- Newest
- Most votes
- Most comments
Hello,
I am Manpreet from AWS. Thanks for raising this concern.
I understand that you are facing below error when running below command:
/usr/local/bin/aws eks list-clusters --region us-east-1 --no-verify-ssl
Latest Error:
urllib3/connectionpool.py:1045: InsecureRequestWarning: Unverified HTTPS request is being made to host 'eks.us-east-1.amazonaws.com'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
An error occurred (403) when calling the ListClusters operation: Credential should be scoped to correct service: 'es'.
It seems like there might be a different mapping for eks.us-east-1.amazonaws.com in your hosts file, due to which it is forwarding the request to .us-east-1.es.amazonaws.com
To verify the same, I added the below entry in my /etc/hosts file and I got the certificate from google and I also got the same error as of your's ssl validation error.
8.8.8.8 eks.us-east-1.amazonaws.com
So it looks like you are have mapping of Opensearch public IP for eks.us-east-1.amazonaws.com and hence you are getting certificate from that endpoint that is mentioned in your /etc/hosts file and hence getting the SSL validation error.
Can you validate your /etc/hosts file and your DNS records for eks.us-east-1.amazonaws.com , is it pointing to Opensearch endpoint? If so this might be causing the issue.
Looking forward to hear from you. Have a great day ahead.
Relevant content
- asked a month ago
- asked a month ago
- Accepted Answerasked 2 years ago
- AWS OFFICIALUpdated 3 years ago
- AWS OFFICIALUpdated 2 months ago
- AWS OFFICIALUpdated 7 months ago
- AWS OFFICIALUpdated 5 months ago
Hi - i suspect there is some sort of proxy involved here (or at least something intercepting the traffic and doing something to it). I don't really understand why this would just be for the EKS service though.
Can you try this command?
aws eks list-clusters --region us-east-1 --no-verify-ssl
That should allow it to work i think. You'll get a warning though that this is insecure - ideally you need to find out whats intercepting the traffic and work out why it's somehow affecting calls to the EKS endpoints.
Hi, thanks for the reply but i see below,
/usr/local/bin/aws eks list-clusters --region us-east-1 --no-verify-ssl urllib3/connectionpool.py:1045: InsecureRequestWarning: Unverified HTTPS request is being made to host 'eks.us-east-1.amazonaws.com'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
An error occurred (403) when calling the ListClusters operation: Credential should be scoped to correct service: 'es'.
Hi, Been trying to recreate the error and I now suspect that you maybe have an old version of the aws cli that has a bug specifically when trying to access eks endpoints. It looks like the cert validation it is trying to do is just wrong. Latest version looks to be 2.9.22 - can you confirm what version you are on and try to recreate the issue after you do a cli upgrade?
aws --version aws-cli/2.9.22 Python/3.9.11 Linux/3.10.0-1160.15.2.el7.x86_64 exe/x86_64.centos.7 prompt/off
installed latest one recently