Chef cookbook tutorial: What AWS permissions are needed to run this cookbook?


(Dan Testa) #1

Hi,

I am following the elasticsearch chef cookbook tutorial here:
http://www.elasticsearch.org/tutorials/deploying-elasticsearch-with-chef-solo/

I am getting stuck on this step:

time ssh -t $SSH_OPTIONS $HOST "sudo chef-solo --node-name elasticsearch-test-1 -j /tmp/node.json"

Here is the error I am getting. It seems that my AWS key is lacking the
necessary permissions to create an EBS volume. I added "ec2:CreateVolume"
and "ec2:AttachVolume" to no avail. I cannot find any info on what
permissions I need to run this. Can anyone point me to this info?

[testadadmin@uspetddebspoc01 elasticsearch-test]$ time ssh -t $SSH_OPTIONS $HOST "sudo chef-solo --node-name elasticsearch-test-1 -j /tmp/node.json"
Warning: Permanently added 'ec2-23-20-247-88.compute-1.amazonaws.com,23.20.247.88' (RSA) to the list of known hosts.
Starting Chef Client, version 11.6.0
Compiling Cookbooks...
Recipe: elasticsearch::ebs
  • package[gcc] action upgrade (up to date)
  • package[gcc-c++] action upgrade (up to date)
  • package[make] action upgrade (up to date)
  • package[libxslt-devel] action upgrade (up to date)
  • package[libxml2-devel] action upgrade (up to date)
  • chef_gem[fog] action install (up to date)
[2014-03-20T18:29:18+00:00] WARN: Cloning resource attributes for directory[/usr/local/var/data/elasticsearch/disk1] from prior resource (CHEF-3694)
[2014-03-20T18:29:18+00:00] WARN: Previous directory[/usr/local/var/data/elasticsearch/disk1]: /var/chef-solo/cookbooks/elasticsearch/recipes/data.rb:16:in `block in from_file'
[2014-03-20T18:29:18+00:00] WARN: Current  directory[/usr/local/var/data/elasticsearch/disk1]: /var/chef-solo/cookbooks/elasticsearch/recipes/data.rb:39:in `block in from_file'
Converging 50 resources
Recipe: monit::default
  • package[monit] action install (up to date)
  • service[monit] action start (up to date)
  • template[/etc/monit/monitrc] action create (up to date)
Recipe: elasticsearch::curl
  • package[curl] action install (up to date)
Recipe: ark::default
  • package[unzip] action install (up to date)
  • package[libtool] action install (up to date)
  • package[autoconf] action install (up to date)
Recipe: elasticsearch::default
  • group[elasticsearch] action create (up to date)
  • user[elasticsearch] action create (up to date)
  • bash[remove the elasticsearch user home] action run (skipped due to not_if)
  • directory[/usr/local/etc/elasticsearch] action create (up to date)
  • directory[/usr/local/var/log/elasticsearch] action create (up to date)
  • directory[/usr/local/var/run] action create (up to date)
  • directory[/usr/local/var/data/elasticsearch] action create (up to date)
  • template[/etc/init.d/elasticsearch] action create (up to date)
  • service[elasticsearch] action enable (up to date)
  • ark[elasticsearch] action install (skipped due to not_if)
  • bash[enable user limits] action run (skipped due to not_if)
  • log[increase limits for the elasticsearch user] action write
  • file[/etc/security/limits.d/10-elasticsearch.conf] action create (up to date)
  • template[elasticsearch-env.sh] action create (up to date)
  • template[elasticsearch.yml] action create (up to date)
  • template[logging.yml] action create (up to date)
Recipe: elasticsearch::plugins
  • directory[/usr/local/elasticsearch-0.90.12/plugins/] action create (up to date)
  • ruby_block[Install plugin: karmi/elasticsearch-paramedic] action run (skipped due to not_if)
Recipe: elasticsearch::ebs
  • package[gcc] action nothing (skipped due to action :nothing)
  • package[gcc-c++] action nothing (skipped due to action :nothing)
  • package[make] action nothing (skipped due to action :nothing)
  • package[libxslt-devel] action nothing (skipped due to action :nothing)
  • package[libxml2-devel] action nothing (skipped due to action :nothing)
  • chef_gem[fog] action install (up to date)
  • ruby_block[Create EBS volume on /dev/sda2 (size: 25GB)] action run
    ================================================================================
    Error executing action run on resource 'ruby_block[Create EBS volume on /dev/sda2 (size: 25GB)]'
    ================================================================================

Fog::Compute::AWS::Error

UnauthorizedOperation => You are not authorized to perform this operation.

Cookbook Trace:

/var/chef-solo/cookbooks/elasticsearch/libraries/create_ebs.rb:41:in `block (2 levels) in create_ebs'

Resource Declaration:

In /var/chef-solo/cookbooks/elasticsearch/libraries/create_ebs.rb

16: ruby_block "Create EBS volume on #{device} (size: #{params[:ebs][:size]}GB)" do
17:
18:   block do
19:     require 'fog'
20:     require 'open-uri'
21:
22:     region      = params[:region] || node.elasticsearch[:cloud][:aws][:region]
23:     instance_id = open('http://169.254.169.254/latest/meta-data/instance-id'){|f| f.gets}
24:     raise "[!] Cannot get instance id from AWS meta-data API" unless instance_id
25:
26:     Chef::Log.debug("Region: #{region}, instance ID: #{instance_id}")
27:
28:     fog_options = { :provider => 'AWS', :region => region }
29:     if (access_key = node.elasticsearch[:cloud][:aws][:access_key]) &&
30:        (secret_key = node.elasticsearch[:cloud][:aws][:secret_key])
31:       fog_options.merge!(:aws_access_key_id => access_key, :aws_secret_access_key => secret_key)
32:     else # Lack of credentials implies a IAM role will provide keys
33:       fog_options.merge!(:use_iam_profile => true)
34:     end
35:     aws = Fog::Compute.new(fog_options)
36:
37:     server = aws.servers.get instance_id
38:
39:     # Create EBS volume if the device is free
40:     ebs_device = params[:ebs][:device] || device
41:     unless server.volumes.map(&:device).include?(ebs_device)
42:       options = { :device => ebs_device,
43:                   :size => params[:ebs][:size],
44:                   :delete_on_termination => params[:ebs][:delete_on_termination],
45:                   :availability_zone => server.availability_zone,
46:                   :server => server }
47:
48:       options[:type] = params[:ebs][:type] if params[:ebs][:type]
49:       options[:iops] = params[:ebs][:iops] if params[:ebs][:iops] and params[:ebs][:type] == "io1"
50:
51:       if params[:ebs][:snapshot_id]
52:         if snapshot = aws.snapshots.get(params[:ebs][:snapshot_id])
53:           Chef::Log.info "Creating EBS from snapshot: #{snapshot.id} (" +
54:                          "Tags: #{snapshot.tags.inspect}, " +
55:                          "Description: #{snapshot.description})"
56:           options[:snapshot_id] = snapshot.id
57:         else
58:           __message = "[!] Cannot find snapshot: #{params[:ebs][:snapshot_id]}"
59:           Chef::Log.fatal __message
60:           raise __message
61:         end
62:       end

Compiled Resource:

Declared in /var/chef-solo/cookbooks/elasticsearch/libraries/create_ebs.rb:16:in `create_ebs'

ruby_block("Create EBS volume on /dev/sda2 (size: 25GB)") do
  action "run"
  retries 0
  retry_delay 2
  block_name "Create EBS volume on /dev/sda2 (size: 25GB)"
  cookbook_name :elasticsearch
  recipe_name "ebs"
  block #<Proc:0x0000000164ec58@/var/chef-solo/cookbooks/elasticsearch/libraries/create_ebs.rb:18>
end

[2014-03-20T18:29:20+00:00] ERROR: Running exception handlers
[2014-03-20T18:29:20+00:00] ERROR: Exception handlers complete
[2014-03-20T18:29:20+00:00] FATAL: Stacktrace dumped to /var/chef-solo/chef-stacktrace.out
Chef Client failed. 1 resources updated
[2014-03-20T18:29:20+00:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)
Connection to ec2-23-20-247-88.compute-1.amazonaws.com closed.

real    0m7.060s
user    0m0.013s
sys     0m0.005s

Here is my node.json configuration:

{
  "run_list": [ "recipe[monit]",
                "recipe[elasticsearch]",
                "recipe[elasticsearch::plugins]",
                "recipe[elasticsearch::ebs]",
                "recipe[elasticsearch::data]",
                "recipe[elasticsearch::aws]",
                "recipe[elasticsearch::nginx]",
                "recipe[elasticsearch::proxy]",
                "recipe[elasticsearch::monit]" ],

  "elasticsearch" : {
    "cluster_name" : "elasticsearch_test_with_chef",
    "bootstrap" : { "mlockall" : false },

    "discovery" : { "type": "ec2" },

    "path": {
      "data": ["/usr/local/var/data/elasticsearch/disk1"]
    },

    "data" : {
      "devices" : {
        "/dev/sda2" : {
          "file_system"      : "ext3",
          "mount_options"    : "rw,user",
          "mount_path"       : "/usr/local/var/data/elasticsearch/disk1",
          "format_command"   : "mkfs.ext3",
          "fs_check_command" : "dumpe2fs",
          "ebs"              : {
            "size"                  : 25,
            "delete_on_termination" : true,
            "type"                  : "io1",
            "iops"                  : 100
          }
        }
      }
    },

    "cloud"   : {
      "aws"     : {
        "access_key" : "xxxxxxx",
        "secret_key" : "xxxxxxxxxxxxxxxxxxx",
        "region"     : "us-east-1"
      },
      "ec2"     : {
        "security_group": "elasticsearch-test"
      }
    },

    "plugins" : {
      "karmi/elasticsearch-paramedic" : {}
    },

    "nginx" : {
      "users" : [ { "username" : "estest", "password" : "@estest!" } ],
      "allow_cluster_api" : true
    }
  },

  "monit" : {
    "notify_email" : "xxxxxxx",
    "mail_format" : { "from" : "xxxxxx", "subject" : "[monit] $SERVICE $EVENT on $HOST", "message" : "$SERVICE $ACTION: $DESCRIPTION" }
  }
}

Here is my AWS key configuration:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1394573401000",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeInstances",
        "ec2:DescribeRegions",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeTags",
        "ec2:AttachVolume",
        "ec2:CreateVolume"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

Apologies for not putting all this into a gist. I am not yet initiated
with github.

Thanks,
Dan

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/edbd438b-4248-44af-a579-93dc8cae8f46%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


(Tomer Levy) #2

I'm getting the same error when following the tutorial. Any idea how to
solve it?

On Thursday, March 20, 2014 8:41:05 PM UTC+2, Dan Testa wrote:

Hi,

I am following the elasticsearch chef cookbook tutorial here:

http://www.elasticsearch.org/tutorials/deploying-elasticsearch-with-chef-solo/

I am getting stuck on this step:

time ssh -t $SSH_OPTIONS $HOST "sudo chef-solo --node-name elasticsearch-test-1 -j /tmp/node.json"

Here is the error I am getting. It seems that my AWS key is lacking the
necessary permissions to create an EBS volume. I added "ec2:CreateVolume"
and "ec2:AttachVolume" to no avail. I cannot find any info on what
permissions I need to run this. Can anyone point me to this info?



(Karel Minarik) #3

Can you try using an AWS key with full permissions to your account? I don't
know if somebody has a concrete list of permissions to use here; it
definitely also needs permissions for listing volumes, etc. The same applies
to using IAM roles -- I've never successfully discovered which concrete
permissions should be set.

Karel

On Sunday, June 1, 2014 8:25:57 PM UTC+2, Tomer Levy wrote:

I'm getting the same error when following the tutorial. Any idea how to
solve it?

On Thursday, March 20, 2014 8:41:05 PM UTC+2, Dan Testa wrote:

Hi,

I am following the elasticsearch chef cookbook tutorial here:

http://www.elasticsearch.org/tutorials/deploying-elasticsearch-with-chef-solo/

I am getting stuck on this step:

time ssh -t $SSH_OPTIONS $HOST "sudo chef-solo --node-name elasticsearch-test-1 -j /tmp/node.json"

Here is the error I am getting. It seems that my AWS key is lacking the
necessary permissions to create an EBS volume. I added "ec2:CreateVolume"
and "ec2:AttachVolume" to no avail. I cannot find any info on what
permissions I need to run this. Can anyone point me to this info?



(billmasters) #4

I saw this thread after several hours of searching the internet for a solution. I finally found what worked for me.
I ran the command sudo yum groupinstall "Development Tools" before running the command time ssh -t $SSH_OPTIONS $HOST "sudo chef-solo --node-name elasticsearch-test-1 -j /tmp/node.json". I also had to use an IAM user with adequate EC2 permissions.
Hope this helps someone.
