Closed wanghong230 closed 6 years ago
I am having a very similar issue.
double check the name of your bucket!
+1 with the same issue...
Same issue I'm facing.
I got past it by adding a bucket policy just so it allows getBucketLocation
@niroliyanage can you share the bucket policy please?
/close see #5622
@niroliyanage I got this too, but I can't get it passed by adding getBucketLocation permission to policy. Still encountered something like:
Could not retrieve location for AWS bucket xxxx-xxxx-xxx
@niroliyanage Actually I resolved the above issue, but can't seem to export the config from the S3. Encountered:
kops export kubecfg --name=xxxxxxx --state s3://xxxxxxx
W0828 19:28:23.122657 43048 create_kubecfg.go:75] Did not find API endpoint for gossip hostname; may not be able to reach cluster
@berniechiu I ran into the exact error. I found my problem and fixed it. You can check if the root cause is the same.
Basically when I ask kops to generate a kubecfg for a gossip-based cluster, it will try to use the AWS API to get your ELB public DNS name. My problem is that the user that runs kops export kubecfg does not have enough permission to do so.
I ended up putting read/list permissions for s3/ec2/r53/elb in an IAM policy and attached the policy to the user who runs kops commands. The policy is not minimally permissive, so it could be improved.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucketByTags",
        "s3:GetLifecycleConfiguration",
        "s3:GetBucketTagging",
        "s3:GetInventoryConfiguration",
        "s3:GetObjectVersionTagging",
        "s3:ListBucketVersions",
        "s3:GetBucketLogging",
        "s3:ListBucket",
        "s3:GetAccelerateConfiguration",
        "s3:GetBucketPolicy",
        "s3:GetObjectVersionTorrent",
        "s3:GetObjectAcl",
        "s3:GetEncryptionConfiguration",
        "s3:GetBucketRequestPayment",
        "s3:GetObjectVersionAcl",
        "s3:GetObjectTagging",
        "s3:GetMetricsConfiguration",
        "s3:GetIpConfiguration",
        "s3:ListBucketMultipartUploads",
        "s3:GetBucketWebsite",
        "s3:GetBucketVersioning",
        "s3:GetBucketAcl",
        "s3:GetBucketNotification",
        "s3:GetReplicationConfiguration",
        "s3:ListMultipartUploadParts",
        "s3:GetObject",
        "s3:GetObjectTorrent",
        "s3:GetBucketCORS",
        "s3:GetAnalyticsConfiguration",
        "s3:GetObjectVersionForReplication",
        "s3:GetBucketLocation",
        "s3:GetObjectVersion"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:HeadBucket"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeVolumesModifications",
        "ec2:GetHostReservationPurchasePreview",
        "ec2:DescribeSnapshots",
        "ec2:DescribePlacementGroups",
        "ec2:GetConsoleScreenshot",
        "ec2:DescribeHostReservationOfferings",
        "ec2:DescribeInternetGateways",
        "ec2:GetLaunchTemplateData",
        "ec2:DescribeVolumeStatus",
        "ec2:DescribeScheduledInstanceAvailability",
        "ec2:DescribeSpotDatafeedSubscription",
        "ec2:DescribeVolumes",
        "ec2:DescribeFpgaImageAttribute",
        "ec2:DescribeExportTasks",
        "ec2:DescribeAccountAttributes",
        "ec2:DescribeNetworkInterfacePermissions",
        "ec2:DescribeReservedInstances",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeNetworkAcls",
        "ec2:DescribeRouteTables",
        "ec2:DescribeReservedInstancesListings",
        "ec2:DescribeEgressOnlyInternetGateways",
        "ec2:DescribeSpotFleetRequestHistory",
        "ec2:DescribeLaunchTemplates",
        "ec2:DescribeVpcClassicLinkDnsSupport",
        "ec2:DescribeVpnConnections",
        "ec2:DescribeSnapshotAttribute",
        "ec2:DescribeVpcPeeringConnections",
        "ec2:DescribeReservedInstancesOfferings",
        "ec2:DescribeIdFormat",
        "ec2:DescribeVpcEndpointServiceConfigurations",
        "ec2:DescribePrefixLists",
        "ec2:GetReservedInstancesExchangeQuote",
        "ec2:DescribeVolumeAttribute",
        "ec2:DescribeInstanceCreditSpecifications",
        "ec2:DescribeVpcClassicLink",
        "ec2:DescribeImportSnapshotTasks",
        "ec2:DescribeVpcEndpointServicePermissions",
        "ec2:GetPasswordData",
        "ec2:DescribeScheduledInstances",
        "ec2:DescribeImageAttribute",
        "ec2:DescribeVpcEndpoints",
        "ec2:DescribeReservedInstancesModifications",
        "ec2:DescribeElasticGpus",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpnGateways",
        "ec2:DescribeMovingAddresses",
        "ec2:DescribeAddresses",
        "ec2:DescribeInstanceAttribute",
        "ec2:DescribeRegions",
        "ec2:DescribeFlowLogs",
        "ec2:DescribeDhcpOptions",
        "ec2:DescribeVpcEndpointServices",
        "ec2:DescribeSpotInstanceRequests",
        "ec2:DescribeVpcAttribute",
        "ec2:GetConsoleOutput",
        "ec2:DescribeSpotPriceHistory",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeNetworkInterfaceAttribute",
        "ec2:DescribeVpcEndpointConnections",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeHostReservations",
        "ec2:DescribeIamInstanceProfileAssociations",
        "ec2:DescribeTags",
        "ec2:DescribeLaunchTemplateVersions",
        "ec2:DescribeBundleTasks",
        "ec2:DescribeIdentityIdFormat",
        "ec2:DescribeImportImageTasks",
        "ec2:DescribeClassicLinkInstances",
        "ec2:DescribeNatGateways",
        "ec2:DescribeCustomerGateways",
        "ec2:DescribeVpcEndpointConnectionNotifications",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSpotFleetRequests",
        "ec2:DescribeHosts",
        "ec2:DescribeImages",
        "ec2:DescribeFpgaImages",
        "ec2:DescribeSpotFleetInstances",
        "ec2:DescribeSecurityGroupReferences",
        "ec2:DescribeVpcs",
        "ec2:DescribeConversionTasks",
        "ec2:DescribeStaleSecurityGroups"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "route53:ListTrafficPolicyInstances",
        "route53:GetTrafficPolicyInstanceCount",
        "route53:GetChange",
        "route53:ListTrafficPolicyVersions",
        "route53:TestDNSAnswer",
        "route53:GetHostedZone",
        "route53:GetHealthCheck",
        "route53:ListHostedZonesByName",
        "route53:ListQueryLoggingConfigs",
        "route53:GetCheckerIpRanges",
        "route53:ListTrafficPolicies",
        "route53:ListResourceRecordSets",
        "route53:ListGeoLocations",
        "route53:GetTrafficPolicyInstance",
        "route53:GetHostedZoneCount",
        "route53:GetHealthCheckCount",
        "route53:GetQueryLoggingConfig",
        "route53:ListReusableDelegationSets",
        "route53:GetHealthCheckLastFailureReason",
        "route53:GetHealthCheckStatus",
        "route53:ListTrafficPolicyInstancesByHostedZone",
        "route53:ListHostedZones",
        "route53:ListVPCAssociationAuthorizations",
        "route53:GetReusableDelegationSetLimit",
        "route53:GetReusableDelegationSet",
        "route53:ListTagsForResource",
        "route53:ListTagsForResources",
        "route53:GetAccountLimit",
        "route53:ListTrafficPolicyInstancesByPolicy",
        "route53:ListHealthChecks",
        "route53:GetGeoLocation",
        "route53:GetHostedZoneLimit",
        "route53:GetTrafficPolicy"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticloadbalancing:DescribeLoadBalancerAttributes",
        "elasticloadbalancing:DescribeSSLPolicies",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeTargetGroupAttributes",
        "elasticloadbalancing:DescribeListeners",
        "elasticloadbalancing:DescribeTags",
        "elasticloadbalancing:DescribeAccountLimits",
        "elasticloadbalancing:DescribeTargetHealth",
        "elasticloadbalancing:DescribeTargetGroups",
        "elasticloadbalancing:DescribeListenerCertificates",
        "elasticloadbalancing:DescribeRules",
        "elasticloadbalancing:DescribeLoadBalancerPolicies",
        "elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
        "elasticloadbalancing:DescribeInstanceHealth"
      ],
      "Resource": "*"
    }
  ]
}
```
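The two questions this thread keeps circling are whether the identity running kops actually holds s3:GetBucketLocation on the state bucket, and whether the policy attached to it is really read-only. The checker below is an added example, not code from this thread or from the kops project: it validates a policy document as strict JSON (a trailing comma like the one in the posted policy is rejected by IAM), evaluates an action against a resource with the core IAM rule (implicit deny, Allow grants, explicit Deny wins), and lists any allowed action whose verb is not Get/List/Describe/Head. The sample policy, the bucket name kops-state-example and the helper kops_export_readiness are constructed for illustration; Condition, NotAction, NotResource and bucket (resource-based) policies are deliberately not modelled.

```python
import fnmatch
import json

# Constructed sample policy (not the one posted in the thread): a trimmed
# read-only policy scoped to a hypothetical kops state bucket, plus an
# explicit Deny to show that Deny overrides Allow in the evaluation below.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:GetObject", "s3:GetBucketLocation"],
         "Resource": ["arn:aws:s3:::kops-state-example",
                      "arn:aws:s3:::kops-state-example/*"]},
        {"Effect": "Allow",
         "Action": ["ec2:Describe*", "elasticloadbalancing:Describe*",
                    "route53:Get*", "route53:List*"],
         "Resource": "*"},
        {"Effect": "Deny",
         "Action": "s3:GetBucketLocation",
         "Resource": "arn:aws:s3:::other-bucket"},
    ],
})

READ_ONLY_VERB_PREFIXES = ("Get", "List", "Describe", "Head")


def validate_policy_json(text):
    """Return None if `text` is strict JSON, else the parser's message.

    IAM rejects non-strict documents; "Resource": ["*",] is the kind of slip
    this catches before the policy is ever uploaded.
    """
    try:
        json.loads(text)
    except json.JSONDecodeError as exc:
        return str(exc)
    return None


def _as_list(value):
    """IAM lets Action/Resource/Statement be a string/dict or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _iter_statements(policy):
    for stmt in _as_list(policy.get("Statement")):
        yield (stmt.get("Effect"), _as_list(stmt.get("Action")),
               _as_list(stmt.get("Resource")))


def action_allowed(policy, action, resource="*"):
    """Simplified identity-policy evaluation for one action/resource pair.

    Implicit deny by default, any matching Allow grants, any matching explicit
    Deny wins. Wildcards in Action/Resource are matched with fnmatch, which is
    close enough to IAM's '*' semantics for an offline pre-check (simplification).
    """
    allowed = False
    for effect, actions, resources in _iter_statements(policy):
        action_hit = any(fnmatch.fnmatchcase(action, p) for p in actions)
        resource_hit = any(fnmatch.fnmatchcase(resource, p) for p in resources)
        if not (action_hit and resource_hit):
            continue
        if effect == "Deny":
            return False
        if effect == "Allow":
            allowed = True
    return allowed


def non_read_only_actions(policy):
    """Allowed actions whose verb is not Get/List/Describe/Head (or is '*')."""
    flagged = set()
    for effect, actions, _ in _iter_statements(policy):
        if effect != "Allow":
            continue
        for act in actions:
            _service, _, verb = act.partition(":")
            if not verb or not verb.startswith(READ_ONLY_VERB_PREFIXES):
                flagged.add(act)
    return sorted(flagged)


def kops_export_readiness(policy_text, state_bucket, cluster_name):
    """Hypothetical helper: does this policy cover the reads the thread hit?

    The state-bucket lookup needs s3:GetBucketLocation on the bucket ARN, the
    config read needs s3:GetObject on BUCKET/CLUSTER/config, and a gossip
    cluster additionally describes ELBs to learn the API endpoint.
    """
    err = validate_policy_json(policy_text)
    if err:
        return {"valid_json": False, "error": err}
    policy = json.loads(policy_text)
    bucket_arn = f"arn:aws:s3:::{state_bucket}"
    config_arn = f"{bucket_arn}/{cluster_name}/config"
    return {
        "valid_json": True,
        "bucket_location": action_allowed(policy, "s3:GetBucketLocation", bucket_arn),
        "list_bucket": action_allowed(policy, "s3:ListBucket", bucket_arn),
        "read_objects": action_allowed(policy, "s3:GetObject", config_arn),
        "describe_elb": action_allowed(policy, "elasticloadbalancing:DescribeLoadBalancers"),
        "non_read_only": non_read_only_actions(policy),
    }


if __name__ == "__main__":
    print(json.dumps(kops_export_readiness(SAMPLE_POLICY, "kops-state-example", "k8s.local"), indent=2))
    print(validate_policy_json('{"Resource": ["*",]}'))
```

Run it against the JSON you are about to attach (read the file into policy_text) and the state bucket from your --state flag; a False in bucket_location is the offline counterpart of "Could not retrieve location for AWS bucket", and a non-empty non_read_only list means the policy grants more than the export step needs.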
@tonysickpony Thx
I also came up with my final solution for a restricted role here ha!
https://github.com/kubernetes/kops/issues/1873#issuecomment-418012198
double check the name of your bucket! Thanks! XD
------------- BUG REPORT TEMPLATE --------------------
1. What kops version are you running? The command kops version will display this information.
Version 1.8.1 (git-94ef202)
2. What Kubernetes version are you running? kubectl version will print the version if a cluster is running or provide the Kubernetes version specified as a kops flag.
Kubernetes 1.10. I am installing, so it is not related here.
3. What cloud provider are you using?
AWS
4. What commands did you run? What is the simplest way to reproduce this issue?
We are running it inside an EC2 instance in a separate AWS account to deploy a cluster in another AWS account; the cross-account access is configured and tested via the AWS CLI.
5. What happened after the commands executed?
error reading cluster configuration "CLUSTER": error reading s3://BUCKET/CLUSTER/config: Could not retrieve location for AWS bucket BUCKET
aws s3 ls can list the bucket and access the account buckets
6. Please provide your cluster manifest. Execute kops get --name my.example.com -oyaml to display your cluster manifest. You may want to remove your cluster name and other sensitive information.
This issue is before having the configuration file.
7. Please run the commands with most verbose logging by adding the -v 10 flag. Paste the logs into this report, or in a gist and provide the gist link here.
See 5.