qKe Request failed with status code 403 #499
Comments
Open up your browser dev tools and paste any errors you see there into this issue.
{
Yeah, because the Fargate task speaks to AppSync, it needs to access the internet. If you just update the CFN stack and change that parameter back to
Yea, easy enough. Thanks. Error's gone but now no resources discovered... different problem I guess...
The discovery task runs every 15 minutes, so won't run for another 5 minutes (assuming you've deployed the CloudFormation to the various accounts you want to import).
No, the r value will work. Check the ECS logs (don't worry about lambda) for any errors, instructions at this link: https://aws-solutions.github.io/workload-discovery-on-aws/workload-discovery-on-aws/2.0/debugging-the-discovery-component.html.
Thanks. It was the r value and it did discover some resources however going through the debugging I'm getting quite a lot (22 per discovery) of: I'm also getting 1:
In AWS_ORGANIZATIONS mode, Workload Discovery does not manage enablement of Config. We leave that down to customers as managing deployment of Config is different for every organization based on what they want to monitor and potential costs incurred by enabling it across a large number of accounts and regions. If one of your accounts doesn't have resources in it then it means Config is either not enabled in any regions in that account or as you mentioned, there is some permission error or SCP that is preventing it from doing so.
The API errors are because the discovery process is being rate limited when it makes SDK calls to the API gateway SDK. API Gateway limits are account wide (rather than regional) so if there are a large number of API gateway resources in an account, these sorts of throttling errors are unavoidable. The IAM error you are seeing is because of the way organization wide StackSets work: they do not allow you to deploy a stack instance to the management account. In AWS_ORGANIZATIONS mode, the deployment process uses StackSets to deploy the global resources stack on your behalf in all the accounts in your organization. There should be an error dialog box on the Accounts page of the Workload Discovery UI that has a link to the template that you can manually deploy in the management account using CloudFormation.
Is this something that AWS support can temporarily increase or lift? It looks like it's stopping at the same point each time so it's not discovering new resources.
I installed the template and so that's sorted now.
Do you mean the discovery process is crashing? Those throttling errors should only affect API Gateway, they should be skipped over and the process should move on to the next set of resources. Can you attach the ECS logs here so I can have a look?
I don't know if the process is crashing but I do know not all of my resources are being discovered. In the account mentioned before each region shows "Not Discovered" but I know that account has 514 resources across 18 regions according to resource explorer. Or are there default resources in each region and the discovery process is filtering them out? I've attached the ECS logs for the most recent discovery job.
The discovery process is not crashing but it looks like there are only 1734 resources in the entire aggregator, that seems very low for an organization wide aggregator. When you say 'resource explorer', do you mean the service or do you mean the resource section in the AWS Config console page? Can you go to the aggregator that WD deployed (it will be called SELECT * WHERE accountId = '<account-id-with-514 resources' Make sure the query scope is the aggregator as per the screenshot: What results do you see when you run the query?
The results of the SQL query mean it looks like the issue is that AWS Config is not enabled in any regions in that account. Try enabling it in If Config doesn't know about a resource there's no way for WD to discover it as we get 90% of our resources from their APIs (under the hood we also use the SQL syntax you are using there for your ad hoc query).
Thanks. That's showing up now. Does AWS Config need to be enabled in every region in use or only one per account? For 682880543195 us-east-1 and ap-southeast-2 are in use.
Yeah, it needs to be enabled in each region you're interested in.
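Added example, not part of the thread or of the Workload Discovery code: a per-region check for the condition discussed above, where a region shows "Not Discovered" because AWS Config is not recording there. It evaluates the responses of `describe-configuration-recorder-status`; the function names and the sample responses are constructed for illustration, and `fetch_status` assumes boto3 and credentials for the account being checked.

```python
"""Report in-use regions where AWS Config is not recording (added example)."""


def recorder_gaps(status_by_region, regions_in_use):
    """Return {region: reason} for each in-use region Config cannot see.

    status_by_region maps a region name to that region's
    describe-configuration-recorder-status response.
    """
    gaps = {}
    for region in regions_in_use:
        recorders = status_by_region.get(region, {}).get(
            "ConfigurationRecordersStatus", [])
        active = [r for r in recorders if r.get("recording")]
        if not recorders:
            gaps[region] = "no configuration recorder"
        elif not active:
            gaps[region] = "recorder exists but is stopped"
        elif all(r.get("lastStatus") == "Failure" for r in active):
            gaps[region] = "last recording event failed"
    return gaps


def fetch_status(regions):
    """Collect live recorder status (assumes boto3 and valid credentials)."""
    import boto3
    return {
        region: boto3.client("config", region_name=region)
        .describe_configuration_recorder_status()
        for region in regions
    }


# Constructed sample responses, trimmed to the fields used above.
SAMPLE_STATUS = {
    "us-east-1": {"ConfigurationRecordersStatus": [
        {"name": "default", "recording": True, "lastStatus": "Success"}]},
    "ap-southeast-2": {"ConfigurationRecordersStatus": []},
    "eu-west-1": {"ConfigurationRecordersStatus": [
        {"name": "default", "recording": False, "lastStatus": "Success"}]},
}

if __name__ == "__main__":
    in_use = ["us-east-1", "ap-southeast-2", "eu-west-1"]
    for region, reason in recorder_gaps(SAMPLE_STATUS, in_use).items():
        print(f"{region}: {reason}")
```

A region with a recorder can still be invisible to the aggregator if the recorder is stopped, which is why the check looks at `recording` and `lastStatus` rather than only at whether a recorder exists.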
Great. That's solved most of my problems!
That's strange. Are there any errors in the discovery process logs?
I think I've sorted it. I did find out that Config was not enabled on the other regions but that the admin account for some reason can't add it to those regions. I've also realized there's only the default stuff in those regions without config so at the moment not necessary. Is there a way to filter out the default resources?
If your issue relates to the Discovery Process, please first follow the steps described in the implementation guide Debugging the Discovery Component
Describe the bug
when clicking on resources I get the error qKe Request failed with status code 403
To Reproduce
Steps to reproduce the behavior:
Expected behavior
resources listed
Screenshots
Browser (please complete the following information):
reproducible on latest versions of edge and chrome
Additional context
Add any other context about the problem here.