Frequently Asked Questions

Find answers to common questions about Spot products:

• General
• Ocean
• Ocean for Apache Spark
• Elastigroup
• Elastigroup stateful node
• Eco

General

AWS, Azure, GCP: What regions does Spot support for my cloud provider?

AWS Regions

us-east-1, us-east-2, us-west-1, us-west-2, ca-central-1, sa-east-1, eu-central-1, eu-west-1, eu-west-2, eu-west-3, eu-north-1, ap-south-1, me-south-1, ap-southeast-1, ap-southeast-2, ap-northeast-1, ap-northeast-2, ap-east-1, cn-north-1, cn-northwest-1, ap-northeast-3, af-south-1, eu-south-1, us-gov-east-1, us-gov-west-1, cn-north-1, cn-northwest-1.

Supported products: Eco, CloudAnalyzer, Ocean, Elastigroup.

note

For Eco and CloudAnalyzer only, the following China regions are not supported:

• cn-north-1
• cn-northwest-1

For Eco, CUR bucket deployment is only supported in regions where the Opt-in Status is not required.

Azure Regions

australia-central, australia-central-2, australia-east, australia-south-east, brazil-south, canada-central, canada-east, central-india, central-us, east-asia, east-us, east-us-2, france-central, france-south, germany-central, germany-north, germany-north-east, germany-west-central, japan-east, japan-west, korea-central, korea-south, north-central-us, north-europe, norway-east, norway-west, south-africa-north, south-africa-west, south-central-us, south-east-asia, south-india, switzerland-north, switzerland-west, uae-central, uae-north, uk-south, uk-west, west-central-us, west-europe, west-india, us-gov-arizona, us-gov-texas, us-gov-virginia, west-us, west-us-2, west-us-3.

Supported products: Ocean, Elastigroup.

GCP Regions

us-east1, us-east1, us-east1, us-east4, us-east4, us-east4, us-central1, us-central1, us-central1, us-central1, us-west1, us-west1, us-west1, europe-west4, europe-west4, europe-west4, europe-west1, europe-west1, europe-west1, europe-west3, europe-west3, europe-west3, europe-west2, europe-west2, europe-west2, asia-east1, asia-east1, asia-east1, asia-southeast1, asia-southeast1, asia-southeast1, asia-northeast1, asia-northeast1, asia-northeast1, asia-south1, asia-south1, asia-south1, australia-southeast1, australia-southeast1, australia-southeast1, southamerica-east1, southamerica-east1, southamerica-east1, asia-east2, asia-east2, asia-east2, asia-northeast2, asia-northeast2, asia-northeast2, europe-north1, europe-north1, europe-north1, europe-west6, europe-west6, europe-west6, northamerica-northeast1, northamerica-northeast1, northamerica-northeast1, us-west2, us-west2, us-west2.

Supported products: Ocean, Elastigroup.

AWS, Azure, GCP: How are costs and savings calculated in the Spot console and the API?

Savings in the Spot API shows you the total cost of the cluster/group.

Savings in the Spot console (click the user icon > Settings > Savings) shows you how much you saved by using spot instances instead of on-demand instances:

• Potential cost is the price of the resource based on on-demand pricing.
• Actual cost is the actual payment made to the cloud provider after Ocean/EG optimization.
• Savings % is the percent of potential cost saved, calculated as (amount saved / potential cost) x 100.
• Amount saved is the difference between the potential cost (on-demand pricing) and the actual cost for the selected period.

AWS, Azure, GCP: What day of the month can I see my Spot bill?

You can see your invoice on the 15th of the following month. For example, to see data that includes April, you can view the invoices on or after May 15. The charge is about 3 business days after the invoice (around May 18).

Depending on holidays, the invoice and charges may be slightly delayed.

AWS, Azure, GCP: Where can I get the latest Spot and cloud provider news?

You can get information about releases and new features:

• Spot blog
• Spot news
• AWS blog
• AWS news
• Azure blog
• Azure news
• GCP blog
• GCP news

AWS, Azure, GCP: Can I edit my organization name or my Spot account name?

Yes, you can edit your:

• Organization name
• Spot account name

AWS: Why is my on-demand instance utilized as a reserved instance/savings plan?

When is an on-demand (OD) instance a reserved instance (RI), savings plan (SP), or full-priced on demand?

When launching an on-demand instance, you cannot specifically request it to run as a reserved instance or savings plan.

AWS decides according to:

1. If the market matches a free zonal reserved instance commitment, then the instance is a reserved instance.
2. If the market matches a free regional reserved instance commitment, then the instance is a reserved instance.
3. If the market matches a free EC2 instance savings plan commitment, then the instance is a savings plan.
4. If there is any free compute service plan commitment, then the instance is a savings plan.
5. Otherwise, the instance will run as a full-price on-demand instance.

Throughout the lifetime of an instance, it can change its “price” whenever there’s any change in the commitments utilization rate. For example, if an instance is running as a full price on-demand instance, and another instance that was utilizing a compute savings plan commitment was terminated, the first instance will start utilizing this commitment if its hourly price rate has enough free space under this commitment. It might take a couple of minutes for this change to show, but since the billing is being calculated retroactively, in practice it’s starting to utilize the commitment right away.

AWS: How are running hours calculated in the Spot console and AWS?

Running hours are calculated from the moment an instance is launched until it is detached and not terminated. AWS calculates the entire lifetime of the instance.

Here are some reasons for large differences between the numbers in the Spot Console and AWS:

• Groups of instances with long draining periods
• Shutdown scripts with long grace periods

AWS: Can I remove permissions from the Spot IAM policy?

You can choose to remove some of these permissions from the Spot IAM policy:

• iam:PutRolePolicy is not required as it is only used if the instance profile itself needs to create inline policies.

• iam:CreateServiceLinkedRole is only needed for an initial spot request, then it can be removed. This means it's only required to create the first spot instance in your account. After creating an Ocean or Elastigroup and launching a Spot instance through Spot, you can remove this permission from the policy.

• iam:AddRoleToInstanceProfile is generally not required. It is only used to change the role associated with an instance profile and is required for Beanstalk.

• iam:PassRole is only required when you custom metrics. Ocean EKS does not require iam:PassRole in the Spot policy. However, if you use custom metrics, you need an account with this role configured for putting metric data into CloudWatch, which is in use by both Ocean (PublishOceanKubernetesCwMetricsExecutor) and EG (ReportCWMetricsNewCmd).

AWS: What are the minimum permissions Spot needs to my AWS environment?

You can see the list of permissions required for Spot in Sample AWS policies.

AWS: Why am I getting an alert in CloudWatch that the AMI ID does not exist?

You might get this alert in CloudWatch:

"eventType": "AwsApiCall",
"error": {
"kind": "Client.InvalidAMIID.NotFound",
"message": "The image id '[ami-xxxxx]' does not exist"
},

This can happen if you have AWS resources that are not managed by Spot. Spot scans all regions for each account to show you how you can get savings. This information is shown in the Optimization dashboard.

Azure: Why isn’t the optimization dashboard showing data?

If data isn’t showing in the optimization dashboard, make sure you have:

• An Azure account connected to Spot with VMs running in Azure.
• A custom role and assigned it in IAM.
• A client secret in Spot.
• The correct Azure subscription ID and tenant ID.
• https://spot.io for the redirect URI.

GCP: Can I change the service account key for my GCP account?

You can reset your credentials using the set credentials for GCP API. It typically changes immediately. If it doesn’t, the service runs at the beginning of each hour.

Try launching an instance to see that it’s working correctly.

SSO: Why can't I sign in to the Spot console?

You may get an error when you try to sign in to the Spot console if:

• You’re using username/password when SSO is enabled for your organization.

  Signing in using username/password is turned off if SSO is set up for your organization. All users, including admins, must use SSO if it’s set up.

  You may have multiple organizations, some that use SSO and some that don’t:

• If your default organization has SSO, then you can only sign in using SSO. You can see your non-SSO organizations in the org list and switch to them.

• If your default organization doesn’t have SSO, then sign in with your username/password. When you switch to an org with SSO, you’ll get the SSO sign-in page.

• You’re using multiple-factor authentication (MFA) when SSO is set up for your organization.

  Signing in using MFA is turned off if SSO is set up for your organization.

• You’re using MFA when SSO is not set up for your organization.

  Make sure you’re using the correct MFA token for the organization you’re signing into. MFA tokens are specific to a user and an organization.

• (AWS) The username in AWS Active Directory doesn’t exactly match the email address in the Spot console.

  Make sure your Active Directory is using the same email address as the Spot console.

  You can access the users in the Spot console: click the user icon > Settings > Organization > Users.

• The Identifier (Entity ID) URL is not set up correctly. If the URL isn't correct, you might get this message when you sign in to the Spot console:

  AADSTS650056: Misconfigured application. This could be due to one of the following: the client has not listed any permissions for 'AAD Graph' in the requested permissions in the client's application registration. Or, the admin has not consented in the tenant. Or, check the application identifier in the request to ensure it matches the configured client application identifier. Or, check the certificate in the request to ensure it's valid. Please contact your admin to fix the configuration or consent on behalf of the tenant. Client app ID: Idl xxxxx.

  The Identifier (Entity ID) URL must be https://console.spotinst.com/auth/saml. It cannot be a different URL or blank.

  Delete the Spotinst app in Azure AD and recreate it with the correct URL.

SSO: What should be the SAML entity ID for the application?

The default entity ID is https://console.spotinst.com/auth/saml. If you need additional entity IDs, you can add a number at the end of the URL (for example, https://console.spotinst.com/auth/saml6).

SSO: What is the ACS URL?

The ACS URL is https://console.spotinst.com/auth/saml.

SSO: Can the SAML assertion sent back to the application (SP) be encrypted?

The SAML is Base64encoded by the IDP. Encrypted assertions such as AES-256-CBC and TRIPLEDES-CBC are not supported.

SSO: Can I change identity providers?

If you’re using the same email ID after the migration, you can update your identity provider:

1. Click the user icon > Settings > Security > Identify Providers.
2. Browse and upload a new metadata file (SAML doc).

If you use the same SAML configuration, existing user/token permissions will continue to work after changing identity providers.

SSO: What are the SingleLogoutService URLs?

Single log out service URLs are not supported. After logging in, users need to manually sign out using the Spot console.

SSO: What is the public X.509 certificate for signing and encryption?

The X.509 certificate needs to be a standard strength certificate (2048-bit) with the SHA-1 SAML signature algorithm. The IDP usually provides it as part of the application.

SSO: Where can I find the application SAML metadata in XML format?

The attributes that can be sent depend on your identify provider.

SSO: Why am I getting a user provisioning error in Okta?

You cannot sign in to your Spot org due to a user provisioning error in your Okta SSO environment. For example, you're getting one of these errors:

• Automatic provisioning of user {name of user} to app Spotinst failed: Matching user not found.

• Automatic profile push of user {name of user} to app Spotinst failed: Error while trying to push profile update for {user email}: No user returned for user {user id}

  These internal logging errors occur because of a misconfiguration in the Okta SSO environment.

  1. Make sure edit is set up for provisioning: a. Go to Okta Admin Console and click Applications > Spotinst > |Provisioning > To App. b. Click Edit and then Enable for Create Users, Update User Attributes, and Deactivate Users.

  2. Check for failed tasks: a. Go to the Okta Admin Console and navigate to Dashboard > Tasks. Look for failed provisioning assignments under Tasks. b. If there are failed tasks for the users who were getting errors, retry the tasks by selecting the task and then clicking Retry Selected.

     After retrying the failed tasks, the errors should be resolved and the users should have complete access to the Spotinst app after signing in using SSO. If there are no failed tasks associated with these users or if the issue isn’t resolved, unassign them.

  3. Unassign the users from the Spotinst app in Okta. Once unassigned, reassign these specific users to the Spotinst app.

SSO: If I delete a user in Okta, is the user deleted in the Spot console?

If you delete or deactivate a user in Okta, the user typically is not deleted or deactivated in the Spot console.

The exception is if you have Okta with system for cross-domain identity management (SCIM) and selected Deactivate Users in provisioning. In this case, the user will be deleted. All tokens for that user are also deleted.

SSO: How can I add a user to groups in an organization in Okta?

You can add a user to one or many user groups in an organization in Okta spotinst application:

1. Make sure Okta SAML 2.0 authentication is configured with Spot.

2. Sign in to Okta Admin, go to Directory > Profile Editor, and select Spotinst User.

3. Click Add Attribute and add a custom attribute:

   • Data Type: string
   • Display Name: OrgAndUserGroups
   • Variable Name: OrgAndUserGroups

4. Click Save.

5. In Okta Admin, go to Applications > Applications, and select Spotinst app.

6. On the Sign On tab, add this custom attribute under the SAML 2.0 settings:

   • Attribute Name: OrgAndUserGroups
   • Name Format: Unspecified
   • Value: appuser.OrgAndUserGroups

7. Generate a new certificate and upload it to your Spot Organization.

8. Add users to groups: a. For each user in your organization who needs to be assigned to groups, go to Okta Admin Directory > People. b. On the Applications tab, locate the Spotinst app and click Edit to add the OrgAndUserGroups:

   • For a single user: SPOTINST-{OrganizationID}:{UserGroupId}.

     For example: SPOTINST-606012345678:ugr-1234

   • Multiple UserGroupIds for the same organization are separated with a comma: SPOTINST-{OrganizationID}:{UserGroupId1},{UserGroupId2}.

     For example: SPOTINST-606012345678:ugr-1234,ugr-5678

SSO: What additional attributes (if any) does the application need from the assertion?

There are a number of attributes that can be sent. These are the default and required attributes:

• Relay State
• Email
• FirstName
• LastName

Why are existing users getting new verification emails?

Each time a user is added to an organization, the user gets a verification email from Spot. So if a user gets added to 3 organizations, they’ll receive 3 emails so they can confirm their email address all 3 times.

How can I see my open support tickets for Spot?

You can go to the Spot support center to submit requests and view ticket history.

Can I set up PagerDuty alerts from Spot?

You can set up PagerDuty alerts in Spot:

1. Set up PagerDuty email integration.
2. In the Spot console, click the user icon > Settings.
3. Click Notification Center > Event Policies.
4. Click on the name of the event policy to add the integration.
5. Go to Users & Integrations > Add Integration.
6. Select External Email and enter the PagerDuty email address. This allows Spot to send notifications to external email addresses. Any email sent to the PagerDuty email address will trigger a PagerDuty alert.

Can I set up OpsGenie alerts from Spot?

You can use email or webhook to integrate OpsGenie with the Spot notification center.

Email

Set up OpsGenie email integration and then configure the notifications in Spot:

• Using the console

  1. In the Spot console, click the user icon > Settings.
  2. Click Notification Center > Event Policies.
  3. Click on the name of the event policy to add the integration.
  4. Go to Users & Integrations > Add Integration.
  5. Select External Email and enter the OpsGenie email address. This allows Spot to send notifications to external email addresses. Any email sent to the OpsGenie email address will trigger an OpsGenie alert.

• Using the Spot API, add a notification. For example:

  "resourceId": "xxxxxxx",
  "protocol": "email ",
  "endpoint": "YOUR@EMAIL.COM",
  "eventType": "xxxxx",

• Using the Spot API, update a notification. For example:

  "resourceId": "xxxxxxx",
  "protocol": "email ",
  "endpoint": "YOUR@EMAIL.COM",
  "eventType": "xxxxx",

Webhook

1. Set up OpsGenie webhook integration.
2. In the Spot console, click the user icon > Settings.
3. Click Notification Center > Event Policies.
4. Click on the name of the event policy to add the integration.
5. Go to Users & Integrations > Add Integration.
6. Select Webhook and enter the URL address you created in OpsGenie (for example, https://api.opsgenie.com/v2/alerts).

Can I use JQ to extract data from an API call?

JQ is a tool that lets you extract, manipulate, and transform JSON data. You can use it extract data from an API call.

You can download JQ and use the online curl command line builder. Curl lets you interact with web services, APIs, and services using command line.

For curl, use this template:

 curl -X GET '{URL}' \
 -H 'Authorization: Bearer {TOKEN}' \
 -H 'Content-Type: application/json'

For example:

• Get the value of the maximum number of instances set in an Elastigroup using CLI

  • Use this API: /api/#tag/Elastigroup-AWS/operation/elastigroupAwsListElastigroup
  • Enter this in JQ:

      curl -X GET 'https://api.spotinst.io/aws/ec2/group/{groupID}' \
    -H 'Authorization: Bearer {token}' \
    -H 'Content-Type: application/json' | jq '.response.items[0].capacity.maximum'

• Get the cluster-ocean id by cluster name

  • Use this API: /api/#tag/Ocean-AWS/operation/OceanAWSClusterList
  • Enter this in JQ:

      curl –X GET 'https://api.spotinst.io/ocean/aws/k8s/cluster?accountId={accountID}' \
      -H 'Authorization: Bearer {token}' \
      -H 'Content-Type: application/json'
       | jq '.response.items[] | select(.controllerClusterId | contains("{cluster-name}")) | .id'

How long before I get signed out of the Spot console (idle)?

After 12 hours of inactivity, you get signed out of the Spot console.

Can I integrate Spotinst SDK with AWS Lambda?

The Spotinst SDK library is supported just like any other Python package.

Spotinst-sdk2 is not part of the default PyPl. You need to create a deployment package with it to use it in the Lambda function:

1. Create a ZIP deployment package with dependencies. Make sure that all dependencies and Lambda functions are at the same level, zipped together, and uploaded.
2. Update the default timeout for the Lambda function to 60 seconds.

Which type of key/token should I create to connect resources (APIs) to Spot?

You can create tokens:

• Programmatic tokens for APIs and connecting your services to Spot.
• Personal tokens. If you choose to use a personal key and that user is removed from Spot, any tokens created for that user won’t be valid. This will cause some of your services and APIs to fail.

Can I move an existing token to a different user?

No, it’s not possible to transfer an existing token between users.

You should use programmatic tokens for APIs and connecting your services to Spot.

Can I see who owns a token and what permissions it has?

You can see which user owns a token and the permissions:

1. In the Spot console, click the user icon > Settings > API > Permanent Tokens.
2. You can see the permissions for a token by clicking Organizations > Users.
3. Find the user in the list who created the token and see what the permissions are.