Compute

I am trying to write a permission boundary policy that allows developers to create personal IAM roles that are only allowed to pass themselves to EC2 instances. I'm not seeing an obvious way to write a general purpose policy for this I tried interpolating the role ARN in the resource field, which didn't work because the field only allows using policy variables in the final segment of the ARN. ``` { "Effect": "Allow", "Action": "iam:PassRole", "Resource": "${aws:PrincipalArn}" } ``` There doesn't seem to be a way to either retrieve the role **name** for use in the resource field, or the target role ARN for use in a condition statement. Thanks P.S. I realize I could create a set of policies that each hardcode the name of the role, but I am hoping to write just a single more flexible policy because I want to use it as a permissions boundary.lg...

I rec'd the notice regarding [ the deprecation of Launch Configurations](https://aws.amazon.com/blogs/compute/amazon-ec2-auto-scaling-will-no-longer-add-support-for-new-ec2-features-to-launch-configurations/) at the end of 2022. The notice states that: > **You can *continue* using launch configurations**, and AWS is committed to supporting applications you have already built using them, but in order for you to take advantage of our most recent and upcoming releases, a migration to launch templates is recommended. Additionally, we plan to no longer support ***new* instance types** with launch configurations by the end of 2022. Does this mean that my ability to use and create new Launch Configurations will continue to work as they do now, but only that any new instance **types** that are introduced in the future are not supported? By "type" I assume that means a new instance type class that currently doesn't exist (e.g. "t3**b**"). Thanks for your help!lg...

We have migrated a lambda from AWS Greengrass v1 to AWS Greengrass v2. This lambda needs to extract and decrypt a secret from Greengrass Core. How can we authorize the component to perform IPC permissions to the lambda for that? Regular components recipes have the option `ComponentConfiguration/DefaultConfiguration/accessControl`. However when we build the component out of a lambda using AWS CLI [create-component-version](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/greengrassv2/create-component-version.html) and option `--lambda-function`, there is no option to assign authorization policies. One way we tried to make it work is by using a *merge update* in our deployment (as documented [here](https://docs.aws.amazon.com/greengrass/v2/developerguide/ipc-secret-manager.html)). ``` "accessControl": { "aws.greengrass.SecretManager": { "<my-component>:secrets:1": { "policyDescription": "Credentials for server running on edge.", "operations": [ "aws.greengrass#GetSecretValue" ], "resources": [ "arn:aws:secretsmanager:us-east-1:<account-id>:secret:xxxxxxxxxx" ] } } } ``` However the end recipe of the component (in the deployment) does not display the `accessControl` (AWS Greengrass Console), so we assume it has not been *merge updated.* ``` ... "ComponentConfiguration": { "DefaultConfiguration": { "lambdaExecutionParameters": { "EnvironmentVariables": { "LOG_LEVEL": "DEBUG" } }, "containerParams": { "memorySize": 16384, "mountROSysfs": false, "volumes": {}, "devices": {} }, "containerMode": "NoContainer", "timeoutInSeconds": 30, "maxInstancesCount": 10, "inputPayloadEncodingType": "json", "maxQueueSize": 200, "pinned": false, "maxIdleTimeInSeconds": 30, "statusTimeoutInSeconds": 30, "pubsubTopics": { "0": { "topic": "dt/app/+/status/update", "type": "PUB_SUB" } } } }, ``` Any guidance here would be greatly appreciated! Thankslg...

Hi,I want to raise a ticket automatically in service now or any other tool when my glue job failed to run.this process need to be automated.can any one help.lg...

Hi, I'm developping a node js site in EB and inside i use Google API. For this i have a large private key ``` -----BEGIN PRIVATE KEY-----\nihriohioerhfierjfirejfi=\n-----END PRIVATE KEY-----\n ``` I tried to store it inside environment variable but it's limited with 256 characters. EC2 key pair value has the same size limit So my question is: Where do i have to store this key and how can i use it inside my node js app? I found this link but i'm not sure if it's the right way and it's not enough explain (https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/https-storingprivatekeys.html) Thanks for your helplg...

I received information that Amazon EC2 Launch Configurations will Deprecate support for new Instances (https://aws.amazon.com/blogs/compute/amazon-ec2-auto-scaling-will-no-longer-add-support-for-new-ec2-features-to-launch-configurations/). When running inventory check I see that all Elastic Beanstalk clusters are using deprecated functionality but there is no migration path in documentation. How does the change impacts Elastic beanstalk users?lg...

When running a parallel cluster using a partition with c6g-medium ondemand machines, 19 of them failed during a run and never powered up again. My sinfo returns: PARTITION AVAIL TIMELIMIT NODES STATE NODELIST c6gm-ondemand up infinite 19 idle% c6gm-ondemand-dy-c6gmedium-[32-50] c6gm-ondemand up infinite 31 alloc c6gm-ondemand-dy-c6gmedium-[1-31] While sacct contains the following entries: 12033 2022_6_39+ c6gm-onde+ 1 NODE_FAIL 0:0 12034 2022_6_40+ c6gm-onde+ 1 NODE_FAIL 0:0 12037 2022_6_43+ c6gm-onde+ 1 NODE_FAIL 0:0 12039 2022_6_45+ c6gm-onde+ 1 NODE_FAIL 0:0 12040 2022_6_46+ c6gm-onde+ 1 NODE_FAIL 0:0 Does anyone know how I can figure out what caused these nodes to fail and never be booted up again? The other 31 ondemand nodes have been running similar task as the 19 failed nodes without problems. Also, is there any way to restart the 19 failed nodes somehow? I would really like to run 50 nodes in parallel, not 31. EDIT: my squeue contains hundreds more `PENDING` jobs to be run on nodes in this partition, so I'm a bit confused why the `idle%` nodes aren't being powered up again.lg...

I have added one TCP port in NLB for existing ASG instance, health check failing, request anyone please guide me what to check.lg...

The "Comparing Amazon Linux 2 and Amazon Linux 2022" page at https://docs.aws.amazon.com/linux/al2022/ug/compare-al2-to-AL2022.html says: > Amazon Linux 2022 optimizes boot time to reduce the time from instance launch to running the customer workload. As such, this would be great for GameLift usage as it takes quite a while to launch instances in my experience. However, when using the AWS CLI to upload a build, the output for the "--operating-system" parameter only allows AMAZON_LINUX, AMAZON_LINUX_2 (and windows). Why is this? When will Amazon Linux 2022 be available with GameLift?lg...

I deployed stable diffusion v2.0 by aws sagemaker, and create endpoint for real-time inference.(instance type is ml.g4dn.xlarge) Also, i used aws apigateway and aws lambda. my question is that concurrency of prediction process by invoked request. when i check cloudwatch log, i see that request is sequentially process.(one prediction finished, then next prediction proceeded) i expected that the requests are concurrently dealt with, but not. at real-time endpoint, there is no max concurrent options, then invokeendpoint always sequentially procedeed?? no way for making requests are parellely dealt with, except increase instance number?lg...

now Host Error website not open try to restart light sail but error not solve ip my address not ping what will dolg...

Customer reporting update service taking 15 to 20 mins to complete - Created on behalf of customer post https://github.com/aws/apprunner-roadmap/issues/147lg...

Unable to create app runner service, here is the App Runner service ARN - arn:aws:apprunner:eu-west-1:770785616967:service/website-app-deploy-test-envs/9b8c8ad1fa4a419f9960bac46f58b75a. Creating this onbehalf of the customer for github issue - https://github.com/aws/apprunner-roadmap/issues/110#issuecomment-1331809397lg...

There is an error that changes to "??" when I type Korean on the server. I wonder if the hosting server environment is UTF-8. It seems that the server doesn't accept Korean, so I want to know the solution. lg...

EC2 instance with cPanel & CentOS running when ran out of disk space. Using the volume modification option, I increased the size of the volume, but the ClearOS won't change its partitios automaticly, so system is stucked. How do I increase the partitios ofter a volume modification?lg...

Hello, I am using AWS Lightsail to host my website. Using Cloudflare DNS + WAF for protection. I am trying to whitelist the Cloudflare IPs on the AWS infra but after defining the ACL, the site becomes unreachable. When i remove the ACL, site is back online. I am making firewall rules for http and https. Am i missing anything? https://www.cloudflare.com/en-gb/ips/ 173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20 197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/13 104.24.0.0/14 172.64.0.0/13 131.0.72.0/22 2400:cb00::/32 2606:4700::/32 2803:f800::/32 2405:b500::/32 2405:8100::/32 2a06:98c0::/29 2c0f:f248::/32lg...

Is there any way to use CloudWatch to monitor the number of active connections to a Lightsail/EC2 server? I know there's such an indicator for the Application Load Balancer, however, there's no load balancer in my infrastructure. The number of active web users/connections is one of the most popular indicators and we want to find out more about it. Thank you.lg...

Our infrastructure is in AWS. We use AWS Security Group to define inbound/outbound traffic rules. Our servers are ip restricted, as in only traffic from one particular ip is allowed as per the Security Group rule. Say, we have 2 EC2 apps that serve web traffic. And, as per the Security Group rule, only traffic from that one ip is allowed to these servers on port 80 and 443. We now need for these apps to communicate with each other, i.e. send each other HTTP requests. We want the 2 apps to communicate with each other internally because they belong to the same Public Subnet and VPC. If the communication is not internal, traffic from one app would reach the other app via the internet, and this would not be allowed by the existing Security Group rules. Is trying to keep the communication internal between the 2 apps the standard way? I need some guidance on how to best implement this idea.lg...