Friday, April 1, 2016

Associating IAM roles to the IAM instance profile

We were getting some weird error when trying to create a simple EMR cluster using an AWS admin account with all access that was recently created.

Terminated with errors
Failed to provision ec2 instances because 'IAM Instance Profile "arn:aws:iam::...:instance-profile/EMR_EC2_DefaultRole" has no associated IAM Roles (Service: AmazonEC2; Status Code: 400; Error Code: InvalidParameterValue; Request ID: ..)'

We have reported this to AWS, and are still waiting for a decent reply (we already got a canned response, which was useless). Let me know if you have encountered this before, and how you resolved it.

In the meantime, we are trying to work around this by allowing all EC2 actions and Elastic MapReduce actions to the admin account. Given below is the set of actions that we performed.

Go to:
https://console.aws.amazon.com/iam/home?region=us-west-2#policies

Select:
Create Your Own Policy

Give a name:  emrAllPolicy
(any name is fine)
Description:  Give all access to emr 
(anything)
Policy Document:
{
    "Version": "2012-10-17",
    "Statement": [
       {
           "Effect": "Allow",
           "Resource": "*",
           "Action": [
               "cloudwatch:*",
               "dynamodb:*",
               "ec2:*",
               "elasticmapreduce:*",
               "kinesis:CreateStream",
               "kinesis:DeleteStream",
               "kinesis:DescribeStream",
               "kinesis:GetRecords",
               "kinesis:GetShardIterator",
               "kinesis:MergeShards",
               "kinesis:PutRecord",
               "kinesis:SplitShard",
               "rds:Describe*",
               "s3:*",
               "sdb:*",
               "sns:*",
               "sqs:*"
           ]
       }
    ]
}

Validate policy and create policy using the relevant options.

Once the above policy is created,
Go to:
https://console.aws.amazon.com/iam/home?region=us-west-2#roles/EMR_EC2_DefaultRole

Click attach policy, search for the policy you just created (if it does not show up, feel free to refresh your browser and retry from the attach policy step again).

Once you have found the policy, select it and attach it to the IAM instance profile (EMR_EC2_DefaultRole) above, using the "Attach Policy" option.

Retry the failed operation.

You may also use the IAM Policy Simulator (the "Simulate Policy" option) to quickly simulate the actions in the relevant services and confirm that they are allowed.
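An offline sanity check of the policy document above, complementing the Policy Simulator step (an added example, not part of the original post). It evaluates only Allow statements with Resource "*", which is all this policy contains, and ignores Deny, NotAction, conditions and resource ARNs; the function names are illustrative.

```python
import json
import re

# The policy document from this post, embedded so the check runs offline.
POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{
   "Effect": "Allow",
   "Resource": "*",
   "Action": ["cloudwatch:*", "dynamodb:*", "ec2:*", "elasticmapreduce:*",
              "kinesis:CreateStream", "kinesis:DeleteStream",
              "kinesis:DescribeStream", "kinesis:GetRecords",
              "kinesis:GetShardIterator", "kinesis:MergeShards",
              "kinesis:PutRecord", "kinesis:SplitShard", "rds:Describe*",
              "s3:*", "sdb:*", "sns:*", "sqs:*"]}]}
""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allowed_patterns(policy):
    """Action patterns from Allow statements that apply to Resource "*"."""
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Resource", [])):
            yield from _as_list(stmt.get("Action", []))

def is_allowed(policy, action):
    """True if some allowed pattern matches the action name."""
    for pattern in allowed_patterns(policy):
        # IAM action names are case-insensitive; '*' and '?' are wildcards.
        regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
        if re.fullmatch(regex, action, re.IGNORECASE):
            return True
    return False  # nothing matched: implicit deny

def full_service_wildcards(policy):
    """Services granted every action ("svc:*") on every resource."""
    return sorted({p.split(":")[0] for p in allowed_patterns(policy)
                   if p.endswith(":*")})

if __name__ == "__main__":
    for action in ("ec2:RunInstances", "rds:DescribeDBInstances",
                   "rds:DeleteDBInstance", "kinesis:ListStreams"):
        verdict = "allowed" if is_allowed(POLICY, action) else "implicit deny"
        print(f"{action:26} {verdict}")
    print("full-service wildcards:", ", ".join(full_service_wildcards(POLICY)))
```

The list of full-service wildcards shows which grants could be narrowed to specific actions once the cluster provisions successfully.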

This is a related read.
