External Cloud FAQs
You'll find answers to the most frequently-asked questions about configuring External Clouds at this link:
FAQs: Using CloudShare with Public Clouds
Feel free to contact CloudShare support for other issues or questions you have when using External Clouds.
Why is my VM preparation stuck at 66%?
This might happen for two reasons:
Reason #1
When you use a custom AMI, the VM password cannot be retrieved automatically. Preparation gets stuck if you did not provide the Username and Password for a Windows AMI, or the SSH Key for a Linux AMI.
For Linux AMI:
Specify the SSH Key and Username in your Terraform script, for example:
resource "aws_instance" "instance_example" {
  ami           = "ami-029d07fed0c85a123"
  instance_type = "t2.micro"
  key_name      = "cs-key"
  tags = {
    Name            = "My-VM"
    ci-key-username = "ec2-user"
  }
}
For Windows AMI:
Set the username and password of the AMI.
- Click the External Resources link via (a) the Snapshot page (to fix it for all environments created from this Blueprint), or (b) the Environment page (to fix it for the current environment).
- On the External Resource Custom Data pane, click the Edit icon.
- Add a new Custom Data entry. The name should be the exact name of the instance as specified in your Terraform script. Be sure to add the correct User and Password values.
Activating the fields Hide VM and Do not Add External IP is optional, according to your needs.
For more information about adding Custom Data click here.
For more information about the External Resources Summary page click here.
Reason #2
Ensure that the Name you configured in the Custom Data table is the same as the VM Name that is displayed in the CloudShare Viewer.
If the two are not identical, you will need to specify the Name tag in your Terraform script, for example:
tags = {
  Name = "My-VM"
}
CloudShare will then use this Name in order to match the credentials of the correct VM.
Why can’t I see my resources in GCP?
You need to choose the correct project in the GCP menu:
Select the project cloudsharelabs.com.
Why is my cloud provider user locked/inactive?
When a CloudShare environment is suspended, the cloud provider user will be locked in order to save costs. To resolve this, simply resume your CloudShare environment.
Why can’t I create an EC2 instance from a marketplace item?
Please contact CloudShare support to provide us with the URL of the marketplace item.
NOTE: CloudShare will soon enable you to add Marketplace AMIs directly from the CloudShare Admin console.
Which Terraform providers does CloudShare support?
Currently, we support three leading public cloud providers (AWS, Azurerm, and Google) and these utility providers: random, null, tls, template, time and http.
Where can I find CloudShare Terraform script examples?
To help you create Terraform scripts, CloudShare maintains script examples for various external clouds here: https://github.com/cloudshare/cloudshare-terraform-samples.
How can I help my students on their AWS accounts as an Instructor?
When a class that uses AWS resources is created, a new AWS IAM user is created automatically in the AWS account of each student.
The user name is wus-cloudshare-class-admin. The user password and account ID can be found in the Instructor Console for the class.
With this admin user, you can log in to any student’s account from the AWS Console.
Why do I get the following permission error when I try to create a new role using the ‘Administrator Access’ role?
Error: Error creating IAM Role <ROLE>: AccessDenied: User: arn:aws:iam::<ACCOUNT ID>:user/wus-cloudshare is not authorized to perform: iam:CreateRole on resource: arn:aws:iam::<ACCOUNT ID>:role/<ROLE> with an explicit deny
status code: 403, request id: 00f27ba3-cc68-4f60-b777-e08bf05c96ae
When you create a new AWS role, CloudShare requires that you set a specific permissions boundary on it.
You will notice your IAM user already has a boundary called BoundaryForAdministratorAccess.
This boundary limits some permissions and also forces newly created roles to carry the same boundary, in order to prevent unauthorized privilege escalation by a student.
You need to set this boundary on the new role for the role creation to succeed.
Perform the following steps:
- Add the following line to the top of your Terraform script to be able to get the account ID:
  data "aws_caller_identity" "current" {}
- Add this line to the new role that you are trying to create:
  permissions_boundary = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/BoundaryForAdministratorAccess"
The required boundary will be added to the newly created role.
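The two lines from the steps above, placed in a complete role definition. This is an added example, not CloudShare's own script: the role name, the EC2 trust policy and the ReadOnlyAccess attachment are assumptions chosen for illustration.

```hcl
# Added example; every name containing "example" is hypothetical.

# Step 1 from the page: look up the ID of the account Terraform runs in.
data "aws_caller_identity" "current" {}

locals {
  # ARN of the boundary that CloudShare requires on every new role.
  boundary_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/BoundaryForAdministratorAccess"
}

# Trust policy (assumption: the role is meant for EC2 instances).
data "aws_iam_policy_document" "example_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "example" {
  name               = "example-lab-role"
  assume_role_policy = data.aws_iam_policy_document.example_trust.json

  # Step 2 from the page: without this line, iam:CreateRole fails with the
  # "explicit deny" error shown above.
  permissions_boundary = local.boundary_arn
}

# The role's effective permissions are the intersection of its attached
# policies and the boundary, so a broad attachment cannot exceed the boundary.
# Assumption: the boundary allows attaching policies to bounded roles.
resource "aws_iam_role_policy_attachment" "example_read_only" {
  role       = aws_iam_role.example.name
  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}

output "example_role_boundary" {
  value = aws_iam_role.example.permissions_boundary
}
```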
If you are creating a new role directly from the AWS Console, just select the BoundaryForAdministratorAccess boundary during the creation process:
Why am I getting this ‘Handler failed’ error?
Handler failed - One or more errors occurred. (The image ID 'ami-0a7a25301e2ca1234' is no longer available)
The AMI that is referenced in the error is probably not configured correctly. Search for the AMI ID on the AMI list page to view its details.
To fix this error, either:
- Locate the bad AMI on the AMI list page and remove it from CloudShare.
- Fix the underlying issue of the AMI:
  - Verify the correct permissions were granted.
  - Verify the AMI details in CloudShare are the same as in your AWS account (i.e., ID, Account ID, Region).
  - Verify that the AMI exists in your AWS account.
How can I debug a user data script?
Send the output of the commands to a text file on the VM. Then you can view the text file after the instance has been created.
For Linux VMs:
Add this at the end of your commands: <command> &> /tmp/output
For Windows VMs:
Add this at the end of your commands: <command> | Out-File -FilePath C:\filename.txt
Does Azure have quotas that limit my compute resources?
Yes. If you wish to run multiple environments simultaneously on Azure, you should contact CloudShare Support to determine whether Azure quotas should be increased to meet your needs.
Also, please remember that quotas are defined per Azure Region.
Are there any alternatives to using user/custom data in Azure?
You can optionally use the Azure extensions resource to run a custom script that executes commands when the VM is created. You simply need to upload your script to a public GitHub repository and then specify it under the Azure extension settings using a ‘fileUris’ assignment, as shown below:
resource "azurerm_virtual_machine_extension" "myterraformvm" {
  name                 = "cloud-share-startup"
  virtual_machine_id   = azurerm_virtual_machine.main.id
  publisher            = "Microsoft.Azure.Extensions"
  type                 = "CustomScript"
  type_handler_version = "2.0"

  # The file name in commandToExecute must match the file downloaded via fileUris.
  settings = <<SETTINGS
    {
      "fileUris": [
        "https://raw.githubusercontent.com/USER/REPO/main/scripts.sh"
      ],
      "commandToExecute": "/bin/bash scripts.sh"
    }
  SETTINGS

  tags = {
    environment = "staging"
  }
}
Why can’t I RDP to a Windows VM that belongs to a domain?
If you can connect with a local user, i.e., \Administrator but are not able to connect with a domain user, then please verify that NLA is not enabled in your Remote Desktop settings:
- Right-click the This PC icon and click Properties. The computer properties window is displayed.
- Click Remote Settings.
- Uncheck Allow connections only from computers running Remote Desktop with Network Level Authentication.
- Click OK.
Your RDP connection should now work.
Can I use AWS CloudFormation templates within CloudShare?
Yes. The aws_cloudformation_stack Terraform resource can be used within your CloudShare external creation script to reference a publicly accessible CloudFormation template JSON or YAML file using the template_url parameter. For example:
resource "aws_cloudformation_stack" "CFT-With-URL" {
  name         = "My-CFT"
  template_url = "https://example-bucket.s3.amazonaws.com/My-CFT.yml"
}
Alternatively, the content of the CloudFormation template file can be added directly to the aws_cloudformation_stack resource block. An example of this is seen in the Terraform documentation for the aws_cloudformation_stack resource.
A CloudFormation template file can also be stored in a private S3 bucket. You can give CloudShare access to the private bucket using an AWS bucket policy. If you manually apply the following policy to the private S3 bucket that contains the CloudFormation template file, you can then refer to the bucket location in the template_url parameter of the aws_cloudformation_stack Terraform resource block (as in the example above).
S3 Policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowGetObject",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::<BUCKET_NAME>/*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalOrgID": "o-6519qq85v4"
        }
      }
    }
  ]
}
Where <BUCKET_NAME> is the name of your S3 private bucket, and o-6519qq85v4 is the CloudShare organization ID.
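The policy above allows every S3 action (`s3:*`) on the bucket's objects to any principal in the CloudShare organization, although its Sid names only GetObject. The following added example, which is not CloudShare's published policy, is a read-only variant written as Terraform for the account that owns the bucket. It assumes that fetching a template through template_url needs only s3:GetObject; the variable names and the optional key prefix are hypothetical.

```hcl
# Added example for the bucket owner's account; names are hypothetical.
variable "template_bucket_name" {
  type        = string
  description = "Private S3 bucket that holds the CloudFormation template"
}

variable "template_prefix" {
  type        = string
  default     = "" # e.g. "templates/" to expose only that key prefix
  description = "Optional key prefix that limits which objects are readable"
}

data "aws_iam_policy_document" "cloudshare_read_templates" {
  statement {
    sid     = "AllowGetObject"
    effect  = "Allow"
    actions = ["s3:GetObject"] # read-only, in place of s3:*

    resources = [
      "arn:aws:s3:::${var.template_bucket_name}/${var.template_prefix}*",
    ]

    # Renders as "Principal": "*"; the condition below narrows it.
    principals {
      type        = "*"
      identifiers = ["*"]
    }

    condition {
      test     = "StringEquals"
      variable = "aws:PrincipalOrgID"
      values   = ["o-6519qq85v4"] # CloudShare organization ID, as given above
    }
  }
}

resource "aws_s3_bucket_policy" "cloudshare_read_templates" {
  bucket = var.template_bucket_name
  policy = data.aws_iam_policy_document.cloudshare_read_templates.json
}
```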