EC2 InvalidVpcEndpointServiceAllowedPrincipalID.NotFound
The specified VPC endpoint service allowed principal ID does not exist or is incorrect.
What is EC2 InvalidVpcEndpointServiceAllowedPrincipalID.NotFound
Understanding Amazon EC2 and VPC Endpoint Services
Amazon Elastic Compute Cloud (EC2) is a web service that provides secure, resizable compute capacity in the cloud. It is designed to make web-scale cloud computing easier for developers. A VPC endpoint service (AWS PrivateLink) is the provider side of a private connection: you expose an application that sits behind a Network Load Balancer or Gateway Load Balancer as a service, and consumers in other VPCs or accounts reach it through interface VPC endpoints without an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Which consumers may connect is controlled by the endpoint service's list of allowed principals, and that list is where this error arises.
Identifying the Symptom
When working with VPC Endpoint Services in EC2, you might encounter the error code InvalidVpcEndpointServiceAllowedPrincipalID.NotFound. This error indicates that the allowed principal you named in the request does not exist, is malformed, or does not match an entry the endpoint service recognizes.
What You Observe
When adding or removing allowed principals on a VPC endpoint service (for example through ModifyVpcEndpointServicePermissions), the call fails with a message stating that the allowed principal ID is not found, and the requested change to the permission list is not applied.
Explaining the Issue
The error InvalidVpcEndpointServiceAllowedPrincipalID.NotFound occurs when a principal specified in your request is not recognized by the service. Allowed principals are specified as ARNs (an account root such as arn:aws:iam::123456789012:root, an IAM user or role ARN, or the wildcard *), not as IAM unique IDs, so a typo, a truncated or wrongly formatted ARN, a principal that has since been deleted from its AWS account, or an attempt to remove an entry that is not on the service's current allow list can all produce it.
Common Causes
The principal ARN is mistyped or malformed (wrong number of account-ID digits, an IAM unique ID such as an AIDA... value instead of an ARN, or a missing user/ or role/ path).
The ARN refers to an IAM user or role that no longer exists.
The ARN names the wrong AWS account, for example the provider account instead of the consumer account that will create the interface endpoint.
The request removes an entry that is not on the service's current allow list.
Steps to Resolve the Issue
To resolve the InvalidVpcEndpointServiceAllowedPrincipalID.NotFound error, follow these steps:
1. Verify the Principal ID
Ensure that the principal ARN you are using is correct. Double-check it for typos and formatting errors, and confirm that it is an ARN rather than an IAM unique ID. For principals in your own account you can copy the ARN from the user or role summary page in the IAM section of the AWS Management Console; for a consumer in another account, have that account's owner send you the exact ARN, since you cannot look it up from your own account.
2. Check Principal Existence
Confirm that the principal (user or role) still exists. For your own account, navigate to the IAM Console and verify that the principal is listed; for a cross-account consumer, ask the account owner to confirm. Before removing anything, list the service's current allowed principals (DescribeVpcEndpointServicePermissions) so that a remove request only names entries that are actually present.
3. Update the Endpoint Service
If the principal was incorrect, update the endpoint service permissions with the correct ARN. Use the AWS CLI or Management Console to make the change; with the CLI, --add-allowed-principals adds entries, --remove-allowed-principals drops them, and both may be given in the same call, so a mistyped entry can be replaced in one step. For example, using the AWS CLI:
aws ec2 modify-vpc-endpoint-service-permissions --service-id vpce-svc-0123456789abcdef --add-allowed-principals arn:aws:iam::123456789012:role/ExampleRole
4. Review IAM Policies
The endpoint service's allowed-principal list, not the consumer's IAM policy, decides who may connect, but IAM policies still matter in two places. The identity running the modification needs ec2:ModifyVpcEndpointServicePermissions (and ec2:DescribeVpcEndpointServicePermissions to inspect the list), and the consumer needs ec2:CreateVpcEndpoint in its own account to create the interface endpoint. Keep the allow list as narrow as possible: an account root ARN admits every principal in that account, and * admits any AWS account, so prefer a specific role ARN and leave connection acceptance required unless you have a concrete reason to turn it off.
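The four steps above amount to "validate the ARN, compare against what the service currently lists, then apply only the difference". The script below is an added example written for this page, not code from the page or from AWS: it rejects malformed principals locally before any API call, refuses the * wildcard unless explicitly allowed, and computes add/remove sets so a remove request never names an entry the service does not have. The boto3 method names and response fields (describe_vpc_endpoint_service_permissions returning AllowedPrincipals, modify_vpc_endpoint_service_permissions with AddAllowedPrincipals/RemoveAllowedPrincipals) follow the EC2 API; the FakeEc2Client, the service ID and the account numbers are constructed so the script runs offline, and the accepted ARN shapes (account root, IAM user, IAM role, *) are an assumption stated in the code.

```python
"""Reconcile a VPC endpoint service's allowed-principal list (added example).

Not code from the original page or from AWS.  FakeEc2Client is a constructed
in-memory stand-in for boto3's EC2 client so the example runs offline; swap in
boto3.client("ec2") for real use.
"""
import re

# Principal shapes accepted on a PrivateLink allow list (assumption: account
# root, IAM user, IAM role, and the "*" wildcard).  IAM unique IDs such as
# AIDA... values are deliberately not matched: the API wants ARNs.
_PRINCIPAL_RE = re.compile(
    r"^arn:aws(?:-cn|-us-gov)?:iam::(?P<account>\d{12}):"
    r"(?P<kind>root|user/[\w+=,.@/-]+|role/[\w+=,.@/-]+)$"
)


def classify_principal(principal):
    """Return 'wildcard', 'account', 'user' or 'role'.

    Raises ValueError for anything that is not a well-formed allowed
    principal, which is exactly the input the service would reject.
    """
    if principal == "*":
        return "wildcard"
    m = _PRINCIPAL_RE.match(principal)
    if not m:
        raise ValueError("not a valid allowed-principal ARN: %r" % principal)
    kind = m.group("kind")
    if kind == "root":
        return "account"
    return kind.split("/", 1)[0]  # 'user' or 'role'


def plan_changes(current, desired, allow_wildcard=False):
    """Return (to_add, to_remove) that turns `current` into exactly `desired`.

    Every desired entry is validated first.  '*' is refused unless the caller
    opts in, because it lets any AWS account request a connection.  Removals
    are computed from the live list, so they never name an unknown entry.
    """
    for p in desired:
        if classify_principal(p) == "wildcard" and not allow_wildcard:
            raise ValueError("refusing '*': it admits every AWS account")
    to_add = sorted(set(desired) - set(current))
    to_remove = sorted(set(current) - set(desired))
    return to_add, to_remove


def current_principals(ec2, service_id):
    """Read the live allow list via DescribeVpcEndpointServicePermissions."""
    resp = ec2.describe_vpc_endpoint_service_permissions(ServiceId=service_id)
    return {p["Principal"] for p in resp["AllowedPrincipals"]}


def reconcile(ec2, service_id, desired, allow_wildcard=False):
    """Bring the service's allow list to `desired`; returns the applied plan."""
    to_add, to_remove = plan_changes(
        current_principals(ec2, service_id), desired, allow_wildcard)
    if to_add or to_remove:
        kwargs = {"ServiceId": service_id}
        if to_add:
            kwargs["AddAllowedPrincipals"] = to_add
        if to_remove:
            kwargs["RemoveAllowedPrincipals"] = to_remove
        ec2.modify_vpc_endpoint_service_permissions(**kwargs)
    return to_add, to_remove


class FakeEc2Client:
    """Constructed offline stand-in for the two boto3 EC2 calls used above."""

    def __init__(self, principals):
        self.principals = set(principals)

    def describe_vpc_endpoint_service_permissions(self, ServiceId):
        return {"AllowedPrincipals": [{"Principal": p}
                                      for p in sorted(self.principals)]}

    def modify_vpc_endpoint_service_permissions(self, ServiceId,
                                                AddAllowedPrincipals=(),
                                                RemoveAllowedPrincipals=()):
        missing = set(RemoveAllowedPrincipals) - self.principals
        if missing:  # mimic the service refusing an entry it does not list
            raise LookupError("allowed principal not found: %s" % sorted(missing))
        self.principals |= set(AddAllowedPrincipals)
        self.principals -= set(RemoveAllowedPrincipals)
        return {"ReturnValue": True}


if __name__ == "__main__":
    # Constructed sample state: one consumer account plus a stale role entry.
    ec2 = FakeEc2Client({"arn:aws:iam::123456789012:root",
                         "arn:aws:iam::123456789012:role/OldConsumer"})
    wanted = {"arn:aws:iam::123456789012:root",
              "arn:aws:iam::210987654321:role/ExampleRole"}
    print(reconcile(ec2, "vpce-svc-0123456789abcdef0", wanted))
```

Run it once with a stale or mistyped entry in the desired set and the ValueError tells you which ARN is wrong before any API traffic happens; in real use replace FakeEc2Client with boto3.client("ec2") and the caller needs ec2:DescribeVpcEndpointServicePermissions and ec2:ModifyVpcEndpointServicePermissions.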
Additional Resources
For more information on managing VPC endpoint services, refer to the AWS VPC Endpoint Services Documentation. If you continue to experience issues, consider reaching out to AWS Support for further assistance.