32f267b819eac9e0ea6a8324b53064a0.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0024-72.png)
I wanted to just use an EBS volume for now
![github140 avatar](https://secure.gravatar.com/avatar/afcb56b638b9dc7f3541d9d13accee94.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0016-72.png)
The configuration has to be changed, so an AMI build is necessary.
![jose.amengual avatar](https://secure.gravatar.com/avatar/32f267b819eac9e0ea6a8324b53064a0.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0024-72.png)
cool, thanks
![jose.amengual avatar](https://secure.gravatar.com/avatar/32f267b819eac9e0ea6a8324b53064a0.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0024-72.png)
in an ECS-optimized instance the agent is already pulled and started
2019-07-28
2019-07-29
![Sharanya avatar](https://avatars.slack-edge.com/2019-08-28/730147904066_371d42477a79b1177fc2_72.jpg)
Hey folks, trying to find some Terraform modules related to the AWS AppStream service (for creating fleets and stacks); any help appreciated
2019-07-30
![Partha avatar](https://avatars.slack-edge.com/2022-08-15/3935474173206_9cc0036c15169efce65f_72.jpg)
Hi all, is there any way to set up an alert for the RDS slow query log?
![Jonathan Le avatar](https://avatars.slack-edge.com/2022-06-30/3743020264469_11185ecccf85573f89bc_72.jpg)
You can have the slow query logs go to CloudWatch Logs and then set up something to trigger off what lands in the slow query log
![Jonathan Le avatar](https://avatars.slack-edge.com/2022-06-30/3743020264469_11185ecccf85573f89bc_72.jpg)
If you forward the CloudWatch Logs to something like ELK or Splunk or Sumo, you could then set up an alert in one of those
![Jonathan Le avatar](https://avatars.slack-edge.com/2022-06-30/3743020264469_11185ecccf85573f89bc_72.jpg)
At my last startup, we ended up sending the logs to ELK and sent a Slack notification to have someone review if something was being weird. This helped us turn the bad reports around and eventually quiet the alert.
![Partha avatar](https://avatars.slack-edge.com/2022-08-15/3935474173206_9cc0036c15169efce65f_72.jpg)
How do I forward the logs to Splunk or Loggly?
![Andy avatar](https://secure.gravatar.com/avatar/7a2f84ace90c29955902cae67ef13ee3.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0025-72.png)
Lambda functions are just another great tool provided by AWS to solve issues in a modern way! Using Lambda functions, you can run a microservice without needing to have a server and think about how to configure and maintain it! There are lots of use cases for Lambda functions; here I used it to implement a service which sends alerts in case there is a slow query running in RDS. Of course slow queries are important for developers, as it helps them to debug better and improve the performance of the application. You can find the code here, but there are some other things to be considered: As you may know, there are some ways to trigger a Lambda function. In this case, using CloudWatch Events to schedule it periodically makes sense. The Lambda function should have some permissions to get RDS logs and send alerts using SNS. To find out how to define the required rules, please see this AWS documentation. You are also asked to do this when creating the Lambda function. There is a parameter named ‘distinguisher’ which is actually the keyword specifying the occurrence of a slow query. For ‘Postgresql’ RDS it can be ‘ The Parameter Group in RDS should be configured to log slow queries. To know how to do this please see the AWS documentation or this guide: Enabling slow query log on Amazon RDS
![Partha avatar](https://avatars.slack-edge.com/2022-08-15/3935474173206_9cc0036c15169efce65f_72.jpg)
Thank you so much. Let me work on it.
2019-07-31
![Ruan Arcega avatar](https://avatars.slack-edge.com/2019-06-28/682016987190_83da81f915037f35f3ec_72.png)
Hi guys, I have one question about authentication and authorization with EKS. I'll try to explain my pain…
We have all users and groups centralized in Google G Suite, and I am looking for some way to connect G Suite users/groups to EKS. Managing auth is painful, I want to keep using Google G Suite, and I am thinking about and looking at this solution, which I don't know whether it works: try using AWS Cognito (as identity management) + aws-iam-authenticator in EKS.
Why AWS Cognito? G Suite uses the SAML pattern, and AWS Cognito has the possibility to connect with SAML providers.
I am accepting solutions to get users/groups from Google G Suite and use them in EKS! Does anyone have some experience with EKS authentication?
![mumoshu avatar](https://secure.gravatar.com/avatar/8e045bf747ca7a90b1d955dc30217271.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
AWS has an API called AssumeRoleWithSAML that should work with any IdP that supports SAML.
That said, I think you can connect G Suite directly to AWS so that the G Suite user name user@yourdomain is accessible via {{SessionName}} in the iam authenticator config (https://github.com/kubernetes-sigs/aws-iam-authenticator#full-configuration-format), which frees you from creating a 1-to-1 mapping of your G Suite user to EKS user
![mumoshu avatar](https://secure.gravatar.com/avatar/8e045bf747ca7a90b1d955dc30217271.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
Actually I’m using OneLogin as a SAML IdP instead of G Suite. All I need in the iam authenticator config is several mapRoles entries, one per IAM role:

```yaml
mapRoles:
  - roleARN: arn:aws:iam::000000000000:role/Developer
    username: developer:{{SessionName}}
    groups:
      - developers
  - roleARN: arn:aws:iam::000000000000:role/Admin
    username: admin:{{SessionName}}
    groups:
      - admins
```

The username is translated to something like admin:<my email provided by the IdP via SAML, e.g. [email protected]>
![Ruan Arcega avatar](https://avatars.slack-edge.com/2019-06-28/682016987190_83da81f915037f35f3ec_72.png)
Thanks @mumoshu for your reply. I was lost looking at many solutions; I guess your suggestion is good, but I have one issue now… using aws-iam-authenticator I have to configure an identity provider in the IAM Console. Up to this step it's OK.
In the SAML settings I have to set up some parameters like: Single sign-on URL, Audience URI (SP Entity ID). I have not found the Single sign-on URL, for example, after configuring it in the IAM Console.
For these reasons I am looking at AWS Cognito… After the step above is resolved, I can configure aws-iam-authenticator as you showed me…
![Blaise Pabon avatar](https://secure.gravatar.com/avatar/6540d57ecbbbebc740a33d507aa085ad.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0004-72.png)
It depends a bit on where you want to consolidate… For example @mumoshu uses OneLogin to handle all the identities, other people might use Okta. I use G Suite because most of my apps are based there, so when I run GitLab in EC2, I use Google omniauth.
I think Cognito is good if you have lots of apps in your EKS that require auth, because you can create a Cognito pool and it will create the session tokens for them. However, if those apps are already using Google as IdP, then there is little sense in duplicating.