IAM issue in GovCloud #769

@jeffsegal

Description

After attempting to deploy a zero config Stack to GovCloud, I found that the runners were failing to be created due to an IAM issue. Here's a sanitized snippet from /var/log/gitlab-runner.log:

Jan 4 20:10:30 ip-REDACTED gitlab-runner: #33[31;1mERROR: Error creating machine: Error in driver during machine creation: Error request spot instance: UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws-us-gov:sts::REDACTED:assumed-role/GitLabRunnerStack-GitlabRunnerManagerRole2F9BC927-REDACTED/i-REDACTED is not authorized to perform: ec2:RequestSpotInstances on resource: arn:aws-us-gov:ec2:us-gov-west-1:REDACTED:subnet/subnet-REDACTED because no identity-based policy allows the ec2:RequestSpotInstances action.

Deeper inspection found the culprit at

"ec2:Vpc": `arn:aws:ec2:${Stack.of(this).region}:${Stack.of(this).account}:vpc/${
Whereas the arn:aws prefix is hard-coded, the actual GovCloud ARN prefix is going to be arn:aws-us-gov.
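Added example, not code from the issue or from the runner project it reports against: the partition-aware form of the ec2:Vpc condition ARN beside the hard-coded form, plus a small check that walks a policy document and flags any ARN whose partition prefix does not match the deployment partition. In a CDK stack the literal `arn:aws:` is replaced by `Stack.of(this).partition` (the AWS::Partition pseudo parameter); the `partitionForRegion` helper below stands in for that so the example runs offline. The statement's Action, Resource and StringEquals operator are assumptions; only the `ec2:Vpc` condition key and the `ec2:RequestSpotInstances` action come from the issue, and the account and VPC ids are constructed sample values.

```typescript
// Added example, not code from the gitlab-runner CDK project in the issue.
// It shows the partition-aware form of the ec2:Vpc condition ARN and a check
// that flags hard-coded partition prefixes in a policy document.

type Partition = "aws" | "aws-us-gov" | "aws-cn";

// Map a region name to its partition. Inside a CDK stack you would not compute
// this yourself: Stack.of(this).partition is the AWS::Partition pseudo
// parameter and resolves to the right value wherever the stack is deployed.
function partitionForRegion(region: string): Partition {
  if (region.startsWith("us-gov-")) return "aws-us-gov";
  if (region.startsWith("cn-")) return "aws-cn";
  return "aws";
}

// Shape of the bug from the issue: the partition is hard-coded to "aws".
function vpcArnHardcoded(region: string, account: string, vpcId: string): string {
  return `arn:aws:ec2:${region}:${account}:vpc/${vpcId}`;
}

// Partition-aware form of the same ARN.
function vpcArn(partition: Partition, region: string, account: string, vpcId: string): string {
  return `arn:${partition}:ec2:${region}:${account}:vpc/${vpcId}`;
}

// A minimal IAM statement of the kind the issue describes. Action, Resource
// and the StringEquals operator are assumed; only the ec2:Vpc condition key
// and the ec2:RequestSpotInstances action come from the issue text.
interface IamStatement {
  Effect: "Allow" | "Deny";
  Action: string[];
  Resource: string;
  Condition: { StringEquals: { "ec2:Vpc": string } };
}

function spotRequestStatement(vpcArnValue: string): IamStatement {
  return {
    Effect: "Allow",
    Action: ["ec2:RequestSpotInstances"],
    Resource: "*",
    Condition: { StringEquals: { "ec2:Vpc": vpcArnValue } },
  };
}

// Walk a policy document and return every ARN whose partition prefix differs
// from the partition the stack is deployed to. A mismatch inside a Condition
// is silent at deploy time: the statement simply never matches, so the call
// falls through to IAM's implicit deny (the UnauthorizedOperation in the log).
function findForeignPartitionArns(doc: unknown, partition: Partition): string[] {
  const found: string[] = [];
  const walk = (v: unknown): void => {
    if (typeof v === "string") {
      const m = /^arn:(aws|aws-us-gov|aws-cn):/.exec(v);
      if (m && m[1] !== partition) found.push(v);
    } else if (Array.isArray(v)) {
      v.forEach(walk);
    } else if (v !== null && typeof v === "object") {
      Object.values(v as Record<string, unknown>).forEach(walk);
    }
  };
  walk(doc);
  return found;
}

// Constructed sample values (not a real account or VPC id).
const REGION = "us-gov-west-1";
const ACCOUNT = "123456789012";
const VPC_ID = "vpc-0123456789abcdef0";

function buggyStatement(): IamStatement {
  return spotRequestStatement(vpcArnHardcoded(REGION, ACCOUNT, VPC_ID));
}

function fixedStatement(): IamStatement {
  return spotRequestStatement(vpcArn(partitionForRegion(REGION), REGION, ACCOUNT, VPC_ID));
}

console.log(findForeignPartitionArns(buggyStatement(), partitionForRegion(REGION)));
// → [ 'arn:aws:ec2:us-gov-west-1:123456789012:vpc/vpc-0123456789abcdef0' ]
console.log(findForeignPartitionArns(fixedStatement(), partitionForRegion(REGION)));
// → []
```

The check is worth running over the synthesized template (for example as a test against the output of `cdk synth`) rather than only over source strings, because string interpolation of the kind quoted in the issue is easy to miss in review, and a wrong partition in a Condition produces no error until a runtime request is denied.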

Labels: bug (Something isn't working), good first issue (Good for newcomers), help wanted (Extra attention is needed)
