Unable to connect to sts.amazonaws.com:443

Hello,

We have an issue while connecting an AWS account in Octopus Deploy. It shows "unable to connect to sts.amazonaws.com:443".

We have no internet opened from the Octopus Deploy server.

Kindly advise us.

Hi @yogitha.kakarla,

Thanks for reaching out, welcome to the community!

Typically access to STS does require an internet connection to use, however you can configure a VPC endpoint for STS so that it doesn’t require a public connection. In my opinion the AWS documentation does a great job at explaining how to create one and why it’s required.

If you have already configured this and are still experiencing this issue, I’d be more than happy to take a deeper look into what’s going on.

Feel free to let me know how you get on or if you have any questions!

Best Regards,

Hi,

Yes, we have already configured this (a VPC endpoint for STS), but we are still facing the issue.

Kindly guide us. We are stuck with a production deployment.

Thanks,

Yogitha

Hi @yogitha.kakarla,

Thanks for confirming that and providing that additional information!

I’d just like to confirm if you have configured the instance to use the matching regional endpoint to send the AWS STS requests? I believe this can be configured via an Environment Variable changing the AWS CLI to always use the regional endpoint rather than the global one:
AWS_STS_REGIONAL_ENDPOINTS = regional

The AWS documentation here and here describes using this variable; let me know if that helps!

Best Regards,

Hi @yogitha.kakarla,

Apologies, I had missed that the default value for this variable is already ‘regional’ so that’s unlikely to resolve the issue!

I’ve reached out internally for some ideas and will keep you posted with any updates.

Best Regards,

Hello,

Do we have any update on this, please? We are stuck with production deployments.

Hi @yogitha.kakarla,

Just an update, I’ve just finished reproducing this issue but haven’t yet been able to find a viable workaround.

I don’t believe this will be able to be resolved quickly and will most likely require some code changes which will need to be planned appropriately.

You could still use Octopus to perform the desired actions using the Run a Script step (using the AWS CLI, you can leverage the --endpoint-url flag to configure the regional endpoint to use instead of the global one).

Unfortunately at this stage it looks like Octopus Server will need internet access to add an AWS Account.

Feel free to let me know if you have any questions, I’ll let you know if I have any updates or workarounds.

Best Regards,

Hello,

Thanks for the update.

"Unfortunately at this stage it looks like Octopus Server will need internet access to add an AWS Account." At this point, can you please let us know which URL can be opened from the proxy so that we could connect? Please do let us know the particular URL to be opened for this purpose as of now.

Thanks,

Yogitha

Hi Yogitha,

Octopus will need to authenticate with the AWS instance, so the main URL will be your AWS instance URL.
It would be worth monitoring the proxy logs when configuring and testing the account within Octopus to see if there are any other AWS URLs that it attempts to use and are being blocked.

Regards,
Paul

Hello,

We have checked the proxy logs and tried opening the URLs, but it still did not work.

Thanks,

Yogitha

Would you be able to provide the error that you’re seeing when testing this?

As the issue seems to be occurring at a network level outside of Octopus, we are limited in the advice we can offer due to everyone’s network being different.

Hello,

Please find the attached screenshot.

We request your suggestions on this.


It does look like something on the network is blocking the traffic still.

You’ll need to work with your network team to troubleshoot where the problem is occurring. It may be easier to make use of the AWS CLI whilst doing this testing rather than testing through Octopus.

Hello,

We have tried checking from the AWS CLI using the command, and it worked.

We request you to have a look and advise us.

Hi @yogitha.kakarla,

Thanks for testing that.

Can I please confirm that the test you performed in your screenshot was from the same machine that the Octopus Server is running from and under the same user account that the Octopus Server Service is running on?

This would ensure a 1:1 test with the only difference being running via Octopus.

Please let me know if this is the case and you were able to successfully connect with the above conditions.

Kind Regards,
Adam

Hello,

Yes, it’s the same.

Hello,

Can we have an update on this, please?

Good morning @yogitha.kakarla,

Sorry to hear you are still having issues. We will continue to look into this further, but in the meantime, are you able to check if your Octopus Server has a proxy configured in the application settings?

Are you also able to set up a continuous ping via CMD to the sts.amazonaws.com:443 link from the Octopus Server? This would show if you can connect to it and if that connection is stable. We have another ticket on the forums similar to this where a customer’s network connection keeps dropping, and so sometimes it connects to their Tentacles and sometimes it doesn’t.

It would be good to understand if this is possibly happening on your instance or not (for the AWS verification), which may explain why you can connect via CLI when you try but then Octopus cannot connect to verify.

We will keep you posted on our findings. This does seem to point to a network connection issue, and so it will be difficult to pinpoint from our end; as Paul suggested earlier, everyone’s network is different, but we will try and get to the bottom of this with you.

Let us know your findings on the ping and whether you have set up the proxy via the Octopus Manager. If there is anything else you need in the meantime, please reach out.

Kind Regards,

Clare Martin
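The two troubleshooting suggestions in this thread, Adam's --endpoint-url workaround via the AWS CLI and Clare's request to test the connection to sts.amazonaws.com:443 from the Octopus Server, can be combined into one script run on the Octopus Server host. The script below is an added example and is not code from the thread, from Octopus Deploy or from AWS. It checks the regional STS name (a VPC interface endpoint for STS serves only the regional name, not the global sts.amazonaws.com), tests whether the name resolves to a private address as it should when VPC endpoint private DNS is in effect, attempts a TCP handshake on port 443 rather than an ICMP ping, and finally calls STS explicitly through the regional endpoint. It assumes nc (or bash plus timeout) and the AWS CLI with credentials are available on the host; the file name sts-check.sh is just an example.

```shell
#!/usr/bin/env sh
# Added example, not code from the thread or from Octopus Deploy: checks the
# path to the *regional* STS endpoint from the Octopus Server host and then
# calls STS through it with --endpoint-url, as suggested above.
# Assumptions (not from the thread): nc or bash+timeout is available for the
# TCP check, and the AWS CLI is installed with credentials for the account.
set -eu

# Regional STS hostname, e.g. eu-west-1 -> sts.eu-west-1.amazonaws.com.
# A VPC interface endpoint for STS serves only this regional name, never the
# global sts.amazonaws.com, so this is the name that must resolve and connect.
sts_regional_host() {
  printf 'sts.%s.amazonaws.com' "$1"
}

# The value to pass to the AWS CLI's --endpoint-url flag.
sts_regional_url() {
  printf 'https://%s' "$(sts_regional_host "$1")"
}

# True if the address is in one of the RFC 1918 private ranges. With a VPC
# endpoint and private DNS enabled, the regional STS name should resolve to
# such an address; a public address means DNS still points at the internet.
is_private_ip() {
  case "$1" in
    10.*|192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# TCP handshake to host:port with a timeout. ICMP ping is often blocked where
# HTTPS is allowed (and vice versa), so test the port Octopus actually uses.
tcp_reachable() {
  _host="$1"; _port="$2"; _timeout="${3:-5}"
  if command -v nc >/dev/null 2>&1; then
    nc -z -w "$_timeout" "$_host" "$_port" >/dev/null 2>&1
  else
    timeout "$_timeout" bash -c "exec 3<>/dev/tcp/$_host/$_port" >/dev/null 2>&1
  fi
}

main() {
  region="$1"
  host="$(sts_regional_host "$region")"
  url="$(sts_regional_url "$region")"
  echo "Regional STS endpoint: $url"

  # DNS: does the regional name resolve, and to a private (VPC endpoint) address?
  if command -v getent >/dev/null 2>&1; then
    ip="$(getent hosts "$host" | awk 'NR==1 {print $1}')"
    if [ -z "$ip" ]; then
      echo "DNS: $host does not resolve"; exit 2
    elif is_private_ip "$ip"; then
      echo "DNS: $host -> $ip (private; VPC endpoint DNS is in effect)"
    else
      echo "DNS: $host -> $ip (public; traffic needs internet or proxy access)"
    fi
  fi

  # Transport: can this host complete a TCP handshake on 443?
  if tcp_reachable "$host" 443; then
    echo "TCP 443 to $host: OK"
  else
    echo "TCP 443 to $host: FAILED (firewall, proxy or endpoint security group)"; exit 3
  fi

  # Application: call STS explicitly on the regional endpoint, bypassing the
  # global name that the Octopus account verification appears to use.
  aws sts get-caller-identity --region "$region" --endpoint-url "$url"
}

# Run the checks only when a region is given, e.g.:  sh sts-check.sh eu-west-1
if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

Run it under the same Windows Subsystem for Linux, Git Bash or Linux shell and, as Adam asked, under the same user account the Octopus Server service runs as, so that DNS, proxy and firewall behaviour match what Octopus sees. If the DNS step reports a public address while a VPC endpoint is configured, private DNS on the endpoint is the first thing to check; if the TCP step fails while the CLI works elsewhere, the difference is usually a per-user proxy setting or a host-based firewall rule.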

Hello,

We have not set up any proxy settings in Octopus.

And ping sts.amazonaws.com shows "request timed out" from the Octopus Server.

Thanks,

Yogitha

Hi @yogitha.kakarla,

It would appear from the request timing out on a ping to sts.amazonaws.com that there are indeed network issues blocking your Octopus Server from contacting the correct endpoints.

Pinging sts.amazonaws.com should show output similar to the following:
[image]

Are you able to check with your network team on enabling a connection to that endpoint?

Kind Regards,
Adam