On the week 1 assignment: Troubleshooting Database Connectivity on AWS, towards the last stage on Amason3 > Buckets > Edit bucket Policy, when I wanted to save the changes, I got an error message stating “You need Permission : user *** is not authorized to perform: access-analyzer: Validate Policy on resourse ***”

S3 Bucket Error Message690×304 27.8 KB

S3 Bucket Error Message1581×697 84.4 KB

I tried again this morning to start the assignment afresh, however, when I clicked on the AWS link on the Vocareum page I got this error message “The credentials in your login link were invalid. Please contact your administrator.”
Please assist

Hello @OF4,
In the first issue I could reproduce the issue in this post. Could you check you have the correct resource in the bucket policy it might be missing the correct parameter (should look like this: "arn:aws:s3:::<YOUR-DATA-BUCKET>/csv/*" to work.

In the second issue after you run a new notebook for a second time the AWS has the previous credentials. Just logout and click the link again to fix it:

AWS_logout855×292 31.4 KB

Hi @Georgios , I have also seen same warning message for me, but I was able to save my settings. I have done all steps correctly, but still I got less grade. The submission report says my S3 Bucket policy was not updated correctly. Here is my screenshot. Please let me know

image1911×988 109 KB

Hello @Georgios
Thank you for your response. I tried to start the assignment again, however, when I clicked on the AWS link on the Vocareum page, the dot on the link turned yellow but never turned green until the 2 hours for the assignment elapsed. Please if there an error with the link kindly fix it, if not maybe I will try again later.

Hello @SantoshE,
It looks like you are use a different resource location. Just use arn:aws:s3:::/csv/*" with /csv included at the end. Could you add that and try again, thanks

Hello @OF4,
Sorry for the inconvenience, there has been an issue with lab last week due to a database version deprecation. I would update if I have an eta when it will be resolved. Thank you

Hello @OF4 , @SantoshE,
The lab seems to be working now, could you try again and for the last part:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::<YOUR-DATA-BUCKET>/csv/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "<YOUR-CLOUD9-ENV-IP-ADDRESS>" 
                }
            }
        }
    ]
}

Use the correct Resource and add /csv/* at the end after your bucket name. (only change this: < YOUR-DATA-BUCKET > with the output you got previously). Hope it helps

Hi @Georgios Im receiving error when following the step along the creation of cloud9. Can I get help on this please?

Access denied You don't have permission to iam:GetAccountPasswordPolicy. To request access, copy the following text and send it to your AWS administrator. Learn more about troubleshooting access denied errors. User: arn:aws:sts::211125681734:assumed-role/voclabs/user2407001=<Username>Action: iam:GetAccountPasswordPolicyContext: no identity-based policy allows the action

Hello @Edmund_Koh,
I couldn’t reproduce the issue, which part of the lab are you facing the issue, when you try to create the first environment or when you delete it later to create the correct one:

C2W1A1_cloud9_environments1602×357 85.9 KB

C2W1A1_cloud9529×214 29.6 KB

C2W1A1_cloud9a1237×798 108 KB

C2W1A1_cloud9b1302×724 116 KB

Hi @Georgios managed to resolved the issue, thank you

I am having issues to connect to the database even if they are in the same VPC. After inputting the password, it fails.

Hello @Yagmur_Gulec,
I guess you are in step 1.11 after using the correct VPC from the second instance. Afterwards in step 1.13 you need to add the correct inbound rules in the RDS database (not the rules in the EC2 bastion_host instance).
To do that you need to find the the security_group_id of the bastion_host instance. You should be able to connect to the database after adding the correct password, or see the error in step 1.14.

For the last step you need to add the S3_bucket permissions, hope it helps:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::<YOUR-DATA-BUCKET>/csv/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "<YOUR-CLOUD9-ENV-IP-ADDRESS>" 
                }
            }
        }
    ]
}

I meant after recreating the environment with the same VPC as the database. I am trying this step.
Optional : After the creation of the new Cloud9 environment, you can check now that it is in the same VPC of your database (see steps 2.8-2.9). After entering the password, I could not connect to the database. Shouldn’t it connect after doing the 2.10.?

Hello @Yagmur_Gulec,
You should edit the inbound rules of the RDS instance in step 2.13 and use use the security group of the EC2 instance to succesfully connect. That part fails since you are not are allowing that specific instance (EC2 with that SecurityGroup ID)to access the RDS database. If you add that rule you should be able to connect and pass the grade. Hope it helps

I am having trouble with connectivity. I cannot reproduce the fatal error. Everything seems to be set correctly, but the connection is timing out.

Connection_timeout2366×676 187 KB

sgr1920×963 111 KB

Hello @shamidou28,
It looks like you are trying to edit the bastion_host security_group (BastionSecurityGroup) in EC2. Could you follow the instructions in step 1.12 to add the inbound rules for DefaultVPCSecurityGroup in RDS instead. For the last part add the S3_bucket permissions use bastion_host Public IPv4 address and the S3 bucket_name. Hope it helps

I’m having the following error in the Week 1 Troubleshooting Database Connectivity assignment, at Section 3.13, after updating the S3 permissions:
voclabs:~/environment $ python3 scripts/download_from_s3.py
Error downloading file: module ‘awscrt.checksums’ has no attribute ‘crc64nvme’

The S3 permissions are as follows, they look correct:
{
“Version”: “2012-10-17”,
“Statement”: [
{
“Effect”: “Allow”,
“Principal”: “",
“Action”: “s3:GetObject”,
“Resource”: "arn:aws:s3:::de-c2w1a1-902413101434-us-east-1-data-test/csv/”,
“Condition”: {
“IpAddress”: {
“aws:SourceIp”: “34.201.139.114”
}
}
}
]
}

The variables in the download_from_s3.py script are:

Example usage

bucket_name = “de-c2w1a1-902413101434-us-east-1-data-test”
s3_key = “csv/ratings_ml_training_dataset.csv”
local_path = “data/ratings_ml_training_dataset.csv”

any ideas?
Is it a Python class issue, I’ve seen some similar on google, but not the same, and none mentioning ‘crc64nvme’?

Hello @oisinom,
I could try to reproduce it, but do you have a typo in the bucket policy in Principal, hope it helps:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*", <---Missing Star
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::<YOUR-DATA-BUCKET>/csv/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "<YOUR-CLOUD9-ENV-IP-ADDRESS>" 
                }
            }
        }
    ]
}

No, the * was in there, I might have done something when I copied it, but still the same error.

{
“Version”: “2012-10-17”,
“Statement”: [
{
“Effect”: “Allow”,
“Principal”: “",
“Action”: “s3:GetObject”,
“Resource”: "arn:aws:s3:::de-c2w1a1-902413101434-us-east-1-data-test/csv/”,
“Condition”: {
“IpAddress”: {
“aws:SourceIp”: “34.201.139.114”
}
}
}
]
}

It seems the * isn’t showing up between “xxx”