Error while using aws dynamic host catalog plugin

Hi All,

I am trying to use the AWS dynamic host catalog plugin which is here: GitHub - hashicorp/boundary-plugin-host-aws: Boundary Host Plugin (AWS). However, I am getting an error while using this plugin. The executed commands are as below.

Boundary dev server:

boundary dev

Creating Hostcatalog plugin

boundary host-catalogs create plugin -scope-id p_1234567890 -plugin-name aws -name "Example Plugin-Based Host Catalog" -description "Description for plugin-based host catalog" -attr disable_credential_rotation=true -attr region=us-west-1 -secret access_key_id= -secret secret_access_key=

Error

Error from controller when performing create on plugin-type host catalog

Error information:
Kind: Internal
Message: host_catalogs.(Service).createPluginInRepo: unable to create host catalog: plugin.(Repository).CreateCatalog: in
scope: p_1234567890: db.DoTx: plugin.(Repository).CreateCatalog: unknown, unknown: error #0: rpc error: code = Unknown desc = error during
credential validation: error validating credentials: RequestError: send request failed
caused by: Post "https://sts.amazonaws.com/": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
Status: 500
context: Error from controller when performing create on plugin-type host catalog

Following are the boundary versions used

Boundary Cli - 0.7.3
Boundary server - 0.7.3

I see an AWS credential error in there – at first glance it looks like Boundary was not able to use the AWS credentials being used to configure the plugin. My first thought is, is this in a private VPC subnet that can’t access the usual AWS endpoints? If you SSH to an instance in that subnet and curl -L https://sts.amazonaws.com/ do you get any response at all (even an error?)

I am getting a different error now.

Error from controller when performing create on plugin-type host catalog

Error information:
Kind: NotFound
Message: Resource not found.
Status: 404
context: Error from controller when performing create on plugin-type host catalog

Can you copy and paste what you’re doing up to that point? It sounds like maybe the project scope ID you’re giving it doesn’t exist.

Here are the detailed commands/instructions which I had followed.

Started Boundary in Devmode

boundary dev

Created AWS EC2 Instance

Created aws ec2 t2.micro instance.

Created IAM Policy

The IAM policy has been created with the following permissions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:DescribeInstances"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Created IAM User with the above created policy

A new IAM user (programmatic access) has been created by attaching the above created policy.
Got the access key ID and secret access key.

Authenticate with boundary

Authenticated with boundary using the below command.

boundary authenticate password -auth-method-id ampw_1234567890 -login-name admin -password password

Error while creating aws hostcatalog plugin

boundary host-catalogs create plugin -scope-id p_1234567890 -plugin-name aws -name "Example Plugin-Based Host Catalog" -description "Description for plugin-based host catalog" -attr disable_credential_rotation=true -attr region=us-west-1 -secret access_key_id=redacted -secret secret_access_key=redacted

Error is:

Error from controller when performing create on plugin-type host catalog

Error information:
Kind: Internal
Message: host_catalogs.(Service).createPluginInRepo: unable to create host catalog:
plugin.(Repository).CreateCatalog: in scope: p_1234567890: db.DoTx: plugin.(Repository).CreateCatalog: unknown, unknown: error
#0: rpc error: code = Unknown desc = error during credential validation: error validating credentials: RequestError: send
request failed
caused by: Post "https://sts.amazonaws.com/": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
Status: 500
context: Error from controller when performing create on plugin-type host catalo

Hm. I’m not sure this is why you’re getting the timeout error, but I can at least say you need some additional IAM permissions for your IAM user you create for the plugin. You need an IAM user with at least these permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:DescribeInstances"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": [
        "iam:DeleteAccessKey",
        "iam:GetUser",
        "iam:CreateAccessKey"
      ],
      "Effect": "Allow",
      "Resource": "[the ARN of your IAM user]"
    }
  ]
}

I think you’re missing those IAM permissions in the second statement.
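Added example (not code from the thread or from the Boundary plugin) that puts the two diagnoses above into an offline check: it compares the IAM policy the original poster created with the one suggested in this reply, and it reads the proxy-related environment variables to explain why a request to https://sts.amazonaws.com/ could time out as in the earlier reply. The user ARN and the policy documents are constructed sample values; the assumptions that the three `iam:*` actions are only exercised when credential rotation is enabled, and that the Boundary process and its plugin honour `HTTPS_PROXY`/`NO_PROXY` from the shell environment, are mine and not confirmed by the thread.

```python
"""Offline checks for the two failure modes discussed in the thread:
1. the IAM policy attached to the plugin user lacks permissions, and
2. the Boundary host cannot reach https://sts.amazonaws.com/ (proxy/VPN).
"""
from fnmatch import fnmatchcase

STS_HOST = "sts.amazonaws.com"

# Permissions listed in the reply. Assumption: the IAM actions are only needed
# when the plugin rotates its own access key (disable_credential_rotation=false).
REQUIRED_ALWAYS = {"ec2:DescribeInstances"}
REQUIRED_FOR_ROTATION = {"iam:GetUser", "iam:CreateAccessKey", "iam:DeleteAccessKey"}

# Constructed sample ARN standing in for "[the ARN of your IAM user]".
USER_ARN = "arn:aws:iam::123456789012:user/boundary-plugin"

# Constructed copies of the two policies from the thread.
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": ["ec2:DescribeInstances"], "Effect": "Allow", "Resource": "*"},
    ],
}
SUGGESTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": ["ec2:DescribeInstances"], "Effect": "Allow", "Resource": "*"},
        {"Action": sorted(REQUIRED_FOR_ROTATION), "Effect": "Allow", "Resource": USER_ARN},
    ],
}


def _as_list(value):
    """IAM allows a string or a list in Statement/Action/Resource."""
    return value if isinstance(value, list) else [value]


def allowed_actions(policy: dict) -> dict:
    """Map each action pattern in an Allow statement to the resources it covers."""
    grants = {}
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            grants.setdefault(action, set()).update(_as_list(stmt.get("Resource", [])))
    return grants


def _granted(grants: dict, action: str) -> set:
    """Resources covering `action`, honouring wildcards such as ec2:* (case-insensitive)."""
    resources = set()
    for pattern, covered in grants.items():
        if fnmatchcase(action.lower(), pattern.lower()):
            resources |= covered
    return resources


def check_policy(policy: dict, disable_credential_rotation: bool, user_arn: str) -> list:
    """Return a list of problems; an empty list means the policy looks sufficient."""
    grants = allowed_actions(policy)
    problems = []
    for action in sorted(REQUIRED_ALWAYS):
        if not _granted(grants, action):
            problems.append(f"missing Allow for {action}")
    if not disable_credential_rotation:
        for action in sorted(REQUIRED_FOR_ROTATION):
            resources = _granted(grants, action)
            if not resources:
                problems.append(f"missing Allow for {action} (needed for credential rotation)")
            elif "*" in resources:
                # Least privilege: rotation only needs the plugin's own user.
                problems.append(f"{action} is granted on '*'; scope it to {user_arn}")
            elif user_arn not in resources:
                problems.append(f"{action} is not granted on {user_arn}")
    return problems


def proxy_diagnosis(env: dict) -> list:
    """Explain, from proxy env vars, why an HTTPS call to STS might hang.

    Assumption: the Go HTTP client in Boundary/the plugin honours HTTPS_PROXY
    and NO_PROXY inherited from the shell that ran `boundary dev`.
    """
    https_proxy = env.get("HTTPS_PROXY") or env.get("https_proxy")
    no_proxy = env.get("NO_PROXY") or env.get("no_proxy") or ""
    hosts = [h.strip().lstrip(".") for h in no_proxy.split(",") if h.strip()]
    bypass = any(STS_HOST == h or STS_HOST.endswith("." + h) for h in hosts)
    if https_proxy and bypass:
        return [f"{STS_HOST} is in NO_PROXY, so the request goes direct; the VPN/firewall must allow egress to it"]
    if https_proxy:
        return [f"request to {STS_HOST} goes via {https_proxy}; a timeout means that proxy is unreachable or blocks the host"]
    return ["no HTTPS_PROXY set; if this network requires a proxy, the TCP connect hangs until the client timeout"]


if __name__ == "__main__":
    import os
    for name, policy in (("original", ORIGINAL_POLICY), ("suggested", SUGGESTED_POLICY)):
        for rotation_off in (True, False):
            print(name, "rotation disabled" if rotation_off else "rotation enabled",
                  check_policy(policy, rotation_off, USER_ARN) or "OK")
    for note in proxy_diagnosis(dict(os.environ)):
        print(note)
```

Run it on the host where `boundary dev` was started so the proxy diagnosis sees the same environment the controller and plugin inherit; the policy check works anywhere, on any policy document loaded with `json.load`.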

I tried the same set of commands on the EC2 instance (the one I created) and it worked. So probably a few problems are occurring on my local system due to the org VPN or proxy. Not sure exactly what the root cause is. Thanks a lot for your response.