workload-discovery-on-aws

WebUiUrl is not accessible after deploying the solution stack

Open awscoe opened this issue 1 year ago • 4 comments

Feature name: WebUiUrl is not accessible after deploying the solution stack

Is your feature request related to a problem? Please describe.
WebUiUrl is not accessible after deploying the solution stack: https://d3mjzdvwbwcshm.cloudfront.net/

I need assistance to complete my post deployment steps to use the solution in our environment.

Error:

    <Error>
      <Code>AccessDenied</Code>
      <Message>User: arn:aws:sts::856369053181:assumed-role/OriginAccessControlRole/EdgeCredentialsProxy+EdgeHostAuthenticationClient-DEL54-P7 is not authorized to perform: kms:Decrypt on the resource associated with this ciphertext because the resource does not exist in this Region, no resource-based policies allow access, or a resource-based policy explicitly denies access</Message>
      <RequestId>AAFAS781YFYA8TXA</RequestId>
      <HostId>vv0H8OFH6HHEVaqFPV/rL3q+OEIkYZpA5uHSsUTKYqKTnEsAbWsOVl9C1GUnwsSnLyJzjMA3hQ4=</HostId>
    </Error>

awscoe, Sep 19 '24 08:09

I have deployed the solution stack in us-east-2 (Ohio) and CloudFront is also deployed in the same region. Is there any region restriction for CloudFront? Can you please share your e-mail ID so that I can show you the error that I am facing for the WebUiUrl?

awscoe, Sep 19 '24 08:09

I have never seen an error like this before but it looks like it could be an SCP associated with the account that Workload Discovery was deployed to. The arn:aws:sts::856369053181:assumed-role/OriginAccessControlRole/EdgeCredentialsProxy+EdgeHostAuthenticationClient-DEL54-P7 is not deployed by the solution. As you can see here, there is no role associated with the AWS::CloudFront::OriginAccessControl resource provisioned by CloudFormation: https://github.com/aws-solutions/workload-discovery-on-aws/blob/3a7e39605e0937f3c14a34c8230f8ac80fbeadfd/source/cfn/templates/webui.template#L43.

svozza, Sep 19 '24 10:09
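The AccessDenied body from the issue can be split into the denied principal, the denied action and the three causes the message itself lists, which is the first triage step before checking key policies or SCPs. This is an added example, not code from the thread or from the Workload Discovery project; `triage`, `stack_roles` and the role name `ConstructedStackRole` are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Error body copied from the issue above (HostId omitted).
ERROR_XML = (
    "<Error><Code>AccessDenied</Code><Message>User: "
    "arn:aws:sts::856369053181:assumed-role/OriginAccessControlRole/"
    "EdgeCredentialsProxy+EdgeHostAuthenticationClient-DEL54-P7 "
    "is not authorized to perform: kms:Decrypt on the resource associated "
    "with this ciphertext because the resource does not exist in this "
    "Region, no resource-based policies allow access, or a resource-based "
    "policy explicitly denies access</Message>"
    "<RequestId>AAFAS781YFYA8TXA</RequestId></Error>"
)

# Shape of the "User: <sts assumed-role ARN> is not authorized ..." message.
MSG_RE = re.compile(
    r"User: (?P<arn>arn:aws:sts::(?P<account>\d{12}):assumed-role/"
    r"(?P<role>[^/\s]+)/(?P<session>\S+)) is not authorized to perform: "
    r"(?P<action>[\w-]+:\w+)(?: on (?P<target>.+?))?"
    r"(?: because (?P<reasons>.+))?$"
)

def triage(xml_text, stack_roles=frozenset()):
    """Return the denied principal, action and candidate causes, or None
    when the body is not an AccessDenied error of the expected shape.

    stack_roles (hypothetical input): role names the deployed stack is
    known to have created, used to flag a principal that did not come
    from the stack, as pointed out in the reply above.
    """
    root = ET.fromstring(xml_text)
    match = MSG_RE.match(root.findtext("Message", default="").strip())
    if root.findtext("Code") != "AccessDenied" or match is None:
        return None
    info = match.groupdict()
    reasons = info.pop("reasons") or ""
    # The message joins its possible causes with ", " and a final ", or ".
    info["causes"] = [c.strip() for c in
                      re.split(r",\s*(?:or\s+)?", reasons) if c.strip()]
    info["role_from_stack"] = info["role"] in stack_roles
    info["request_id"] = root.findtext("RequestId")
    return info

if __name__ == "__main__":
    for key, value in triage(ERROR_XML, {"ConstructedStackRole"}).items():
        print(f"{key}: {value}")
```

Each entry in `causes` maps to a separate check: the Region of the KMS key, the key policy's allow statements, and any explicit deny in a resource-based policy.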

Hi Stefano, Thanks for the update. Quick questions:

  1. Is there any region restriction for CloudFront if I have deployed the Workload Discovery Solution stack in us-east-2 (Ohio)?
  2. Can this solution be deployed in CloudFront US-East-2?

Please confirm.

Regards, Dalkeshwar Prasad

awscoe, Sep 19 '24 12:09

I'm not sure what you mean by deploying CloudFront in us-east-2? CloudFront is a global service so it doesn't have a region associated with it. The solution can be deployed in us-east-2; I have done so many times before. A list of the supported regions can be seen in the documentation: https://docs.aws.amazon.com/solutions/latest/workload-discovery-on-aws/supported-aws-regions.html.

svozza, Sep 19 '24 12:09

Closing due to inactivity.

svozza, Nov 22 '24 15:11