unable to run aws eks cli commands

0

While running eks cli commnds facing the below issues

/usr/local/bin/aws eks list-clusters --region us-east-1

SSL validation failed for https://eks.us-east-1.amazonaws.com/clusters hostname 'eks.us-east-1.amazonaws.com' doesn't match either of '.us-east-1.es.amazonaws.com', '.cell-01.us-east-1.es.amazonaws.com'

but not seen when executing other cli commands. like (aws ec2)..

  • Hi - i suspect there is some sort of proxy involved here (or at least something intercepting the traffic and doing something to it). I don't really understand why this would just be for the EKS service though.

    Can you try this command?

    aws eks list-clusters --region us-east-1 --no-verify-ssl

    That should allow it to work i think. You'll get a warning though that this is insecure - ideally you need to find out whats intercepting the traffic and work out why it's somehow affecting calls to the EKS endpoints.

  • Hi, thanks for the reply but i see below,

    /usr/local/bin/aws eks list-clusters --region us-east-1 --no-verify-ssl urllib3/connectionpool.py:1045: InsecureRequestWarning: Unverified HTTPS request is being made to host 'eks.us-east-1.amazonaws.com'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings

    An error occurred (403) when calling the ListClusters operation: Credential should be scoped to correct service: 'es'.

  • Hi, Been trying to recreate the error and I now suspect that you maybe have an old version of the aws cli that has a bug specifically when trying to access eks endpoints. It looks like the cert validation it is trying to do is just wrong. Latest version looks to be 2.9.22 - can you confirm what version you are on and try to recreate the issue after you do a cli upgrade?

  • aws --version aws-cli/2.9.22 Python/3.9.11 Linux/3.10.0-1160.15.2.el7.x86_64 exe/x86_64.centos.7 prompt/off

    installed latest one recently

1 Answer
0

Hello,

I am Manpreet from AWS. Thanks for raising this concern.

I understand that you are facing below error when running below command:

/usr/local/bin/aws eks list-clusters --region us-east-1 --no-verify-ssl

Latest Error:

urllib3/connectionpool.py:1045: InsecureRequestWarning: Unverified HTTPS request is being made to host 'eks.us-east-1.amazonaws.com'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings

An error occurred (403) when calling the ListClusters operation: Credential should be scoped to correct service: 'es'.

It seems like there might be a different mapping for eks.us-east-1.amazonaws.com in your hosts file, due to which it is forwarding the request to .us-east-1.es.amazonaws.com

To verify the same, I added the below entry in my /etc/hosts file and I got the certificate from google and I also got the same error as of your's ssl validation error.

8.8.8.8 eks.us-east-1.amazonaws.com

So it looks like you are have mapping of Opensearch public IP for eks.us-east-1.amazonaws.com and hence you are getting certificate from that endpoint that is mentioned in your /etc/hosts file and hence getting the SSL validation error.

Can you validate your /etc/hosts file and your DNS records for eks.us-east-1.amazonaws.com , is it pointing to Opensearch endpoint? If so this might be causing the issue.

Looking forward to hear from you. Have a great day ahead.

AWS
SUPPORT ENGINEER
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions