rancher: Not able to edit cluster for AWS CN

What kind of request is this (question/bug/enhancement/feature request): bug

Steps to reproduce (least amount of steps as possible):

  1. Register an EKS cluster in AWS CN.
  2. After it is registered, open the edit cluster UI, as attached.
  3. Click next.

Result: You’ll find the error message, which says “Credential should be scoped to a valid region, not ‘us-east-1’.” But our cluster and credential are cn-north-1. Not able to go to the next step.

Other details that may be helpful: Adding EKS cluster has the same issue.


Environment information

  • Rancher version (rancher/rancher or rancher/server image tag, or shown bottom left in the UI): 2.5.1
  • Installation option (single install/HA): HA

gz#13326

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 16 (11 by maintainers)

Most upvoted comments

The proxy request failed because the domain (*.amazonaws.com.cn) is not in the whitelist. This is the mechanism of the Rancher meta-proxy.

There are two ways to work around this:

  1. Add *.amazonaws.com.cn to /v3/settings/whitelist-domain
  2. Add eks.%.amazonaws.com.cn and kms.%.amazonaws.com.cn to the field whitelistDomains of /v3/nodeDrivers/amazonec2

I think we should add these domains to the code so that the user has no need to input them manually.
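To make the difference between the two workarounds concrete, here is an added example (not part of the thread and not Rancher's own code) of a proxy host allowlist check. It assumes `*.` matches any host under the suffix and `%` matches exactly one DNS label; those semantics, the function name `hostAllowed` and the sample allowlists are assumptions for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// hostAllowed reports whether host matches any allowlist pattern.
// Assumed semantics (an illustration, not taken from Rancher's source):
//   "*.suffix" matches any host ending in ".suffix", at any depth
//   "%"        stands for exactly one DNS label
//   otherwise  exact, case-insensitive match
func hostAllowed(host string, patterns []string) bool {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	for _, p := range patterns {
		p = strings.ToLower(p)
		switch {
		case strings.HasPrefix(p, "*."):
			// p[1:] keeps the leading dot, so "evilamazonaws.com.cn" cannot match.
			if strings.HasSuffix(host, p[1:]) && len(host) > len(p)-1 {
				return true
			}
		case strings.Contains(p, "%"):
			labels := strings.Split(p, ".")
			for i, l := range labels {
				if l == "%" {
					labels[i] = "[a-z0-9-]+" // one label, no dots
				} else {
					labels[i] = regexp.QuoteMeta(l)
				}
			}
			re := regexp.MustCompile("^" + strings.Join(labels, `\.`) + "$")
			if re.MatchString(host) {
				return true
			}
		case p == host:
			return true
		}
	}
	return false
}

func main() {
	before := []string{"*.amazonaws.com"} // constructed: allowlist covering only the global partition
	narrow := []string{"eks.%.amazonaws.com.cn", "kms.%.amazonaws.com.cn"}
	broad := []string{"*.amazonaws.com.cn"}
	for _, h := range []string{"eks.cn-north-1.amazonaws.com.cn", "ec2.cn-north-1.amazonaws.com.cn"} {
		fmt.Println(h, hostAllowed(h, before), hostAllowed(h, narrow), hostAllowed(h, broad))
	}
}
```

Under these assumptions the per-service `%` patterns admit only the EKS and KMS regional endpoints, while the `*` pattern admits every host under amazonaws.com.cn, so the second workaround is the narrower grant.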

Thanks @niusmallnan, your comment explaining the problem was incredibly helpful!

@sowmyav27 Tested the following on Rancher v2.5-head version f54152f:

Register an existing Amazon EKS cluster

  • Region selected is us-west-2 and Cloud Credentials is cn-north-1: the request gets a 403 response: ‘Failed to load Clusters from Amazon: The security token included in the request is invalid’. Result: Failed to load Amazon EKS Clusters and not able to go to the next step.

  • Region selected is cn-north-1 and Cloud Credentials is cn-north-1: Amazon clusters load correctly. Result: Successfully imported an Amazon cluster in the Rancher UI.

Adding Amazon EKS cluster with k8s provider

  • Region selected is us-west-2 and Cloud Credentials is cn-north-1: click next and the request gets a 403 response: ‘InvalidClientTokenId: The security token included in the request is invalid’. Result: Not able to go to the next step.

  • Region selected is cn-north-1 and Cloud Credentials is cn-north-1: click next, successfully go to the next step. Result: Filled out the Amazon EKS configuration, and the EKS cluster was created successfully.

Edit Amazon EKS cluster

  • After the Amazon EKS cluster is registered, open the edit cluster UI; cluster and credential are cn-north-1; click next, successfully go to the next step. Result: Modified the EKS configuration, and the EKS cluster upgraded successfully.

Register/Adding Amazon EKS cluster with New Cloud Credentials

  • Region selected is us-west-2: click Add New, fill in the China AWS AK/SK; the request gets a 401 response: ‘401 AuthFailure: There was a problem validating your keys. Enter valid credentials and try again’. Result: Not able to go to the next step.

  • Region selected is cn-north-1: click Add New, fill in the China AWS AK/SK. Result: Created a Cloud Credential and went to the next step.

Test Passed.

@niusmallnan's team is going to help with verifying.

Thank you @niusmallnan!