Hi all,
I'm trying to deploy EC2 servers using salt-cloud. But I'm getting an error when I do. This is the error that I'm seeing:
[root@salt salt]# salt-cloud -p ec2_private_win_r3.xlarge server00009
[ERROR ] AWS Response Status Code and Error: [401 401 Client Error: Unauthorized] {'Errors': {'Error': {'Message': 'AWS was not able to validate the provided access credentials', 'Code': 'AuthFailure'}}, 'RequestID': '33b43015-518e-4865-88e7-b6432e61b0db'}
[ERROR ] AWS Response Status Code and Error: [401 401 Client Error: Unauthorized] {'Errors': {'Error': {'Message': 'AWS was not able to validate the provided access credentials', 'Code': 'AuthFailure'}}, 'RequestID': '4b88b080-ad32-4388-a133-4322b1c08c04'}
[ERROR ] There was a profile error: 'NoneType' object has no attribute 'copy'
I’ve verified the AWS keys that I’m using and I’m able to list and even launch new instances using the aws command line with the keys that I’m using in the cloud provider file:
aws ec2 run-instances --image-id ami-xxxxxx --count 1 --instance-type c4.large --key-name company-timd --security-group-ids sg-xxxxx --subnet-id subnet-xxxxx --profile=company-npgovcloud
615531451610 r-036342b377d062086
INSTANCES 0 x86_64 False xen ami-e0daeff7 i-0017b45abfed0001e c4.large company-timd 2017-06-15T20:04:53.000Z
ip-10-4-137-7.us.kworld.kpmg.com 10.4.137.7 /dev/xvda ebs True subnet-xxxx hvm vpc-xxxxx
MONITORING disabled
NETWORKINTERFACES 0e:b0:18:f1:2f:a8 eni-xxxx 615531451610 10.4.137.7 True in-use subnet-3a7a5361 vpc-16532f70
ATTACHMENT 2017-06-15T20:04:53.000Z eni-attach-41df4a4d True 0 attaching
GROUPS sg-xxxxx npgovapp1-sg-default
PRIVATEIPADDRESSES True 10.4.137.7
PLACEMENT us-east-1c default
SECURITYGROUPS xxxxx npgovapp1-sg-default
STATE 0 pending
STATEREASON pending pending
This is my cloud provider definition that uses the same keys:
company-govcloud-nonprod-us-east-1:
  # Set up the location of the salt master
  minion:
    master: 10.0.2.15
  # Set up grains information, which will be common for all nodes
  # using this driver
  grains:
    node_type: broker
  # Valid options are:
  #     private_ips - The salt-cloud command is run inside the EC2
  #     public_ips - The salt-cloud command is run outside of EC2
  #
  ssh_interface: private_ips
  # Optionally configure the Windows credential validation number of
  # retries and delay between retries. This defaults to 10 retries
  # with a one second delay between retries
  win_deploy_auth_retries: 10
  win_deploy_auth_retry_delay: 1
  # Set the EC2 access credentials (see below)
  id: 'AKIAIATLQ4FTDDA6BV7A'
  key: 'asdfasdsfadsadasasdafadsadfafasdasda'
  # Make sure this key is owned by root with permissions 0400.
  #
  private_key: /etc/salt/company-timd
  keyname: company-timd
  #securitygroup: core-sg-default
  # Optionally configure default region
  # Use salt-cloud --list-locations <driver> to obtain valid regions
  #
  location: us-east-1
  availability_zone: us-east-1c
  # Configure which user to use to run the deploy script. This setting is
  # dependent upon the AMI that is used to deploy. It is usually safer to
  # configure this individually in a profile, than globally. Typical users
  # are:
  #     Amazon Linux -> ec2-user
  #     RHEL -> ec2-user
  #     CentOS -> ec2-user
  #     Ubuntu -> ubuntu
  #
  ssh_username: root
  # Optionally add an IAM profile
  #iam_profile: 'arn:aws:iam::xxxxxxxxxxxx:role/rl-company-admin'
  driver: ec2
And this is the profile that I’m trying to use:
## Windows Server 2012 Alteryx & Tableau
ec2_private_win_r3.xlarge:
  provider: company-govcloud-nonprod-us-east-1
  image: ami-xxxxxxx
  size: r3.xlarge
  network_interfaces:
    - DeviceIndex: 0
      SubnetId: subnet-xxxxxxx
      SecurityGroupId: sg-xxxxxx
      PrivateIpAddresses:
        - Primary: True
      AssociatePublicIpAddress: False
  block_device_mappings:
    - DeviceName: /dev/sda1
      Ebs.VolumeSize: 120
      Ebs.VolumeType: gp2
    - DeviceName: /dev/sdf
      Ebs.VolumeSize: 250
      Ebs.VolumeType: gp2
  tag: {'Engagement': '999999999999', 'Owner': 'Tim', 'Name': 'non-production', 'Environment': 'COMPANY-Grouper'}
I tried commenting out the IAM profile in the cloud provider definition. I’ve checked and the AWS credentials I’m using have administrator access in IAM.
I think the problem might have to do with specifying the ec2 driver in the cloud provider definition.
I've put the debug output into this gist:
I'd like some advice on how to get past this problem.
Thanks,
Tim