Panorama Test Utility environment setup from github aws-samples: CloudFormation template provided fails after modifying


I have started my Panorama journey with a Lenovo ThinkEdge SE70; my region: ca-central-1

I want to launch the EC2 env using the: 'Test Utility environment setup' in aws-samples, in my region: ca-central-1:

  • Test Utility
  • I have copied the CloudFormation (CF) template from the us-east-1 launch stack to my local workstation, honored the listed prerequisites from that GitHub page, and modified the template to include my subscription entry for the ARM machine image; validated it via the AWS CLI and created the stack, etc.:
  • aws cloudformation validate-template --template-body file://./panorama-starter-kit-mod-cac1.yaml

  • aws cloudformation create-stack --region ca-central-1 --template-body file://.//panorama-starter-kit-mod-cac1.yaml --stack-name mxr-panorama-arm-ec2-instance-cac1 --capabilities CAPABILITY_NAMED_IAM

  • switched to the AWS console to monitor events in the launch; 2 failures follow:

Any Panorama environment guidance would be appreciated. I am a noob, but am confused as to why a CF template which is part of the AWS Panorama support utility would fail in this tag-workaround fashion. As a noob, I do not have CF expertise either. I have looked for a more prescriptive AWS Panorama workshop (similar to the IoT Core workshops with CF templates), but have not found any. I would like to use the 'Test Utility' to remote into my Panorama SE70 appliance, etc.

Maybe the sentiment for going forward is: " ... yah, the Panorama Test Utility CF template needs a workaround - therefore, build out your ARM EC2 instance manually, etc"

I added the LaunchTemplate entries as suggested in the re:Post above to my current template, but do not quite understand the rationale. This is my template:

AWSTemplateFormatVersion: '2010-09-09'
Description: EC2 instance
Parameters:
  KeyName:
    Description: Name of an existing EC2 KeyPair to enable SSH access to the instance
    Type: AWS::EC2::KeyPair::KeyName
    ConstraintDescription: must be the name of an existing EC2 KeyPair.
    Default: mxr-panorama-stack-ec2
  InstanceType:
    Description: WebServer EC2 instance type
    Type: String
    Default: t4g.2xlarge
    AllowedValues:
    - t4g.2xlarge
    - t4g.micro
    - t4g.xlarge
  SSHLocation:
    Description: The IP address range that can be used to SSH to the EC2 instances
    Type: String
    MinLength: 9
    MaxLength: 18
    Default: 0.0.0.0/0
    AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})
    ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x.
Mappings:
  RegionMap:
    ca-central-1:
      id: ami-00364bfa0dbeb5e09
    us-east-1:
      id: ami-01747bf371bd30817
    us-east-2:
      id: ami-01747bf371bd30817
    us-west-2:
      id: ami-0a8e148ec03558c68
    eu-central-1:
      id: ami-01747bf371bd30817
    eu-west-1:
      id: ami-01747bf371bd30817
    ap-northeast-1:
      id: ami-01747bf371bd30817
Resources:
  ec2Instance:
    Type: AWS::EC2::Instance
    Properties:
      LaunchTemplate:
        LaunchTemplateId: !Ref RequiredTagsLaunchTemplate
        Version: 1
      InstanceType: !Ref InstanceType
      SecurityGroups: [!Ref 'ec2SecurityGroup']
      KeyName: !Ref KeyName
      ImageId: !FindInMap
        - RegionMap
        - !Ref AWS::Region
        - id
      IamInstanceProfile: !Ref ec2InstanceProfile
      BlockDeviceMappings:
        - DeviceName: /dev/sda1
          Ebs:
            VolumeSize: 500
      UserData:
        Fn::Base64: !Sub |
                #!/bin/bash -xe

                HOME=/home/ubuntu
                echo $HOME > $HOME/user_data.txt

                apt -y update && apt -y upgrade
                apt-get -y install wget build-essential checkinstall
                apt-get install -y libreadline-gplv2-dev libncursesw5-dev libssl-dev \
                    libsqlite3-dev tk-dev libgdbm-dev libc6-dev libbz2-dev libffi-dev zlib1g-dev
                apt-get install python3-dev python3-pip python3-numpy -y

                ... etc ...

                jupyter notebook --generate-config

                ... etc ...

                apt  install docker.io -y
                aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin 500245141608.dkr.ecr.us-west-2.amazonaws.com

                echo "INSTALLATION COMPLETE" > $HOME/INSTALLATION_COMPLETE.txt


  RequiredTagsLaunchTemplate:
    Type: 'AWS::EC2::LaunchTemplate'
    Properties:
      LaunchTemplateData:
        TagSpecifications:
          - ResourceType: volume
            Tags:
              - Key: Env
                Value: Dev



  ec2SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Enable SSH access via port 22
      SecurityGroupIngress:
      - IpProtocol: "tcp"
        CidrIp: "0.0.0.0/0"
        FromPort: "22"
        ToPort: "22"
      - IpProtocol: "tcp"
        CidrIp: "0.0.0.0/0"
        FromPort: "8888"
        ToPort: "8888"
  ec2Role:
    Type: AWS::IAM::Role
    Properties:
      ManagedPolicyArns:
      - arn:aws:iam::aws:policy/AmazonS3FullAccess
      - arn:aws:iam::aws:policy/CloudWatchAgentAdminPolicy
      - arn:aws:iam::aws:policy/AWSCloudFormationReadOnlyAccess
      - arn:aws:iam::aws:policy/AmazonSageMakerFullAccess
      - arn:aws:iam::aws:policy/AmazonRekognitionFullAccess
      - arn:aws:iam::aws:policy/IAMFullAccess
      - arn:aws:iam::aws:policy/AWSPanoramaFullAccess
      AssumeRolePolicyDocument: |
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Action": [
                "sts:AssumeRole"
              ],
              "Effect": "Allow",
              "Principal": {
                "Service": [
                  "ec2.amazonaws.com",
                  "s3.amazonaws.com",
                  "cloudwatch-crossaccount.amazonaws.com",
                  "cloudformation.amazonaws.com",
                  "member.org.stacksets.cloudformation.amazonaws.com",
                  "sagemaker.amazonaws.com",
                  "rekognition.amazonaws.com",
                  "iam.amazonaws.com",
                  "panorama.amazonaws.com"
                ]
              }
            }
          ]
        }
  ec2InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: /
      Roles:
        - !Ref ec2Role
Outputs:
  publicName:
    Description: Public DNSName of the EC2 instance
    Value: !GetAtt [ec2Instance, PublicDnsName]
  publicIp:
    Description: Public IP address of the EC2 instance
    Value: !GetAtt [ec2Instance, PublicIp]
1 Answer

Hello,

From your query, I understand that you are trying to launch an EC2 environment using the 'Test Utility Environment Setup' from the aws-samples GitHub repo in your region ‘ca-central-1’. You have modified the template and deployed the stack, but you got the following errors during the stack deployment:

  • Did not have IAM permissions to process tags on AWS::EC2::Instance resource.
  • API: ec2:RunInstances You are not authorized to perform this operation. Encoded authorization failure message:

You have already followed the AWS link [1] to remediate the error, but the solutions didn’t help. You have admin permissions but you are still getting the error. There could be an explicit deny for the IAM role/user you are using to perform the operation, and this needs to be checked.

Regarding the error “API: ec2:RunInstances You are not authorized to perform this operation. Encoded authorization failure message:”: this error indicates that the AWS Identity and Access Management (IAM) role or user trying to perform the operation does not have the required permissions. The error involves an encoded message, which needs to be decoded to check the missing permissions. Please use the AWS CLI [2] to decode the message. Due to security reasons we are unable to decode these messages. Run the following command to decode the error message:

————————

aws sts decode-authorization-message --encoded-message ENCODED_MESSAGE_HERE

————————

Please refer to AWS link [3] for more information.

Once you have fixed the permissions after decoding the message, try to perform the deployment again. If you are still facing any issue, then, to answer your question, we require details that are non-public information. Please open a support case with AWS using the following link: https://support.console.aws.amazon.com/support/home#/case/create

References:

[1] https://repost.aws/knowledge-center/cloudformation-ec2-iam-runinstances

[2] https://docs.aws.amazon.com/cli/latest/reference/sts/decode-authorization-message.html

[3] https://repost.aws/knowledge-center/ec2-not-auth-launch

AWS
SUPPORT ENGINEER
answered a year ago
  • Thanks for your suggestions. I decoded the message, but it does not tell me anything new: "admin-user" does not have permission to perform the ec2:RunInstances action on the arn:aws:ec2:ca-central-1:208598130076:volume/*. This admin-user has been set up with wild-card role/policy during debug, on the services used (ec2, cloudformation, admin permissions, etc.).

    I am able to launch the ARM AMI subscription ec2 in my region using the console wizard.

    Are others aware of a low-friction path to setting up a Panorama virtual environment? The purpose of the template above is to set up a Jupyter notebook environment on an ARM EC2 instance. Any suggestions from Jupyter experts?
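The decode step the answer describes and the result the comment reports, as an added example that is not part of the original thread: this script reads the JSON that `aws sts decode-authorization-message` prints (a constructed sample here, with a placeholder account id and principal) and pulls out the fields that decide the triage: whether a Deny matched or simply no Allow did, which principal, action and resource were evaluated, and the condition context keys (the Env tag mirrors the volume tag the poster's launch template adds).

```python
"""Summarise the output of `aws sts decode-authorization-message` (constructed sample)."""
import json

# Constructed stand-in for what the CLI prints. The DecodedMessage value is
# itself a JSON document serialised as a string, hence the double json.dumps.
SAMPLE_CLI_OUTPUT = json.dumps({
    "DecodedMessage": json.dumps({
        "allowed": False,
        "explicitDeny": False,
        "matchedStatements": {"items": []},
        "failures": {"items": []},
        "context": {
            "principal": {"id": "AIDAEXAMPLEID", "arn": "arn:aws:iam::111122223333:user/admin-user"},
            "action": "ec2:RunInstances",
            "resource": "arn:aws:ec2:ca-central-1:111122223333:volume/*",
            "conditions": {"items": [
                {"key": "ec2:Region", "values": {"items": [{"value": "ca-central-1"}]}},
                {"key": "aws:RequestTag/Env", "values": {"items": [{"value": "Dev"}]}},
            ]},
        },
    })
})


def summarize_decoded_message(cli_output: str) -> dict:
    """Flatten the nested message into the fields needed to triage a denial."""
    decoded = json.loads(json.loads(cli_output)["DecodedMessage"])
    ctx = decoded.get("context", {})
    # Condition keys carry the request context (region, request tags, ...) that
    # policy conditions were evaluated against; flatten them to key -> values.
    conditions = {
        item["key"]: [v["value"] for v in item["values"]["items"]]
        for item in ctx.get("conditions", {}).get("items", [])
    }
    if decoded.get("explicitDeny"):
        verdict = "explicit deny: a Deny statement matched"
    elif not decoded.get("matchedStatements", {}).get("items"):
        verdict = "implicit deny: no statement allows this action on this resource"
    else:
        verdict = "denied although statements matched: inspect matchedStatements"
    return {
        "allowed": bool(decoded.get("allowed", False)),
        "verdict": verdict,
        "principal": ctx.get("principal", {}).get("arn"),
        "action": ctx.get("action"),
        "resource": ctx.get("resource"),
        "conditions": conditions,
    }
```

Replace SAMPLE_CLI_OUTPUT with the real CLI output; the resource field is where the poster's decoded message named the volume/* ARN, and the conditions field shows which request tags were in play when that resource was evaluated.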
