Skip to content

IAM issue in GovCloud #769

New issue
New issue
Open
Open
IAM issue in GovCloud#769
Labels
bugSomething isn't workinggood first issueGood for newcomershelp wantedExtra attention is needed
@jeffsegal

Description

@jeffsegal
jeffsegal
opened on Jan 8, 2024

After attempting to deploy a zero config Stack to GovCloud, I found that the runners were failing to be created due to an IAM issue. Here's a sanitized snippet from /var/log/gitlab-runner.log:

Jan 4 20:10:30 ip-REDACTED gitlab-runner: #33[31;1mERROR: Error creating machine: Error in driver during machine creation: Error request spot instance: UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws-us-gov:sts::REDACTED:assumed-role/GitLabRunnerStack-GitlabRunnerManagerRole2F9BC927-REDACTED/i-REDACTED is not authorized to perform: ec2:RequestSpotInstances on resource: arn:aws-us-gov:ec2:us-gov-west-1:REDACTED:subnet/subnet-REDACTED because no identity-based policy allows the ec2:RequestSpotInstances action.

Deeper inspection found the culprit at

cdk-autoscaling-gitlab-runner/src/runner/manager.ts

Line 162 in cd20c13

"ec2:Vpc": `arn:aws:ec2:${Stack.of(this).region}:${Stack.of(this).account}:vpc/${
Whereas the arn:aws prefix is hard-coded, the actual GovCloud ARN prefix is going to be arn:aws-us-gov.

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't workinggood first issueGood for newcomershelp wantedExtra attention is needed

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions