
ec2 create-vpc-endpoint fails to create an AWS service interface endpoint when both the full service-name and service-region are specified #9216

Closed
1 task
marcus-jameson opened this issue Jan 16, 2025 · 3 comments
Assignees
Labels
bug This issue is a bug. ec2 p2 This is a standard priority issue response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.

Comments

@marcus-jameson

Describe the bug

When attempting to create a VPC endpoint of type Interface for an AWS service the operation fails when both service-name and service-region are specified, even if they are in alignment.

Regression Issue

  • Select this option if this issue appears to be a regression.

Expected Behavior

When creating a VPC interface endpoint for an AWS service, if both service-name and service-region are included in the request and both reference the same region, the request should not be blocked by the presence of service-region. Alternatively, if the intended behavior is to discourage the use of these options in combination, then the call should fail with a message that is more helpful than "An internal error has occurred", and ideally the documentation should be updated to mention the conflict between these two options.

Current Behavior

Example command with redacted resource IDs:

aws ec2 create-vpc-endpoint --profile=example \
  --vpc-endpoint-type Interface \
  --vpc-id vpc-0000000000000000 \
  --service-name com.amazonaws.eu-west-1.sts \
  --subnet-ids subnet-0000000000000000 \
  --security-group-id sg-0000000000000000 \
  --tag-specifications "ResourceType=vpc-endpoint,Tags=[{Key=Name,Value=example}]" \
  --service-region=eu-west-1

Result:

An error occurred (InternalError) when calling the CreateVpcEndpoint operation (reached max retries: 2): An internal error has occurred

The full output from this command (with resource IDs & security tokens redacted) run in debug mode is included in the attached file, debug-logs.txt.

Reproduction Steps

The only prerequisites are access to an AWS account with a default VPC and IAM access to create the VPC endpoint. The error can be created with a minimal setup referencing the default VPC. Using eu-west-1 as an example region:

aws ec2 create-vpc-endpoint --profile=example \
  --vpc-endpoint-type Interface \
  --vpc-id vpc-0000000000000000 \
  --service-name com.amazonaws.eu-west-1.sts \
  --service-region=eu-west-1

Possible Solution

No response

Additional Information/Context

No response

CLI version used

aws-cli/2.23.0 Python/3.12.8 Darwin/24.2.0 source/arm64

Environment details (OS name and version, etc.)

macOS 15.2
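The pre-flight consistency check the report asks for, written as an added example that is not part of the aws CLI or of this issue: it pulls the region out of a dotted service name such as com.amazonaws.eu-west-1.sts and refuses to call create-vpc-endpoint when --service-region disagrees, so a mismatch fails with a clear message instead of an InternalError. The function names and the wrapper are assumptions; the check is only as good as the region pattern it matches.

```shell
# Extract the AWS region token embedded in a dotted endpoint service name,
# e.g. com.amazonaws.eu-west-1.sts -> eu-west-1. Generalises to any
# position in the name and to multi-part regions such as us-gov-west-1.
# Prints the region, or nothing if no region token is present.
service_name_region() {
  printf '%s\n' "$1" | tr '.' '\n' \
    | grep -E '^[a-z]{2}(-[a-z]+)+-[0-9]+$' | head -n 1
}

# Compare the region in the service name with an explicit --service-region.
# Exit status: 0 consistent (or service-region empty), 1 mismatch,
# 2 no region could be parsed from the service name.
check_service_region() {
  name=$1
  region=$2
  embedded=$(service_name_region "$name")
  if [ -z "$embedded" ]; then
    echo "cannot determine region from service name '$name'" >&2
    return 2
  fi
  [ -z "$region" ] && return 0
  if [ "$embedded" != "$region" ]; then
    echo "service-name region '$embedded' does not match --service-region '$region'" >&2
    return 1
  fi
  return 0
}

# Hypothetical wrapper: only reaches the real CLI call when the check passes.
# --service-region is appended only when a value was supplied.
create_interface_endpoint() {
  vpc_id=$1
  service_name=$2
  service_region=$3
  check_service_region "$service_name" "$service_region" || return $?
  aws ec2 create-vpc-endpoint \
    --vpc-endpoint-type Interface \
    --vpc-id "$vpc_id" \
    --service-name "$service_name" \
    ${service_region:+--service-region "$service_region"}
}
```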

@marcus-jameson marcus-jameson added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jan 16, 2025
@RyanFitzSimmonsAK RyanFitzSimmonsAK self-assigned this Jan 28, 2025
@RyanFitzSimmonsAK RyanFitzSimmonsAK added investigating This issue is being investigated and/or work is in progress to resolve the issue. ec2 p2 This is a standard priority issue and removed needs-triage This issue or PR still needs to be triaged. labels Jan 28, 2025
@RyanFitzSimmonsAK
Contributor

Hi @marcus-jameson, thanks for reaching out. I wasn't able to reproduce this behavior. In my testing, I was able to successfully create a VPC endpoint with both service-name and service-region specified. Could you verify if you're using a shared subnet?

@RyanFitzSimmonsAK RyanFitzSimmonsAK added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed investigating This issue is being investigated and/or work is in progress to resolve the issue. labels Jan 28, 2025
@marcus-jameson
Author

Hi @RyanFitzSimmonsAK, thanks for following up. I just re-tested using the same conditions and am also not able to reproduce the issue anymore. I can verify that I was not using a shared subnet. I originally encountered the issue writing a terraform module which created both the VPC and subnets alongside the desired service endpoints before then reproducing it with the CLI directly. All that said, I'm no longer able to recreate the error with either the CLI or terraform, so I see no reason to keep it open.

