I have started my Panorama journey with a Lenovo ThinkEdge SE70; my region: ca-central-1
I want to launch the EC2 env using the 'Test Utility environment setup' in aws-samples, in my region: ca-central-1:
- Test Utility
- I have copied the CloudFormation (CF) template from the us-east-1 launch stack to my local workstation, honored the listed pre-requisites from that GitHub page, and modified the template to include my subscription entry for the ARM machine image; validated via the AWS CLI, then created the stack, etc.:
  aws cloudformation validate-template --template-body file://./panorama-starter-kit-mod-cac1.yaml
  aws cloudformation create-stack --region ca-central-1 --template-body file://./panorama-starter-kit-mod-cac1.yaml --stack-name mxr-panorama-arm-ec2-instance-cac1 --capabilities CAPABILITY_NAMED_IAM
- switched to the AWS console to monitor events in the launch; 2 failures follow:
  1st: Did not have IAM permissions to process tags on AWS::EC2::Instance resource
  2nd: API: ec2:RunInstances You are not authorized to perform this operation. Encoded authorization failure message:
- I am running as admin, and my tag & resource run policy/permissions, as suggested by other posts, are wildcarded;
- there are re:Post links with similar tag permission failures:
Any Panorama environment guidance would be appreciated. I am a noob, but am confused as to why a CF template which is part of AWS Panorama support utility would fail in this tag workaround fashion. As a noob, I do not have CF expertise either. I have looked for a more prescriptive AWS Panorama workshop (similar to the IoT Core workshops with CF templates), but have not found any. I would like to use the 'Test Utility' to remote into my Panorama SE70 appliance, etc.
Maybe the sentiment for going forward is: " ... yah, the Panorama Test Utility CF template needs a workaround - therefore, build out your ARM EC2 instance manually, etc"
I added the LaunchTemplate entries as suggested in the re:Post above to my current template, but do not quite understand the rationale. This is my template:
AWSTemplateFormatVersion: '2010-09-09'
Description: EC2 instance
Parameters:
  KeyName:
    Description: Name of an existing EC2 KeyPair to enable SSH access to the instance
    Type: AWS::EC2::KeyPair::KeyName
    ConstraintDescription: must be the name of an existing EC2 KeyPair.
    Default: mxr-panorama-stack-ec2
  InstanceType:
    Description: WebServer EC2 instance type
    Type: String
    Default: t4g.2xlarge
    AllowedValues:
      - t4g.2xlarge
      - t4g.micro
      - t4g.xlarge
  SSHLocation:
    Description: The IP address range that can be used to SSH to the EC2 instances
    Type: String
    MinLength: 9
    MaxLength: 18
    Default: 0.0.0.0/0
    AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})
    ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x.
Mappings:
  RegionMap:
    ca-central-1:
      id: ami-00364bfa0dbeb5e09
    us-east-1:
      id: ami-01747bf371bd30817
    us-east-2:
      id: ami-01747bf371bd30817
    us-west-2:
      id: ami-0a8e148ec03558c68
    eu-central-1:
      id: ami-01747bf371bd30817
    eu-west-1:
      id: ami-01747bf371bd30817
    ap-northeast-1:
      id: ami-01747bf371bd30817
Resources:
  ec2Instance:
    Type: AWS::EC2::Instance
    Properties:
      # The launch template supplies the volume tags at creation time (the re:Post workaround)
      LaunchTemplate:
        LaunchTemplateId: !Ref RequiredTagsLaunchTemplate
        Version: 1
      InstanceType: !Ref InstanceType
      SecurityGroups: [!Ref 'ec2SecurityGroup']
      KeyName: !Ref KeyName
      ImageId: !FindInMap
        - RegionMap
        - !Ref AWS::Region
        - id
      IamInstanceProfile: !Ref ec2InstanceProfile
      BlockDeviceMappings:
        - DeviceName: /dev/sda1
          Ebs:
            VolumeSize: 500
      UserData:
        Fn::Base64: !Sub |
          #!/bin/bash -xe
          HOME=/home/ubuntu
          echo $HOME > $HOME/user_data.txt
          apt -y update && apt -y upgrade
          apt-get -y install wget build-essential checkinstall
          apt-get install -y libreadline-gplv2-dev libncursesw5-dev libssl-dev \
            libsqlite3-dev tk-dev libgdbm-dev libc6-dev libbz2-dev libffi-dev zlib1g-dev
          apt-get install python3-dev python3-pip python3-numpy -y
          # ... etc ...
          jupyter notebook --generate-config
          # ... etc ...
          apt install docker.io -y
          aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin 500245141608.dkr.ecr.us-west-2.amazonaws.com
          echo "INSTALLATION COMPLETE" > $HOME/INSTALLATION_COMPLETE.txt
  RequiredTagsLaunchTemplate:
    Type: 'AWS::EC2::LaunchTemplate'
    Properties:
      LaunchTemplateData:
        TagSpecifications:
          - ResourceType: volume
            Tags:
              - Key: Env
                Value: Dev
  ec2SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Enable SSH access via port 22
      SecurityGroupIngress:
        # Use the SSHLocation parameter (default 0.0.0.0/0) rather than a hard-coded CIDR,
        # so SSH (22) and the Jupyter port (8888) can be narrowed without editing the template
        - IpProtocol: tcp
          CidrIp: !Ref SSHLocation
          FromPort: 22
          ToPort: 22
        - IpProtocol: tcp
          CidrIp: !Ref SSHLocation
          FromPort: 8888
          ToPort: 8888
  ec2Role:
    Type: AWS::IAM::Role
    Properties:
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonS3FullAccess
        - arn:aws:iam::aws:policy/CloudWatchAgentAdminPolicy
        - arn:aws:iam::aws:policy/AWSCloudFormationReadOnlyAccess
        - arn:aws:iam::aws:policy/AmazonSageMakerFullAccess
        - arn:aws:iam::aws:policy/AmazonRekognitionFullAccess
        - arn:aws:iam::aws:policy/IAMFullAccess
        - arn:aws:iam::aws:policy/AWSPanoramaFullAccess
      # Only ec2.amazonaws.com needs to assume an instance-profile role; the other
      # service principals in this trust policy are not required by the instance
      AssumeRolePolicyDocument: |
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Action": [
                "sts:AssumeRole"
              ],
              "Effect": "Allow",
              "Principal": {
                "Service": [
                  "ec2.amazonaws.com",
                  "s3.amazonaws.com",
                  "cloudwatch-crossaccount.amazonaws.com",
                  "cloudformation.amazonaws.com",
                  "member.org.stacksets.cloudformation.amazonaws.com",
                  "sagemaker.amazonaws.com",
                  "rekognition.amazonaws.com",
                  "iam.amazonaws.com",
                  "panorama.amazonaws.com"
                ]
              }
            }
          ]
        }
  ec2InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: /
      Roles:
        - !Ref ec2Role
Outputs:
  publicName:
    Description: Public DNSName of the EC2 instance
    Value: !GetAtt [ec2Instance, PublicDnsName]
  publicIp:
    Description: Public IP address of the EC2 instance
    Value: !GetAtt [ec2Instance, PublicIp]
Thanks for your suggestions. I decoded the message, but it does not tell me anything new: "admin-user" does not have permission to perform the ec2:RunInstances action on the arn:aws:ec2:ca-central-1:208598130076:volume/*. This admin-user has been set up with wild-card role/policy during debug, on the services used (ec2, cloudformation, admin permissions, etc.).
I am able to launch the ARM AMI subscription ec2 in my region using the console wizard.
Are others aware of a low friction path to setting up a Panorama virtual environment? The purpose of the template above is to set up a Jupyter notebook environment on an ARM ec2. Any suggestions from Jupyter experts?
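The encoded authorization failure in the RunInstances error above is decoded with `aws sts decode-authorization-message --encoded-message <blob>`, which returns `{"DecodedMessage": "<json string>"}`. The decoded JSON says more than the one-line "is not authorized" summary: whether the deny was explicit (a Deny statement from an SCP, permissions boundary or policy matched) or implicit (no Allow covered the action, resource and request conditions), and which condition keys were present on the request, including the `aws:RequestTag/*` and `ec2:CreateAction` keys that appear when tags are applied to a volume during RunInstances. The script below, an added example that is not part of the original post, walks that structure and turns it into a short checklist. The sample messages are constructed for the example; the account id, principal and statement id are placeholders, and only the field layout follows the real DecodedMessage format.

```python
"""Summarise a decoded EC2 authorization-failure message (added example).

Input is either the raw decoded JSON or the CLI wrapper
{"DecodedMessage": "<json string>"} produced by
`aws sts decode-authorization-message`.
"""
import json

# Constructed sample (placeholder account/principal): an implicit deny on the
# volume resource of a RunInstances call, with create-time tags on the request.
SAMPLE_CLI_OUTPUT = json.dumps({
    "DecodedMessage": json.dumps({
        "allowed": False,
        "explicitDeny": False,
        "matchedStatements": {"items": []},
        "failures": {"items": []},
        "context": {
            "principal": {"id": "AIDAEXAMPLEPLACEHOLDER",
                          "arn": "arn:aws:iam::111122223333:user/admin-user"},
            "action": "ec2:RunInstances",
            "resource": "arn:aws:ec2:ca-central-1:111122223333:volume/*",
            "conditions": {"items": [
                {"key": "ec2:CreateAction", "values": {"items": [{"value": "RunInstances"}]}},
                {"key": "aws:RequestTag/Env", "values": {"items": [{"value": "Dev"}]}},
                {"key": "aws:TagKeys", "values": {"items": [{"value": "Env"}]}},
                {"key": "ec2:Region", "values": {"items": [{"value": "ca-central-1"}]}},
            ]},
        },
    })
})

# Constructed sample (raw decoded form): an explicit deny, e.g. from an SCP.
SAMPLE_EXPLICIT_DENY = json.dumps({
    "allowed": False,
    "explicitDeny": True,
    "matchedStatements": {"items": [
        {"statementId": "DenyOutsideApprovedRegions", "effect": "DENY"}]},
    "failures": {"items": []},
    "context": {
        "principal": {"id": "AIDAEXAMPLEPLACEHOLDER",
                      "arn": "arn:aws:iam::111122223333:user/admin-user"},
        "action": "ec2:RunInstances",
        "resource": "arn:aws:ec2:ca-central-1:111122223333:instance/*",
        "conditions": {"items": [
            {"key": "ec2:Region", "values": {"items": [{"value": "ca-central-1"}]}}]},
    },
})


def load_decoded(text):
    """Accept either the raw decoded JSON or the CLI wrapper around it."""
    obj = json.loads(text)
    if "DecodedMessage" in obj:
        obj = json.loads(obj["DecodedMessage"])
    return obj


def summarize(text):
    """Extract the fields a reviewer needs from the decoded message."""
    msg = load_decoded(text)
    ctx = msg.get("context", {})
    conds = {}
    for item in ctx.get("conditions", {}).get("items", []):
        conds[item["key"]] = [v["value"] for v in item.get("values", {}).get("items", [])]
    if msg.get("allowed"):
        deny_type = "none"
    elif msg.get("explicitDeny"):
        deny_type = "explicit"   # a Deny statement matched (SCP, boundary, policy)
    else:
        deny_type = "implicit"   # no Allow covered action + resource + conditions
    return {
        "deny_type": deny_type,
        "principal": ctx.get("principal", {}).get("arn"),
        "action": ctx.get("action"),
        "resource": ctx.get("resource"),
        "create_action": (conds.get("ec2:CreateAction") or [None])[0],
        "request_tag_keys": sorted(k for k in conds if k.startswith("aws:RequestTag/")),
        "matched_statements": len(msg.get("matchedStatements", {}).get("items", [])),
    }


def explain(summary):
    """Turn the summary into the checklist a reviewer would work through."""
    lines = ["%s on %s -> %s deny for %s" % (summary["action"], summary["resource"],
                                             summary["deny_type"], summary["principal"])]
    if summary["deny_type"] == "explicit":
        lines.append("A Deny matched: check SCPs, permissions boundary, session and "
                     "identity policies for the %d matched statement(s)."
                     % summary["matched_statements"])
    elif summary["deny_type"] == "implicit":
        lines.append("No Allow matched: the statement allowing this action must also "
                     "cover this resource ARN and region.")
        if summary["request_tag_keys"]:
            lines.append("Tags were applied on create (%s) during %s; the Allow must not "
                         "exclude them via aws:RequestTag/aws:TagKeys conditions."
                         % (", ".join(summary["request_tag_keys"]), summary["create_action"]))
    return lines


if __name__ == "__main__":
    for sample in (SAMPLE_CLI_OUTPUT, SAMPLE_EXPLICIT_DENY):
        print("\n".join(explain(summarize(sample))))
```

Feed it the real CLI output by saving `aws sts decode-authorization-message` to a file and passing the file contents to `summarize`; the distinction between an implicit and an explicit deny is what decides whether to look at the allowing statement's resource ARN or at an organisation-level Deny.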