By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Why doesn't ec2-instance-connect work on AWS-Parallel-Cluster

0

I know Parallel Cluster3 doesn't officially support ec2-instance-connect and SSM but I'm trying to figure out why. It seems to be failing in /usr/share/ec2-instance-connect/eic_curl_authorized_keys more accurately, it fails when it tries to fetch instance metadata. In that script calling /usr/bin/curl 169.254.169.254/latest/meta-data/ returns nothing When logged in the instance using pcluster ssh, it returns the expected data.

How does this happen?

Thanks.

Tags
AWS ParallelCluster
Language
English
Louis Letourneau
asked 2 years ago320 views
1 Answer
0

Finally figured it out. There are iptables rules on parallel-cluster

$ sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N PARALLELCLUSTER_IMDS
-A OUTPUT -d 169.254.169.254/32 -j PARALLELCLUSTER_IMDS
-A OUTPUT -d 169.254.169.254/32 -m owner --uid-owner 129 -j ACCEPT
-A PARALLELCLUSTER_IMDS -d 169.254.169.254/32 -m owner --uid-owner 0 -j ACCEPT
-A PARALLELCLUSTER_IMDS -d 169.254.169.254/32 -m owner --uid-owner 400 -j ACCEPT
-A PARALLELCLUSTER_IMDS -d 169.254.169.254/32 -m owner --uid-owner 1000 -j ACCEPT
-A PARALLELCLUSTER_IMDS -d 169.254.169.254/32 -j REJECT --reject-with icmp-port-unreachable

This blocks the ec2-instance-connect user from accessing the meta-data

Louis Letourneau
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content