19 messages
Discussion related to Amazon Web Services (AWS)
Archive: https://archive.sweetops.com/aws/
Sean Turner, almost 2 years ago (edited)
Do y'all use Pod Security Groups with EKS? Have you ever noticed an issue where two Pods with the same Security Group are unable to communicate?
I encountered this previously I believe with a Jupyterhub deployment on EKS, and now seem to be encountering it with a Retool deployment.
I have a self-referencing rule in place. Perhaps I need to also open HTTP from the EKS Node Security Group? Perhaps any sort of traffic needs to be opened on the Node Security Group.
Now that I think about it, a hybrid Pod Security Group + Network Policy would probably be best: use the Pod Security Group to secure access to RDS, and use Network Policies to control everything else.
Maarten van der Hoef, almost 2 years ago
Just came across this: https://github.com/basti-app/basti , nice one. Instant SSM forwarding.
Basti _(from Bastion Host)_ is a CLI tool for securely accessing your DB instances and other AWS resources in private networks at almost no cost.
Ryan, almost 2 years ago
Man, I did not know you could back CloudWatch dashboards with HTML and Lambda. TIL.
RB, almost 2 years ago
What is the best way to define aws sso role names and permissions/responsibilities?
Should it be team based, role based, account-based, or a mixture? Looking for some prior art on this and having trouble finding good blog posts.
Matt Gowie, almost 2 years ago
Does anyone here know of any open-source (or paid even) connector Lambda project to take items off of an SQS queue and put them into a bucket on S3?
Hari, almost 2 years ago
Hi, I have a Lambda function with Python code which takes an event and runs, but there are a couple of functions that need to run every day. Can I still use one Lambda to do both tasks, or should I split it into two different Lambdas, one for the event-based run and the other for the daily run?
miko, almost 2 years ago (edited)
(Resolved, thanks @Adi)
Hey guys, I am following this tutorial (API Gateway + AWS EKS), but helm chart pull is deprecated, so I went with helm pull public.ecr.aws/aws-controllers-k8s/chart:apigatewayv2-v0.0.2. But I am getting this error: Error: public.ecr.aws/aws-controllers-k8s/chart:v0.0.2: not found . I have been searching for answers online but can't find anything. My apologies, I am really new to all of this and AWS EKS is making my life hell at the moment 😞
miko, almost 2 years ago (edited)
Hey guys, I am following this tutorial (API Gateway + AWS EKS), but I get an error trying to run this command (I've been searching the internet for days and I'm still far from finishing this 😢):
$ helm install \
    --namespace kube-system \
    ack-$SERVICE-controller \
    $CHART_REPO/$SERVICE-chart \
    --version=$RELEASE_VERSION \
    --set=aws.region=$AGW_AWS_REGION
I get this error:
Error: INSTALLATION FAILED: rendered manifests contain a resource that already exists. Unable to continue with install: ServiceAccount "ack-apigatewayv2-controller" in namespace "kube-system" exists and cannot be imported into the current release: invalid ownership metadata; label validation error: key "app.kubernetes.io/managed-by" must equal "Helm": current value is "eksctl"; annotation validation error: missing key "meta.helm.sh/release-name": must be set to "ack-apigatewayv2-controller"; annotation validation error: missing key "meta.helm.sh/release-namespace": must be set to "kube-system"
I've tried modifying the ServiceAccount to use Helm instead of eksctl, but to no avail:
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::************:role/*****-addon-iamserviceaccoun-Role1-************
  creationTimestamp: "2024-04-11T03:59:39Z"
  labels:
    app.kubernetes.io/managed-by: Helm
  name: ack-apigatewayv2-controller
  namespace: kube-system
  resourceVersion: "4654570"
  uid: ********-****-****-****-************
But I'm still getting the error, and I'm not really sure what I'm doing wrong. I'm really new to this and a super noob at it.
RB, almost 2 years ago
What is a good SCP for the identity account? Is it only IAM roles that belong here, so perhaps ?
miko, almost 2 years ago
Hey guys, I'm currently using AWS API Gateway and need to check if a user has enough permission (JWT scope). All the tutorials I've seen so far were using either Lambda or AWS Cognito, but in my case I have an Authorization API that checks for user permission. Now I'm thinking of using Lambda and, from there, calling my Authorization API to check if the user has enough permission. Is there another, more optimal way of doing this?
Frank, almost 2 years ago
For those using AWS SSO (Identity Center) and managing multiple AWS Orgs (e.g. from customers): how do you arrange access to those? Just by assuming IAM roles in those accounts, or is there a better method?
TechHippie, almost 2 years ago
Hello All - Is there a way to get the entire OU path for an AWS account using boto3?
jonjitsu, almost 2 years ago
In regards to using Amazon MQ with Lambdas: is it better to allow it to drive the Lambdas, or would it be better to forward the messages to SQS, which can better drive Lambdas (at least there would be concurrency)? Also, does anyone have experience using Amazon MQ as a way to get messages from an on-prem RabbitMQ (either federated with it or by configuring on-prem to use the shovel plugin to send messages to Amazon MQ)?
Prasanth, almost 2 years ago
👋 Hello, team!
Prasanth, almost 2 years ago
Hi All,
I am unable to publish the code version using AWS CodeArtifact. Can you assist me with this?
Juan Pablo Lorier, almost 2 years ago
Hi, I've been using the ECS modules for a while, but lately something changed, and if I add a permission or modify a cluster, Terraform is redeploying all the services. Is there a way I can track the reason behind this?
It's pointing that the json task definition changed, while it didn't. Also modifying the permissions created by the modules
miko, almost 2 years ago (edited)
Status: CLOSED
Has anyone here ever used peering to establish a MongoDB connection within their AWS EKS cluster before? I've created an AWS EKS cluster with VPC private/public subnets, I have contained my RESTful APIs in the private subnet and exposed my frontend clients in the public subnet, and now I have to allow my RESTful APIs contained inside the private subnet to establish a connection with MongoDB via peering connections, but I can't get it to work even though I've already supplied my VPC's ID and region and the region of my MongoDB instance. However, when I use my default VPC for peering I am able to establish a connection from inside my EC2 that is using the default VPC.
Balazs Varga, almost 2 years ago
Hello all, we use spot instances in our kube cluster… we have a termination handler that checks the rebalance recommendation signal. Is it safe if I wait only for the 2-minute signal?
Balazs Varga, almost 2 years ago
My transit gateway ID contains tgw-. When I would like to add a route, do I need to remove the tgw part? create-route accepts only rtb…