Deployment of Controller in AWS [LAB] Fails

I have spent probably 5 hours trying to get a controller deployed into AWS, using the information here: https://docs.aviatrix.com/StartUpGuides/aviatrix-cloud-controller-startup-guide.html

After the first time I attempted it, I am able to log into the controller and reset the password. I then failed to add my AWS account using the wizard from the first screen.

The error message tells me the role "aviatrix-role-ec2" is not assigned and to go to the link above and re-run the CloudFormation.

I have attempted to run this. However, when I am setting up the template to deploy the system through CloudFormation, it fails because the role "aviatrix-role-ec2" exists. However, if I go to IAM, it is NOT there, but for some reason, on the CloudFormation Stack Step 2: IAM role creation, it is listed. Yes, I've tried to use it and it still failed.

So I think I have the following two options:

1) figure out how to remove the 'ghosting' IAM role

2) figure out how to manually configure everything to work with the instance.

There doesn't seem to be any way to manually deploy or delete the settings for the controller in case there was something wrong when running CloudFormation.

===============

Thanks everyone for the help. Here's the way I went about to fix it:

I set up an Amazon Linux 2 VM in VMware Workstation

- Info: https://aws.amazon.com/amazon-linux-2/

- Download: https://cdn.amazonlinux.com/os-images/2.0.20200602.0/vmware/

After importing the VM, you need to fix the passwords and SSH configuration. I followed Shehu Awwal's blog: https://medium.com/shehuawwal/download-and-run-amazon-linux-2-ami-locally-on-your-virtualbox-or-vmware-b554a98dcb1c

Then, you need to create a user at the IAM console (https://console.aws.amazon.com/iam) - Guide: https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html

You need to create a Policy with the "iam:DeleteInstanceProfile" action assigned to the above user created in the previous step.

After that, you can follow AWS Guide to deleting IAM Roles: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage_delete.html#id_roles_manage_delete_slr

Specifically, I removed the Instance role: "aviatrix-role-ec2"

Re-ran the CloudFormation script and it completed without error.
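
The cleanup described in this thread, as an added example that is not part of the original posts and is not Aviatrix or AWS code. It assumes the leftover instance profile has the same name as the role ("aviatrix-role-ec2"), that the caller is also allowed iam:GetInstanceProfile and iam:RemoveRoleFromInstanceProfile in addition to the iam:DeleteInstanceProfile action mentioned above, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: remove a leftover IAM instance profile that is invisible in
# the IAM Roles console view but still blocks the CloudFormation template.
# Assumes a configured AWS CLI; function names are hypothetical.

# Print the roles still attached to an instance profile, one per line.
# Returns non-zero when the profile cannot be read (for example, it is gone).
profile_roles() {
  local out
  out=$(aws iam get-instance-profile \
        --instance-profile-name "$1" \
        --query 'InstanceProfile.Roles[].RoleName' \
        --output text) || return 1
  # Text output separates list items with tabs; "None" or empty means no roles.
  [ -z "$out" ] || [ "$out" = "None" ] || printf '%s\n' "$out" | tr '\t' '\n'
}

# Detach any remaining roles, then delete the instance profile itself.
# Safe to re-run: a profile that is already gone is reported, not an error.
delete_orphan_profile() {
  local name roles role
  name=$1
  if ! roles=$(profile_roles "$name"); then
    echo "instance profile $name not found or not readable"
    return 0
  fi
  # A profile must have no role attached before it can be deleted.
  for role in $roles; do
    aws iam remove-role-from-instance-profile \
      --instance-profile-name "$name" --role-name "$role" || return 1
  done
  aws iam delete-instance-profile --instance-profile-name "$name" || return 1
  echo "deleted instance profile $name"
}

# Usage (after sourcing this file):
#   delete_orphan_profile aviatrix-role-ec2
```

The three IAM actions listed above are all the IAM user created for this cleanup needs, and that user can be removed once the template has completed.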

  • Are you still able to log in to the Aviatrix Controller? If you do, then we can probably fix it without re-deploying or re-running the CloudFormation.
    • Shahzad Ali I can log into the Controller but just can't attach my AWS account. I will probably try Aaron Foltz's idea and just use the AWS CLI to remove the role that way. It's just strange that it lets me delete the item from the IAM dashboard but doesn't completely remove it.
  • "aviatrix-role-ec2" needs to be removed via the AWS CLI if you wish to rerun the CloudFormation Template.
    • Aaron Foltz You know, I was considering that. Why does it do that? I mean, if you go to IAM Roles and remove it, shouldn't it also remove it without the CLI?
      • Aaron Foltz, Sr. Cloud Architect, 2 mths ago

      Jesse Spangenberger It's not the Role that is hanging around, it is the InstanceProfile. You cannot remove those via the Portal, you must use the CLI. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage_delete.html

      Like 3
    • Jesse Spangenberger Ran into this with a customer the other day as well. It seems to be an AWS bug where the role is stuck, but not seen in the console. CLI fixed it. Let us know if we can assist with the deployment again, I am sure any one of us here would be happy to jump on a call with you and be there to help launch it.
    • Dana Yanch You know, I was guessing it might be. I just haven't had a chance to work with it yet. Just finished up another cert this morning and plan on taking this on Friday. Thanks for the info.
    • Dana Yanch Also, this probably should be noted on the page regarding the deployment!
    • Jesse Spangenberger You are right. I will talk to the doc team about this. Good luck with the cert. Let me know if you need anything.

      Like 1
    • Aaron Foltz Good information. 

      Like 1
  • Hi Jesse, I believe I ran into the same issue recently. If I remember correctly I solved it by adding the IAM role manually.

    Like 1
  • Status Answered