Created 01-18-2019 06:47 PM
Hi,
I followed the exact steps to launch Cloudbreak (v2.7.0) on AWS:
https://hortonworks.github.io/cloudbreak-documentation/latest/aws-launch/index.html
As a pre-requisite, below two roles were created (based on AssumeRole and cb-policy json files as mentioned):
CloudbreakRole: Allows Cloudbreak to assume other IAM roles - specifically the CredentialRole.
CredentialRole: Allows Cloudbreak to create AWS resources required for clusters.
(Referring to https://hortonworks.github.io/cloudbreak-documentation/latest/aws-pre/index.html)
I could successfully launch Cloudbreak and create a Cloudbreak credential.
I used "Role based" authentication to create the cluster. Used platform as HDP 2.6 and blueprint: "EDW-ETL: Apache Hive, Apache Spark 2" with 2 nodes.
However, cluster creation is failing with the below errors:
java.util.concurrent.ExecutionException: com.sequenceiq.cloudbreak.cloud.exception.CloudConnectorException: AWS CloudFormation stack reached an error state: CREATE_FAILED reason: API: autoscaling:CreateAutoScalingGroup The default Service-Linked Role for Auto Scaling could not be created. com.amazonaws.services.identitymanagement.model.AmazonIdentityManagementException: User: arn:aws:sts::<account id>:assumed-role/CredentialRole/hadoop-provisioning is not authorized to perform: iam:CreateServiceLinkedRole on resource: arn:aws:iam::<account id>:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling (Service: AmazonIdentityManagement; Status Code: 403; Error Code: AccessDenied; Request ID: cc25dd31-1a50-11e9-bef1-a990dfdb8f39)
Can you please help?
Created 01-24-2019 09:11 AM
According to the AWS documentation, this might be your issue:
"Amazon EC2 Auto Scaling creates the AWSServiceRoleForAutoScaling service-linked role for you the first time that you create an Auto Scaling group but do not specify a different service-linked role.
Make sure that you have enabled the IAM permissions that allow an IAM entity (such as a user, group, or role) to create the service-linked role. Otherwise, the automatic creation fails. For more information, see Service-Linked Role Permissions in the IAM User Guide or the information about required user permissions in this guide."
Hope this helps!
Created 01-31-2019 08:39 PM
@pdarvasi: Ok, this is what my cb-policy.json looks like:
{
  "Effect": "Allow",
  "Action": [
    "iam:ListRolePolicies",
    "iam:GetRolePolicy",
    "iam:ListAttachedRolePolicies",
    "iam:ListInstanceProfiles",
    "iam:PutRolePolicy",
    "iam:PassRole",
    "iam:GetRole"
  ],
  "Resource": [
    "*"
  ]
},
{
  "Effect": "Allow",
  "Action": [
    "iam:ListRolePolicies",
    "iam:GetRolePolicy",
    "iam:ListAttachedRolePolicies",
    "iam:ListInstanceProfiles",
    "iam:PutRolePolicy",
    "iam:PassRole",
    "iam:GetRole"
  ],
  "Resource": [
    "*"
  ]
},
{
  "Effect": "Allow",
  "Action": [
    "autoscaling:CreateAutoScalingGroup",
    "autoscaling:CreateLaunchConfiguration",
    "autoscaling:DeleteAutoScalingGroup",
    "autoscaling:DeleteLaunchConfiguration",
    "autoscaling:DescribeAutoScalingGroups",
    "autoscaling:DescribeLaunchConfigurations",
    "autoscaling:DescribeScalingActivities",
    "autoscaling:DetachInstances",
    "autoscaling:ResumeProcesses",
    "autoscaling:SuspendProcesses",
    "autoscaling:UpdateAutoScalingGroup"
  ],
  "Resource": [
    "*"
  ]
},
{
  "Effect": "Allow",
  "Action": [
    "kms:ListKeys",
    "kms:ListKeyPolicies",
    "kms:ListAliases"
  ],
  "Resource": "*"
}
========================================================
Are you saying I also need to add the below?
{
  "Effect": "Allow",
  "Action": [
    "ec2:*"
  ],
  "Resource": "*"
}
Created 02-01-2019 03:26 PM
No, according to the documentation, you should create an autoscaling group with an admin user with enough rights and ensure that the "AWSServiceRoleForAutoScaling" role has been created automatically.
After this has succeeded your cluster create should proceed further.
Hope this helps!
Created 02-15-2019 01:13 PM
@pdarvasi, @Pushpak Nandi I too faced this problem, which I resolved by adding the permission iam:CreateServiceLinkedRole to the json described in this document.
Created 04-23-2020 09:17 PM
It works!
I added the policy config to the json file and succeeded in creating the cluster.
The contents added to the json file are as follows:
Thank you!
{
  "Effect": "Allow",
  "Action": [
    "iam:ListRolePolicies",
    "iam:GetRolePolicy",
    "iam:ListAttachedRolePolicies",
    "iam:ListInstanceProfiles",
    "iam:PutRolePolicy",
    "iam:PassRole",
    "iam:GetRole",
    "iam:CreateServiceLinkedRole"
  ],
  "Resource": [
    "*"
  ]
}
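
Added example, not part of the thread or of the Cloudbreak documentation: a simplified Python check that pulls the denied action and resource out of the AccessDenied message from the first post and tests them against policy statements, comparing the original cb-policy IAM statement with a statement that grants iam:CreateServiceLinkedRole only for the Auto Scaling service-linked role instead of on Resource "*". The account ID 111122223333, the SCOPED statement and the function names are assumptions; the matcher handles Allow statements with Action/Resource wildcards only and does not evaluate Deny, NotAction or Condition.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample: the AccessDenied text from the thread, with a placeholder account ID.
ERROR = ("User: arn:aws:sts::111122223333:assumed-role/CredentialRole/hadoop-provisioning "
         "is not authorized to perform: iam:CreateServiceLinkedRole on resource: "
         "arn:aws:iam::111122223333:role/aws-service-role/autoscaling.amazonaws.com/"
         "AWSServiceRoleForAutoScaling (Service: AmazonIdentityManagement; Status Code: 403)")

# IAM statement from the original cb-policy.json as posted in the thread.
ORIGINAL = [{"Effect": "Allow", "Resource": ["*"], "Action": [
    "iam:ListRolePolicies", "iam:GetRolePolicy", "iam:ListAttachedRolePolicies",
    "iam:ListInstanceProfiles", "iam:PutRolePolicy", "iam:PassRole", "iam:GetRole"]}]

# Assumed least-privilege addition: only the Auto Scaling service-linked role.
SCOPED = {"Effect": "Allow", "Action": "iam:CreateServiceLinkedRole",
          "Resource": "arn:aws:iam::*:role/aws-service-role/"
                      "autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling*",
          "Condition": {"StringLike": {"iam:AWSServiceName": "autoscaling.amazonaws.com"}}}

def parse_denial(message):
    """Return (action, resource) from an IAM 'is not authorized to perform' message."""
    m = re.search(r"is not authorized to perform: (\S+) on resource: (\S+)", message)
    if not m:
        raise ValueError("not an IAM AccessDenied message")
    return m.group(1), m.group(2)

def as_list(value):
    return value if isinstance(value, list) else [value]

def allows(statements, action, resource):
    """True if any Allow statement matches; ignores Deny, NotAction and Condition."""
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        # IAM action names are case-insensitive; ARNs are matched case-sensitively.
        act_ok = any(fnmatchcase(action.lower(), a.lower()) for a in as_list(st["Action"]))
        res_ok = any(fnmatchcase(resource, r) for r in as_list(st["Resource"]))
        if act_ok and res_ok:
            return True
    return False

if __name__ == "__main__":
    action, resource = parse_denial(ERROR)
    print(action, "allowed by original policy:", allows(ORIGINAL, action, resource))
    print(action, "allowed with scoped statement:", allows(ORIGINAL + [SCOPED], action, resource))
```

With the scoped statement, the same role still cannot create service-linked roles for other services, which the Resource "*" form would permit.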