
Alarm Action “Terminate EC2 Instance” failed

When I start a certain type of instance, the userdata script creates a metric and an alarm via Boto. The metric delivers its data to CloudWatch correctly. The alarm should terminate the instance as an action if some condition based on the metric matches. In CloudWatch the alarm seems to be created correctly and it switches alarm states as desired.

BUT: When it comes to executing the action, it fails with the following "history" entries:

  • Alarm updated from OK to ALARM. Reason: Threshold Crossed: 5 datapoints were greater than the threshold (200.0). The most recent datapoints: 999.0, 999.0.
  • arn:aws:automate:eu-west-1:ec2:terminate is in progress.
  • Terminate EC2 Instance 'i-xxx' action failed. AWS was not able to validate the provided access credentials.

Screenshot of the alarm history

I've already granted the policy "AdministratorAccess" to the "userdata" role which is attached to the instance.

Any hints?

Regards Tom

I believe this is the issue. From the developer guide:

If you are using an IAM role (eg, an Amazon EC2 instance profile), you cannot stop or terminate the instance using alarm actions. However, you can still see the alarm state and perform any other actions such as Amazon SNS notifications or Auto Scaling policies.

I recently posted in the AWS Forum about this issue myself: https://forums.aws.amazon.com/message.jspa?messageID=601951

I just ran into this question and it seems I have resolved it.
The CloudWatch Alarm's service-linked IAM role is AWSServiceRoleForCloudWatchEvents. I found that its trusted entity is events.amazonaws.com, and its policy document in the Trust relationships tab is:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "events.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

And my EC2 instance's role policy document in the Trust relationships tab:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

And then add the trusted entity events.amazonaws.com to the EC2 instance's role policy document, as follows:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "events.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

This adds a trusted entity of events.amazonaws.com to the role.
Then the CloudWatch Alarm's stop-instance function is OK!
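As an added example, not code from the question or from either answer: a small Python helper that (1) lists which service principals a role's trust policy lets assume it, which is what the answer above checked by hand in the console, (2) builds the put_metric_alarm request that attaches the arn:aws:automate:<region>:ec2:terminate action shown in the alarm history, and (3) pulls the "action failed" entries out of the alarm history. The role name "userdata", the alarm name, metric name, namespace and the instance id are placeholders; the sample trust policy and history items are constructed from what this page shows; boto3 is imported only inside main() so the pure functions run offline.

```python
"""Inspect an IAM role trust policy and drive a CloudWatch EC2 alarm action (added example)."""
import json

# Constructed sample: the instance role trust policy from the answer above,
# after events.amazonaws.com was added as a second trusted service.
SAMPLE_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"},
    {"Effect": "Allow", "Principal": {"Service": "events.amazonaws.com"}, "Action": "sts:AssumeRole"}
  ]
}
""")

# Constructed sample: alarm history items shaped like describe_alarm_history() output,
# with the summaries taken from the question.
SAMPLE_HISTORY = [
    {"HistoryItemType": "StateUpdate", "HistorySummary": "Alarm updated from OK to ALARM"},
    {"HistoryItemType": "Action", "HistorySummary": "arn:aws:automate:eu-west-1:ec2:terminate is in progress."},
    {"HistoryItemType": "Action", "HistorySummary": "Terminate EC2 Instance 'i-xxx' action failed. "
                                                   "AWS was not able to validate the provided access credentials."},
]


def _as_list(value):
    """IAM policy fields (Statement, Action, Principal.Service) may be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trusted_service_principals(trust_policy):
    """Return the set of AWS service principals allowed to call sts:AssumeRole on the role.

    Only Allow statements whose Action covers sts:AssumeRole count; Deny statements and
    account/user principals are ignored because the question is about service trust.
    """
    services = set()
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in _as_list(stmt.get("Action"))):
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            services.update(_as_list(principal.get("Service")))
    return services


def ec2_action_alarm(alarm_name, instance_id, region, metric_name, namespace,
                     threshold, action="terminate", evaluation_periods=5, period=60):
    """Build the keyword arguments for cloudwatch.put_metric_alarm().

    The alarm action is the EC2 action ARN arn:aws:automate:<region>:ec2:<stop|terminate>,
    the form that appears in the alarm history on this page.
    """
    if action not in ("stop", "terminate"):
        raise ValueError("action must be 'stop' or 'terminate'")
    return {
        "AlarmName": alarm_name,
        "Namespace": namespace,
        "MetricName": metric_name,
        "Dimensions": [{"Name": "InstanceId", "Value": instance_id}],
        "Statistic": "Average",
        "Period": period,
        "EvaluationPeriods": evaluation_periods,
        "Threshold": float(threshold),
        "ComparisonOperator": "GreaterThanThreshold",
        "AlarmActions": [f"arn:aws:automate:{region}:ec2:{action}"],
        "ActionsEnabled": True,
    }


def failed_actions(history_items):
    """Return the summaries of alarm-history Action items that report a failed action."""
    return [item["HistorySummary"] for item in history_items
            if item.get("HistoryItemType") == "Action" and "action failed" in item.get("HistorySummary", "")]


def main():
    """Run against a real account; needs boto3 and credentials (role/alarm names are placeholders)."""
    import boto3  # imported here so the pure functions above work without boto3 installed
    region, role_name, instance_id = "eu-west-1", "userdata", "i-0123456789abcdef0"
    iam = boto3.client("iam", region_name=region)
    trust = iam.get_role(RoleName=role_name)["Role"]["AssumeRolePolicyDocument"]  # boto3 returns a dict
    print(f"services that may assume {role_name}: {sorted(trusted_service_principals(trust))}")
    cw = boto3.client("cloudwatch", region_name=region)
    cw.put_metric_alarm(**ec2_action_alarm("terminate-on-custom-metric", instance_id, region,
                                           "MyMetric", "Custom/App", threshold=200))
    history = cw.describe_alarm_history(AlarmName="terminate-on-custom-metric", HistoryItemType="Action")
    for summary in failed_actions(history["AlarmHistoryItems"]):
        print("FAILED:", summary)


if __name__ == "__main__":
    main()
```

Running trusted_service_principals() on the modified trust policy reports both ec2.amazonaws.com and events.amazonaws.com, which makes the effect of the change visible: the instance role, which in the question carries AdministratorAccess, can now be assumed by the CloudWatch Events service as well as by EC2. Checking that output before and after editing a trust relationship is cheaper than reading the JSON by eye.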
