AWS source account configuration may fail with "Access Denied. IAM role with sufficient privileges must be attached to the CloudPoint EC2 host instance"

AWS source account configuration may fail with "Access Denied. IAM role with sufficient privileges must be attached to the CloudPoint EC2 host instance"

Article: 100045704
Last Published: 2019-07-31
Ratings: 0 0
Product(s): CloudPoint

Problem

AWS source account configuration may fail with "Access Denied. IAM role with sufficient privileges must be attached to the CloudPoint EC2 host instance" when CloudPoint is in a proxy server environment.

Error Message

From the flexsnap-agent log:

INFO - AWSCreds.get_attached_role: GET on /meta-data/iam/info returned code 503 suggesting role not attached

ERROR - FlexAgent.validate_config: validate config failed Access Denied. IAM role with sufficient privileges must be attached to the CloudPoint EC2 host instance

Cause

Due to proxy server, the flexsnap-agent container cannot connect to the instance metadata service to obtain the IAM info from the instance.

Solution

Add the IP address for the metadata service to VX_NO_PROXY configuration.

# sudo docker run -it --rm -v /cloudpoint:/cloudpoint -e VX_HTTP_PROXY="http://proxy.mycompany.com:8080/" -e VX_HTTPS_PROXY="https://proxy.mycompany.com:8080/" -e VX_NO_PROXY="169.254.169.254,localhost,*.ec2.internal" -v /var/run/docker.sock:/var/run/docker.sock veritas/flexsnap-cloudpoint:<version> install

Verify the 169.254.169.254 is allowed to bypass the proxy server also.

 

Was this content helpful?