Unable to create AWS EKS cluster with eksctl

2
votes

Unable to create AWS EKS cluster with eksctl from Windows 10 PC. Here is the command which I'm executing

eksctl create cluster --name revit --version 1.17 --region ap-southeast-2 --fargate

Version of eksctl: 0.25.0

AWS CLI Version: aws-cli/2.0.38 Python/3.7.7 Windows/10 exe/AMD64

Error on executing create cluster command

2020-08-08T19:05:35+10:00 [ℹ]  eksctl version 0.25.0
2020-08-08T19:05:35+10:00 [ℹ]  using region ap-southeast-2
2020-08-08T19:05:35+10:00 [!]  retryable error (RequestError: send request failed
caused by: Put "http://169.254.169.254/latest/api/token": dial tcp 169.254.169.254:80: connectex: A socket operation was attempted to an unreachable network.) from ec2metadata/GetToken - will retry after delay of 54.121635ms
2020-08-08T19:05:35+10:00 [!]  retryable error (RequestError: send request failed
caused by: Put "http://169.254.169.254/latest/api/token": dial tcp 169.254.169.254:80: connectex: A socket operation was attempted to an unreachable network.) from ec2metadata/GetToken - will retry after delay of 86.006168ms
2
amazon-web-servicesamazon-ekseksctl
github.com/weaveworks/eksctl/issues/1979#issuecomment-629962708Amit Baranes

2 Answers

2
votes

I had the same error, I've got rid of it proving my AWS credentials for programmatic access (AWS Access Key ID, AWS Secret Access Key):

$ aws configure

Next time I used eksctl it just didn't try to authenticate on its own and command passed.

0
votes

I suspect this is related to this: https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/

Specifically:

Protecting against open layer 3 firewalls and NATs Last, there is a final layer of defense in IMDSv2 that is designed to protect EC2 instances that have been misconfigured as open routers, layer 3 firewalls, VPNs, tunnels, or NAT devices. With IMDSv2, the PUT response containing the secret token will, by default, not be able to travel outside the instance. This is accomplished by having the default Time To Live (TTL) on the low-level IP packets containing the secret token set to “1,” much lower than a typical value, such as “64.” Hardware and software that handle packets, including EC2 instances, subtract 1 from each packet’s TTL field whenever they pass it on. If the TTL gets to 0, the packet is discarded, and an error message is sent back to the sender. A packet with a TTL of “64” can therefore make sixty-four “hops” in a network before giving up, while a packet with a TTL of “1” can exist in just one. This feature allows legitimate traffic to get to an intended destination, but is designed to stop packets from endlessly running around in circles if there’s a loop in a network.

Are you by any chance running the command above from within a container launched in bridge mode? I had a similar problem. If that is the case you could run it using --network host or by passing the creds as system variables.