aws-solutions / workload-discovery-on-aws

Workload Discovery on AWS is a solution to visualize AWS Cloud workloads. With it you can build, customize, and share architecture diagrams of your workloads based on live data from AWS. The solution maintains an inventory of the AWS resources across your accounts and regions, mapping their relationships and displaying them in the user interface.
https://aws.amazon.com/solutions/implementations/workload-discovery-on-aws/
Apache License 2.0

WebUiUrl is not accessible after deploying the solution stack #548

Open awscoe opened 1 month ago

awscoe commented 1 month ago

Feature name: WebUiUrl is not accessible after deploying the solution stack

Is your feature request related to a problem? Please describe: WebUiUrl is not accessible after deploying the solution stack: https://d3mjzdvwbwcshm.cloudfront.net/

I need assistance to complete my post deployment steps to use the solution in our environment.

Error:

AccessDenied User: arn:aws:sts::856369053181:assumed-role/OriginAccessControlRole/EdgeCredentialsProxy+EdgeHostAuthenticationClient-DEL54-P7 is not authorized to perform: kms:Decrypt on the resource associated with this ciphertext because the resource does not exist in this Region, no resource-based policies allow access, or a resource-based policy explicitly denies access AAFAS781YFYA8TXA vv0H8OFH6HHEVaqFPV/rL3q+OEIkYZpA5uHSsUTKYqKTnEsAbWsOVl9C1GUnwsSnLyJzjMA3hQ4=


awscoe commented 1 month ago

I have deployed the solution stack in us-east-2 (Ohio) and CloudFront is also deployed in the same region. Is there any region restriction for CloudFront? Can you please share your e-mail ID so that I can show you the error that I am facing for WebUiUrl?

svozza commented 1 month ago

I have never seen an error like this before, but it looks like it could be an SCP associated with the account that Workload Discovery was deployed to. The role arn:aws:sts::856369053181:assumed-role/OriginAccessControlRole/EdgeCredentialsProxy+EdgeHostAuthenticationClient-DEL54-P7 is not deployed by the solution. As you can see here, there is no role associated with the AWS::CloudFront::OriginAccessControl resource provisioned by CloudFormation: https://github.com/aws-solutions/workload-discovery-on-aws/blob/3a7e39605e0937f3c14a34c8230f8ac80fbeadfd/source/cfn/templates/webui.template#L43.

awscoe commented 1 month ago

Hi Stefano, thanks for the update. Quick questions:

  1. Is there any region restriction for CloudFront if I have deployed the Workload Discovery Solution stack in us-east-2 (Ohio)?
  2. Can this solution be deployed in CloudFront US-East-2?

Please confirm.

Regards, Dalkeshwar Prasad

svozza commented 1 month ago

I'm not sure what you mean by deploying CloudFront in us-east-2? CloudFront is a global service so it doesn't have a region associated with it. The solution can be deployed in us-east-2; I have done so many times before. A list of the supported regions can be seen in the documentation: https://docs.aws.amazon.com/solutions/latest/workload-discovery-on-aws/supported-aws-regions.html.