After Copr builder image updates, we can not boot Fedora 34 in AWS as i3.large. I was about to take a look at console output, but all our instances claim:
An error occurred We were unable to determine whether you have access to the EC2 serial console. Choose Cancel and try again.
Seems like we don't have access to the console? https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configure-access-to-serial-console.html
Metadata Update from @humaton: - Issue tagged with: ops, permissions
You should now have permissions to access EC2 serial console for resources tagged FedoraGroup: copr
I added ec2-instance-connect:SendSerialConsoleSSHPublicKey to the existing IAM policy for aws-copr.
I will close the ticket but please reopen if there is any issue.
Metadata Update from @mobrien: - Issue close_status updated to: Fixed with Explanation - Issue status updated to: Closed (was: Open)
I still get this:
On aws_aarch64_normal_dev_00052488_20211008_191832, instance i-09f564732536278b8. Instance type a1.xlarge.
Metadata Update from @praiskup: - Issue status updated to: Open (was: Closed)
Metadata Update from @kevin: - Issue assigned to mobrien - Issue priority set to: Waiting on Assignee (was: Needs Review)
I realized that I can share the image with our other account where we have the necessary permissions, but I realized that i3 instances don't support console access :-( So I at least filed this bug: https://bugzilla.redhat.com/show_bug.cgi?id=2013183
Never mind, it would be nice to have the console access anyway, so I don't want to close this issue (it is not a burning issue though, we have time).
The bug you are seeing might be this dracut bug: https://bugzilla.redhat.com/show_bug.cgi?id=2010058
@mobrien you still working on this?
I have adjusted the policy to ensure this access is now available to all instances tagged with the fedoragroup copr.
This is also region specific. It is currently set to enabled in us-east-1 and us-east-2
Do you mean FedoraGroup=copr tag? I'm afraid I still see
As the user aws-copr/praiskup
@praiskup would you be available to troubleshoot this on irc this week?
Definitely, feel free to ping me anytime you see me ... or schedule a meeting (gcal).
<mobrien> I think I may actually have this one fixed. It was missing ec2:GetSerialConsoleAccessStatus; although it's not mentioned in the docs, it is required. It seems to me it should be just read access to Cloudfront, but it's not clear. I have added the read-only access for you to check, so let me know and we can go from there.
@mobrien fixed this now!
Metadata Update from @praiskup: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)
This is now fixed and verified on irc by @praiskup
The issue was that ec2:GetSerialConsoleAccessStatus is needed, although it's not mentioned in the docs: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configure-access-to-serial-console.html
Metadata Update from @mobrien: - Issue close_status updated to: Fixed with Explanation (was: Fixed)
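An added example, not part of the ticket and not the actual aws-copr policy: a small check that a policy document allows both actions this thread ended up needing, run against a constructed "first attempt" policy and a constructed "final fix" policy. The policy layout, the account ID and the function names are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# The two actions the thread ended up needing for the EC2 serial console.
REQUIRED = (
    "ec2:GetSerialConsoleAccessStatus",
    "ec2-instance-connect:SendSerialConsoleSSHPublicKey",
)

def _as_list(value):
    """IAM accepts a single string/object or a list for Action and Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def missing_console_actions(policy):
    """Return required actions that no Allow statement's Action pattern covers.

    Simplified: Deny, NotAction, Resource and Condition are not evaluated.
    """
    patterns = [
        pattern.lower()
        for stmt in _as_list(policy.get("Statement"))
        if stmt.get("Effect") == "Allow"
        for pattern in _as_list(stmt.get("Action"))
    ]
    # IAM action names are case-insensitive and may use * and ? wildcards.
    return [a for a in REQUIRED
            if not any(fnmatchcase(a.lower(), p) for p in patterns)]

# Constructed policies; the account ID is a placeholder.
TAGGED_SEND_KEY = {
    "Effect": "Allow",
    "Action": "ec2-instance-connect:SendSerialConsoleSSHPublicKey",
    "Resource": "arn:aws:ec2:us-east-1:111122223333:instance/*",
    "Condition": {"StringEquals": {"aws:ResourceTag/FedoraGroup": "copr"}},
}
FIRST_ATTEMPT = {"Version": "2012-10-17", "Statement": [TAGGED_SEND_KEY]}
FINAL_FIX = {"Version": "2012-10-17", "Statement": [
    TAGGED_SEND_KEY,
    # Account-level status read, so it cannot be scoped to tagged instances.
    {"Effect": "Allow", "Action": "ec2:GetSerialConsoleAccessStatus", "Resource": "*"},
]}

if __name__ == "__main__":
    print("first attempt missing:", missing_console_actions(FIRST_ATTEMPT))
    print("final fix missing:", missing_console_actions(FINAL_FIX))
```

Running the same check on every policy that is supposed to grant serial console access catches the gap before a user hits the "unable to determine whether you have access" error in the console.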