Bootstrap FreeKB - Amazon Web Services (AWS) - Resolve AWS CLI hanging
Amazon Web Services (AWS) - Resolve AWS CLI hanging


This assumes you have already configured the aws command line tool. If not, check out my article on Getting Started with the AWS CLI.

Let's say you issue an AWS command and it hangs indefinitely. Perhaps you are trying to list your Simple Notification Service (SNS) Topics using the aws sns list-topics command, and the console hangs indefinitely.

~]# aws sns list-topics

 

This may be because you have a Virtual Private Cloud (VPC) Endpoint and the Security Group attached to the VPC Endpoint is NOT allowing connections on HTTPS port 443. The aws ec2 describe-vpc-endpoints command can be used to list your Virtual Private Cloud (VPC) Endpoints.

aws ec2 describe-vpc-endpoints

 

If you have one or more Virtual Private Cloud (VPC) Endpoints, something like this should be returned.

{
    "VpcEndpoints": [
        {
            "VpcEndpointId": "vpce-04d97fbff2f4e862f",
            "VpcEndpointType": "Interface",
            "VpcId": "vpc-0a9d4cb29e2748444",
            "ServiceName": "com.amazonaws.us-east-1.execute-api",
            "State": "available",
            "PolicyDocument": "{\n  \"Statement\": [\n    {\n      \"Action\": \"*\", \n      \"Effect\": \"Allow\", \n      \"Principal\": \"*\", \n      \"Resource\": \"*\"\n    }\n  ]\n}",
            "RouteTableIds": [],
            "SubnetIds": [
                "subnet-0f015da3a1e164304",
                "subnet-0d2d8580c46d6d280"
            ],
            "Groups": [
                {
                    "GroupId": "sg-083870552fd33fe48",
                    "GroupName": "my-security-group"
                }
            ],
            "IpAddressType": "ipv4",
            "DnsOptions": {
                "DnsRecordIpType": "ipv4"
            },
            "PrivateDnsEnabled": true,
            "RequesterManaged": false,
            "NetworkInterfaceIds": [
                "eni-0098d642e37e30d56",
                "eni-08d3040baf7098795"
            ],
            "DnsEntries": [
                {
                    "DnsName": "vpce-04d97fbff2f4e862f-ixh4mx4z.execute-api.us-east-1.vpce.amazonaws.com",
                    "HostedZoneId": "Z7HUB22UULQXV"
                },
                {
                    "DnsName": "vpce-04d97fbff2f4e862f-ixh4mx4z-us-east-1b.execute-api.us-east-1.vpce.amazonaws.com",
                    "HostedZoneId": "Z7HUB22UULQXV"
                },
                {
                    "DnsName": "vpce-04d97fbff2f4e862f-ixh4mx4z-us-east-1a.execute-api.us-east-1.vpce.amazonaws.com",
                    "HostedZoneId": "Z7HUB22UULQXV"
                },
                {
                    "DnsName": "execute-api.us-east-1.amazonaws.com",
                    "HostedZoneId": "Z003023633IKP4QCN263F"
                },
                {
                    "DnsName": "*.execute-api.us-east-1.amazonaws.com",
                    "HostedZoneId": "Z003023633IKP4QCN263F"
                }
            ],
            "CreationTimestamp": "2024-04-29T05:21:17.539000+00:00",
            "Tags": [
                {
                    "Key": "Name",
                    "Value": "my-endpoint"
                }
            ],
            "OwnerId": "123456789012"
        }
    ]
}
 

Notice in this example that the Virtual Private Cloud (VPC) Endpoint is associated with the Security Group named my-security-group.

            "Groups": [
                {
                    "GroupId": "sg-083870552fd33fe48",
                    "GroupName": "my-security-group"
                }
            ],

 

The aws ec2 describe-security-groups command can be used to determine if the Security Group is allowing incoming connections on HTTPS port 443.

aws ec2 describe-security-groups --query 'SecurityGroups[?GroupName==`my-security-group`]'

 

Something like this should be returned.

[
    {
        "Description": "my-security-group",
        "GroupName": "my-security-group",
        "IpPermissions": [
            {
                "FromPort": 443,
                "IpProtocol": "tcp",
                "IpRanges": [
                    {
                        "CidrIp": "0.0.0.0/0"
                    }
                ],
                "Ipv6Ranges": [],
                "PrefixListIds": [],
                "ToPort": 443,
                "UserIdGroupPairs": []
            }
        ],
        "OwnerId": "123456789012",
        "GroupId": "sg-083870552fd33fe48",
        "IpPermissionsEgress": [
            {
                "IpProtocol": "-1",
                "IpRanges": [
                    {
                        "CidrIp": "0.0.0.0/0"
                    }
                ],
                "Ipv6Ranges": [],
                "PrefixListIds": [],
                "UserIdGroupPairs": []
            }
        ],
        "VpcId": "vpc-014d2fcfa335d3c01"
    }
]

 

If the Security Group is not allowing connections on HTTPS port 443, the aws ec2 authorize-security-group-ingress command can be used to update the Security Group to allow incoming requests on HTTPS port 443.

aws ec2 authorize-security-group-ingress --group-id sg-083870552fd33fe48 --protocol tcp --port 443 --cidr 0.0.0.0/0
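The check above, done by hand against two CLI outputs, is easy to script. The following is an added example (not part of the original article) that reads the JSON written by aws ec2 describe-vpc-endpoints and aws ec2 describe-security-groups, finds Interface endpoints whose Security Group has no inbound TCP 443 rule, and prints the matching authorize command; it also treats an IpProtocol of -1 (all traffic) and a TCP port range that spans 443 as allowing HTTPS. The file names, the sample data and the sg-0example/vpce-0example identifiers are constructed for the example. Because the clients of an Interface endpoint live inside the VPC, the lead-in here suggests the VPC CIDR as the source rather than 0.0.0.0/0.

```python
"""Flag Interface VPC Endpoints whose Security Group blocks inbound TCP 443.
Input is the JSON written by (assumed file names):
  aws ec2 describe-vpc-endpoints   > endpoints.json
  aws ec2 describe-security-groups > groups.json
Usage: python3 check_vpce_https.py endpoints.json groups.json
"""
import json
import sys

HTTPS_PORT = 443

def rule_covers_https(rule):
    """True if one IpPermissions entry admits TCP 443 from at least one source."""
    has_source = bool(rule.get("IpRanges") or rule.get("Ipv6Ranges")
                      or rule.get("PrefixListIds") or rule.get("UserIdGroupPairs"))
    if not has_source:
        return False
    proto = rule.get("IpProtocol")
    if proto == "-1":                      # all protocols, all ports
        return True
    if proto != "tcp":                     # udp/icmp rules do not help HTTPS
        return False
    return rule.get("FromPort", 0) <= HTTPS_PORT <= rule.get("ToPort", 65535)

def sg_allows_https(sg):
    return any(rule_covers_https(r) for r in sg.get("IpPermissions", []))

def endpoints_missing_https(endpoints, groups):
    """Return [(endpoint id, group id), ...] for Interface endpoints whose
    attached Security Group has no inbound TCP 443 rule."""
    by_id = {g["GroupId"]: g for g in groups}
    missing = []
    for ep in endpoints:
        if ep.get("VpcEndpointType") != "Interface":
            continue                       # Gateway endpoints have no Security Groups
        for grp in ep.get("Groups", []):
            sg = by_id.get(grp["GroupId"])
            if sg is None or not sg_allows_https(sg):
                missing.append((ep["VpcEndpointId"], grp["GroupId"]))
    return missing

# Constructed sample shaped like the CLI output on this page: the group only opens
# port 22, so the endpoint is flagged.
SAMPLE_ENDPOINTS = [{"VpcEndpointId": "vpce-0example", "VpcEndpointType": "Interface",
                     "Groups": [{"GroupId": "sg-0example"}]}]
SAMPLE_GROUPS = [{"GroupId": "sg-0example", "IpPermissions": [{"IpProtocol": "tcp",
                  "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]}]

def main(argv):
    if len(argv) == 3:
        with open(argv[1]) as f: endpoints = json.load(f)["VpcEndpoints"]
        with open(argv[2]) as f: groups = json.load(f)["SecurityGroups"]
    else:
        endpoints, groups = SAMPLE_ENDPOINTS, SAMPLE_GROUPS
    for ep_id, sg_id in endpoints_missing_https(endpoints, groups):
        print(f"{ep_id}: {sg_id} has no inbound TCP 443 rule; fix with: "
              f"aws ec2 authorize-security-group-ingress --group-id {sg_id} "
              f"--protocol tcp --port 443 --cidr <VPC CIDR>")

if __name__ == "__main__":
    main(sys.argv)
```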

 



