AWS provisioning stopped work - Getting 403 Forbidden: error #469
Comments
LOGS:
|
Hello, I am having a similar problem with chef-provisioning AWS. To me, it seems as if it is no longer installing chef-client and bootstrapping the node before attempting to converge. I am wondering if there may have been a change either in chef-provisioning or chef-provisioning-aws which may have caused the change. |
Hey @vinsleo and @evidetta-adbrain - will you try this with the latest pre-release of the ChefDK and see if you still have the issue? |
It mentions to try other version. As the latest one does not exist for Ubuntu? COMMAND: OUTPUT:
|
OK meanwhile tried with the following version Still get the Forbidden error
|
I've been receiving very similar messages trying to provision to docker.
|
@mickfeech Thanks for sharing the link from @marc- written by @jtimberman
This has fixed my issue. However it has confused me. I checked the permission tabs on hosted chef server console before applying these changes. It had an entry with the name of my CLIENT with all permissions on it. So I admit I was a bit skeptical that these changes would work. But surprisingly they worked. Now I just need to understand what's going on!
What's the magic? |
Yeah. The same thing happened to me. It looks like there are some hidden permissions in the webui. One would think (like us) that any node should be able to have the permissions to provision a container or at least documented in an official capacity. On Wed, Nov 4, 2015 at 6:35 PM, Vinay notifications@github.com wrote:
|
I managed to solve this issue tonight after a bit of Googling. As it turns out, it is not a bug in chef-provisioning but rather the ACLs on Chef Server which are causing issues. In order to provision, the provisioner needs to have the permission to create, read, update and grant permissions to new clients. What this involves in Chef Server is creating a group for your provisioner clients and granting permissions on that group to create other clients. It was a bit counter-intuitive to do since Chef Server does not provide the UI to easily assign permissions to create clients. First, I created a provisioners group. Then I ran |
That would be awesome if we could document this on the main documentation, to avoid spending hours on this issue :D |
Hit the same issue today - the problem with ACLs for provisioning node to be able to create required object on Chef server.
However, they are not full and require granting permissions to databag (at least, for AWS):

```bash
# Chef server that has never run provisioning before:
# grant the provisioners group each permission on the data container
for permission in read create update grant delete
do
  knife acl add group provisioners containers data "$permission"
done

# For a Chef server that has already done provisioning, also run this
# to grant the same permissions on existing data bags matching aws_.*
for permission in read create update grant delete
do
  knife acl bulk add group provisioners data 'aws_.*' "$permission"
done
```
|
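A way to check the ACL fix described in the comments above, as an added example that is not from the thread or from the Chef project: it audits ACL documents in the JSON shape Chef Server uses for ACLs and lists which permissions the `provisioners` group still lacks. The sample ACLs are constructed, and the `REQUIRED` table is an assumption built from the comments (create, read, update, grant on the `clients` container; the five permissions from the knife loop on `data`).

```ruby
require 'json'

# Permissions the thread says a provisioner group needs, keyed by container.
# Assumption: "clients" is the container that holds API clients; the "data"
# list mirrors the knife acl loop posted in the thread.
REQUIRED = {
  'clients' => %w[create read update grant],
  'data'    => %w[read create update grant delete]
}.freeze

# Returns { container => [missing permissions] } for the given group.
# acls maps a container name to its ACL document, shaped as
# { "create" => { "actors" => [...], "groups" => [...] }, ... }.
# A container with no ACL document counts as missing every permission.
def missing_permissions(acls, group, required = REQUIRED)
  required.each_with_object({}) do |(container, perms), gaps|
    acl = acls[container] || {}
    missing = perms.reject do |perm|
      Array(acl.dig(perm, 'groups')).include?(group)
    end
    gaps[container] = missing unless missing.empty?
  end
end

# Constructed sample: the clients container was fixed, the data container was not.
SAMPLE_ACLS = JSON.parse(<<~JSON)
  {
    "clients": {
      "create": {"actors": ["pivotal"], "groups": ["admins", "provisioners"]},
      "read":   {"actors": ["pivotal"], "groups": ["admins", "users", "provisioners"]},
      "update": {"actors": ["pivotal"], "groups": ["admins", "provisioners"]},
      "delete": {"actors": ["pivotal"], "groups": ["admins"]},
      "grant":  {"actors": ["pivotal"], "groups": ["admins", "provisioners"]}
    },
    "data": {
      "create": {"actors": ["pivotal"], "groups": ["admins", "users"]},
      "read":   {"actors": ["pivotal"], "groups": ["admins", "users", "clients"]},
      "update": {"actors": ["pivotal"], "groups": ["admins", "users"]},
      "delete": {"actors": ["pivotal"], "groups": ["admins", "users"]},
      "grant":  {"actors": ["pivotal"], "groups": ["admins"]}
    }
  }
JSON

if __FILE__ == $PROGRAM_NAME
  missing_permissions(SAMPLE_ACLS, 'provisioners').each do |container, perms|
    puts "#{container}: provisioners lacks #{perms.join(', ')}"
  end
end
```

An empty result means the group holds every listed permission; any remaining entry names the container whose ACL would still produce the 403 during provisioning.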
Attached is the debug log
Tried resetting the KEY and downloaded the starter kit, still doesn't work.
This was working before
however the working log had slightly different line numbers, so not sure if it's the CHEFDK's latest version issue
for e.g. following line is from the logs of the run that worked correctly
compared to the attached log