[AWS] Add identity info when check fails #2456
Conversation
| 'likely due to permission issues, please check the minimal ' | ||
| 'permission required for AWS: https://skypilot.readthedocs.io/en/latest/cloud-setup/cloud-permissions/aws.html' # pylint: disable= | ||
| 'Failed to fetch the availability zones for the account ' | ||
| f'{identity}. It is likely due to permission issues, please ' |
There was a problem hiding this comment.
| f'{identity}. It is likely due to permission issues, please ' | |
| f'{identity!r}. It is likely due to permission issues, please ' |
There was a problem hiding this comment.
This should be a list of strings. We probably don't want to add !r
Co-authored-by: Zongheng Yang <zongheng.y@gmail.com>
…lot into add-identity-in-check
| 'Please ensure that the `ec2:DescribeAvailabilityZones` ' | ||
| 'action is enabled for your AWS account in IAM. ' | ||
| 'Ref: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeAvailabilityZones.html' # pylint: disable=line-too-long | ||
| 'Ref: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeAvailabilityZones.html.\n' # pylint: disable=line-too-long |
There was a problem hiding this comment.
Some more detail on this raise would be good - currently just recieve the error: "Details: [botocore.exceptions.ClientError] An error occurred (UnauthorizedOperation) when calling the DescribeAvailabilityZones operation: You are not authorized to perform this operation."
despite: aws ec2 describe-availability-zones working fine.
Can you log the account at this point also?
There was a problem hiding this comment.
Thanks for the comment @TRT-BradleyB! The upper-level caller in the aws.py should log the identity information as modified above. Do you see that message when running sky check?
There was a problem hiding this comment.
I did think that was the intention, this is the extent of the message I recieve:
RuntimeError: Failed to retrieve availability zones. Please ensure that the `ec2:DescribeAvailabilityZones` action is enabled for your AWS account in IAM. Ref: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeAvailabilityZones.html.
Details: [botocore.exceptions.ClientError] An error occurred (UnauthorizedOperation) when calling the DescribeAvailabilityZones operation: You are not authorized to perform this operation.
There was a problem hiding this comment.
Hmm, this is weird. I did see the following messages when running sky check, where the first line of the Reason shows the account info:
$ sky check
Checking credentials to enable clouds for SkyPilot.
Checking AWS...I 08-24 10:09:34 aws_catalog.py:79] Fetching availability zones mapping for AWS...
AWS: disabled
Reason: Failed to fetch the availability zones for the account ['my-account', 'my-account']. It is likely due to permission issues, please check the minimal permission required for AWS: https://skypilot.readthedocs.io/en/latest/cloud-setup/cloud-permissions/aws.html
Details: [builtins.RuntimeError] Failed to retrieve availability zones. Please ensure that the `ec2:DescribeAvailabilityZones` action is enabled for your AWS account in IAM. Ref: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeAvailabilityZones.html. Details: [botocore.exceptions.ClientError] ...Just to confirm, is the error you shown from sky check?
There was a problem hiding this comment.
Ah - no that's my bad I was running sky launch - check indeed has it.
There was a problem hiding this comment.
Thanks for confirming! Merging this for now, and we can continue the discussion in #2451 for the availability zones permission issue. ; )
This adds more observability for #2451
Tested (run the relevant ones):
bash format.shpytest tests/test_smoke.pypytest tests/test_smoke.py::test_fill_in_the_namebash tests/backward_comaptibility_tests.sh