AWS SSM "The security token included in the request is expired" - amazon-web-services

I have a step of action of type aws:runCommand. It runs for 14+ hours. Everything runs successfully, but when the step attempts to complete, I get this error:
Automation Step Execution fails when it is verifying the command has completed. Get Exception from ListCommands API of ssm Service. Exception Message from ListCommands API: [The security token included in the request is expired (Service: AWSSimpleSystemsManagement; Status Code: 400; Error Code: ExpiredTokenException; Request ID: ...; Proxy: null)]. Please refer to Automation Service Troubleshooting Guide for more diagnosis details
I've attempted to refresh the token by having the last step in my script be aws sts assume-role --role-arn arn:aws:iam::<account_id>:role/<role_name_attached_to_instance> --role-session-name <some_name>.
After this, I can run aws ssm list-commands --command-id <command_id> on the instance and I am not blocked by permissions. I see data.
If the instance can talk to SSM, I'm not sure why I'm getting this error.

Related

AWS ECS Cluster Unable to assume service role, when creating with cloudformation

I'm trying to create an ECS Fargate deployment using a CloudFormation script, but the script fails during creation of the ECS Cluster with an error saying that it is unable to assume the service role. I'm not able to figure out what I'm missing in the script; I have tried many ways, but none of them seem to be working.
Here is the link to the CloudFormation script, as I'm not able to post it here due to the character limitation.
ECS Cloudformation script
The error where the resource creation fails:
Resource handler returned message: "Invalid request provided: CreateCluster Invalid Request: Unable to assume the service linked role. Please verify that the ECS service linked role exists. (Service: AmazonECS; Status Code: 400; Error Code: InvalidParameterException; Request ID: e08ab312-4bd8-4c21-852f-ae5d49cc5932; Proxy: null)" (RequestToken: a686f226-e1d3-7b4c-13f1-66fa0a516c51, HandlerErrorCode: InvalidRequest
I'm able to get it working if I create an ECS cluster from the AWS console, as it creates a service linked role. But I want to work without creating the cluster manually from the console, with everything built up from CloudFormation. I tried looking over the AWS docs and digging around the Internet but couldn't get it working. Can anyone please help me out?

How to retrieve detailed information when AWS error are vague

I would like to know how to find details when an error is vague in AWS. In the example below I would like to know which permission is missing or which operation was performed.
Terminated with errors
Service role bundle-release-import-AWSDataPipelineRole has insufficient EC2 permissions.
EC2 Message: AmazonEC2Exception: You are not authorized to perform this operation.
(Service: AmazonEC2; Status Code: 403; Error Code: UnauthorizedOperation;
Request ID: e2614d7b-ef8f-467d-81cf-14ee9c4671c8; Proxy: null)
You can use:
Option 1: Use Athena queries to troubleshoot IAM permission API call failures by searching AWS CloudTrail logs.
Option 2: Use the AWS CLI to troubleshoot IAM permission API call failures.
For more details on how to implement each option, you can refer to the article below:
https://aws.amazon.com/premiumsupport/knowledge-center/troubleshoot-iam-permission-errors/
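To make the CloudTrail route concrete, here is an added example (not from the original answer or from any AWS tool): it pulls Service, Status Code, Error Code and Request ID out of the parenthesised diagnostic block the SDK appends to error messages, as seen in the SSM, ECS, EC2 and DynamoDB posts on this page, and uses the Request ID to find the matching CloudTrail record, which names the exact API action and principal that were denied. The CloudTrail records, account ID and session name are constructed sample data.

```python
import json
import re

# Trailing diagnostic block the AWS SDK appends, e.g.
# "(Service: AmazonEC2; Status Code: 403; Error Code: UnauthorizedOperation;
#  Request ID: e2614d7b-...; Proxy: null)". Separators tolerate line wraps.
_DIAG = re.compile(
    r"\(Service:\s*(?P<service>[^;]+);\s*Status Code:\s*(?P<status>\d+);\s*"
    r"Error Code:\s*(?P<code>[^;]+);\s*Request ID:\s*(?P<request_id>[^;)]+)"
)


def parse_aws_error(message):
    """Return the structured fields of an SDK error message, or None."""
    m = _DIAG.search(message)
    if not m:
        return None
    fields = m.groupdict()
    fields["status"] = int(fields["status"])
    fields["request_id"] = fields["request_id"].strip()
    return fields


def find_denied_calls(events, request_id):
    """CloudTrail records with this requestID that carry an errorCode,
    as (principal ARN, eventSource, eventName, errorCode) tuples."""
    return [
        (ev["userIdentity"].get("arn"), ev["eventSource"], ev["eventName"], ev["errorCode"])
        for ev in events
        if ev.get("requestID") == request_id and "errorCode" in ev
    ]


# Constructed sample CloudTrail records (not real log data). The second one
# reuses the Request ID quoted in the Data Pipeline error above.
_ROLE = "arn:aws:sts::123456789012:assumed-role/bundle-release-import-AWSDataPipelineRole/session"
SAMPLE_EVENTS = json.loads(json.dumps([
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "requestID": "11111111-1111-1111-1111-111111111111",
     "userIdentity": {"arn": _ROLE}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "errorCode": "Client.UnauthorizedOperation",
     "errorMessage": "You are not authorized to perform this operation.",
     "requestID": "e2614d7b-ef8f-467d-81cf-14ee9c4671c8",
     "userIdentity": {"arn": _ROLE}},
]))


def triage(message, events=SAMPLE_EVENTS):
    """Map a vague SDK error back to the API call CloudTrail recorded."""
    parsed = parse_aws_error(message)
    if parsed is None:
        return None
    return parsed, find_denied_calls(events, parsed["request_id"])
```

In practice `events` would come from an Athena query or `aws cloudtrail lookup-events` filtered on the same Request ID; the `eventName` in the hit is the IAM action the role is missing.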

AWS copilot on Cloud9 InvalidClientTokenId: The security token included in the request is invalid (status code: 403)

On execution of the command below from AWS Cloud9:
copilot app delete
I get this message:
execute svc delete: delete service: delete stack demoappone-test-lbdemoappone: InvalidClientTokenId: The security token included in the request is invalid
status code: 403, request id: 5001e2d0-3bbc-4821-911c-27713af4f2f9
AWS Cloud9 points to document https://docs.aws.amazon.com/cloud9/latest/user-guide/welcome.html .
Do we know how to solve the above 403 error?
This appears to be because Cloud9 has a limited set of allowed actions that are supported for AWS managed temporary credentials. (For the troubleshooting guide: link)
The way that the ECS workshop gets around it is by creating and storing access credentials in the environment: sample solution. (For the Cloud9 guide: link)

DynamoDB regularly receives error: "The AWS Access Key Id needs a subscription for the service"

I am running into a strange issue with AWS's DynamoDB.
Regularly the DynamoDB AWS UI and API calls return the following error:
The AWS Access Key Id needs a subscription for the service
I have a feeling that it's an AWS-related issue, since it happens in the UI and only about 1 in 10 API calls fail with the message. Any suggested solutions would be appreciated.
API Error:
An uncaught Exception was encountered
Type: Aws\DynamoDb\Exception\DynamoDbException
Message: Error executing "PutItem" on "https://dynamodb.us-west-2.amazonaws.com"; AWS HTTP error: Client error: `POST https://dynamodb.us-west-2.amazonaws.com` resulted in a `400 Bad Request` response: {"__type":"com.amazon.coral.service#SubscriptionRequiredException","message":"The AWS Access Key Id needs a subscription (truncated...) SubscriptionRequiredException (client): The AWS Access Key Id needs a subscription for the service - {"__type":"com.amazon.coral.service#SubscriptionRequiredException","message":"The AWS Access Key Id needs a subscription for the service"}
UI error:
The AWS Access Key Id needs a subscription for the service (Service: AmazonDynamoDBv2; Status Code: 400; Error Code: SubscriptionRequiredException; Request ID: ...
After some research, I believe the "The AWS Access Key Id needs a subscription for the service" error is caused by old accounts created when you had to opt in to each individual service.
See this forum post, forums.aws.amazon.com/message.jspa?messageID=609804, for more info.
After creating a completely new AWS account I haven't received the error once; still waiting to see if it can be resolved in my older account.

Amazon AWS 403 InvalidAccesskey Error when I run the Amazon S3 Sample

I'm just trying to test out AWS S3 with Eclipse using Java by executing the Amazon S3 sample, but it doesn't recognise my credentials, and I'm sure my credentials are legitimate. It gives me the following error:
===========================================
Getting Started with Amazon S3
===========================================
Listing buckets
Caught an AmazonServiceException, which means your request made it to Amazon S3, but was rejected with an error response for some reason.
Error Message: Status Code: 403, AWS Service: Amazon S3, AWS Request ID: 057D91D336C1FASC, AWS Error Code: InvalidAccessKeyId, AWS Error Message: The AWS Access Key Id you provided does not exist in our records.
HTTP Status Code: 403
AWS Error Code: InvalidAccessKeyId
Error Type: Client
Request ID: 057D91D336C1FASC
A little update here:
There's a credentials file that AWS creates on the computer. In my case it was '/Users/macbookpro/.aws/credentials'.
The file in this place decides the default accessKeyId and so on; go ahead and update it.
So I ran into the same issue, but I think I figured it out.
I was using Node.js, but I think the problem should be the same, since the way they have structured their object was the issue.
In JavaScript, if you run this in the backend,
var aws = require('aws-sdk');
aws.config.accessKeyId = "Key bablbalab";
console.log(aws.config.accessKeyId);
you will find it prints out something different, because the correct way of setting the accessKeyId isn't what they have provided in the official website tutorial:
aws.config.accessKeyId="balbalb"
or
aws.config.loadFromPath('./awsConfig.json');
or any of that.
If you log the entire "aws.config", you will find the correct way is:
console.log(aws.config)
console.log(aws.config.credentials.secretAccessKey)
aws.config.credentials.secretAccessKey = "Key balbalab";
You see the structure of the object? There's the inconsistency.