Lambda invocation failed with status: 403 on new AWS region - amazon-web-services

I enabled a new AWS region (Africa, Cape Town)
I created a new Lambda in the new region. I connected the mentioned Lambda to my API Gateway located in the Frankfurt region, and when trying to access it, there is an internal server error.
CloudWatch shows the following:
(ee2d73a9-e0ff-4ba2-a445-4348e86bcfc1) Lambda invocation failed with status: 403. Lambda request id: ed3b6fc8-0959-4f43-8c3c-32d6c811e9f2
(ee2d73a9-e0ff-4ba2-a445-4348e86bcfc1) Execution failed due to configuration error: The security token included in the request is invalid
However, when I create another API Gateway in Africa, I can only access African Lambdas, and I get the same error trying to access anything outside Africa.
Any solutions?

Related

Call to K8S version API for the EKS cluster in ap-northeast-2 (seoul) is failing with unauthorized code 401

We are calling the K8S API to get version of the cluster.
The URL is https://:443/version .
But the HTTP request is failing with this error - GET request to the remote host failed [HTTP-Code: 401]: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}
This call is working in other AWS regions for ex us-east-2(ohio), us-east-1, ap-south-1 etc. But specifically failing in this region.
I have checked the IAM console; this region is enabled for the STS service.
While calling the K8S API we are passing STS token (with standard AWS signature calculation).
So I am not getting why it is failing in only a specific region?
I can access that cluster using AWS EKS CLI. All the operations on that cluster are working fine. kubectl is also in working state.

AWS copilot on Cloud9 InvalidClientTokenId: The security token included in the request is invalid (status code: 403)

On execution of the command below from AWS Cloud9
copilot app delete
I get this message:
execute svc delete: delete service: delete stack demoappone-test-lbdemoappone: InvalidClientTokenId: The security token included in the request is invalid
status code: 403, request id: 5001e2d0-3bbc-4821-911c-27713af4f2f9
AWS Cloud9 points to document https://docs.aws.amazon.com/cloud9/latest/user-guide/welcome.html .
Do we know how to solve above 403 error?
This appears to be because Cloud9 has a limited set of allowed actions that are supported for AWS managed temporary credentials. (For the troubleshooting guide: link)
The way that the ECS workshop gets around it is by creating and storing access credentials in the environment: sample solution. (For the Cloud9 guide: link)

DynamoDB regularly receives error: "The AWS Access Key Id needs a subscription for the service"

I am running into a strange issue with AWS's DynamoDB.
Regularly, the DynamoDB AWS UI and API calls return the following error:
The AWS Access Key Id needs a subscription for the service
I have a feeling that it's an AWS-related issue, since it happens in the UI and only about 1 in 10 API calls fail with the message. Any suggested solutions would be appreciated.
API Error:
An uncaught Exception was encountered
Type: Aws\DynamoDb\Exception\DynamoDbException
Message: Error executing "PutItem" on "https://dynamodb.us-west-2.amazonaws.com"; AWS HTTP error: Client error: `POST https://dynamodb.us-west-2.amazonaws.com` resulted in a `400 Bad Request` response: {"__type":"com.amazon.coral.service#SubscriptionRequiredException","message":"The AWS Access Key Id needs a subscription (truncated...) SubscriptionRequiredException (client): The AWS Access Key Id needs a subscription for the service - {"__type":"com.amazon.coral.service#SubscriptionRequiredException","message":"The AWS Access Key Id needs a subscription for the service"}
UI error:
The AWS Access Key Id needs a subscription for the service (Service: AmazonDynamoDBv2; Status Code: 400; Error Code: SubscriptionRequiredException; Request ID: ...
After some research, I believe the "The AWS Access Key Id needs a subscription for the service" error is caused by old accounts created when you had to opt in to each individual service.
See this forum post, forums.aws.amazon.com/message.jspa?messageID=609804, for more info.
After creating a completely new AWS account I haven't received the error once, still waiting to see if it can be resolved in my older account.

HTTP 403 when sending metrics to CloudWatch in Frankfurt, works in Ireland

We use mon-get-instance-stats.pl to send custom metrics (RAM and disk usage) to CloudWatch.
I set this up following the AWS documentation. We use instance roles to give the instances the right to call CloudWatch, we do not use access keys.
This works like a charm for our Ireland (eu-west-1) instances but fails for our Frankfurt (eu-central-1) instances, where I get this error message:
$ /home/ec2-user/aws-scripts-mon/mon-put-instance-data.pl --mem-util --mem-used --mem-avail --swap-util --swap-used --disk-path=/ --disk-space-util --disk-space-used --disk-space-avail --aws-iam-role=instancerole
ERROR: Failed to call CloudWatch: HTTP 403. Message: The security token included in the request is invalid
For more information, run 'mon-put-instance-data.pl --help'
Note that the role instancerole is correctly configured on EC2 instances in both Ireland and Frankfurt.
What can I do to fix this?
Turns out, because Frankfurt is a new region, it does not support the old version of the CloudWatch scripts. I was running version 1.1.0; updating to 1.2.1 fixed the issue.

Why do I get a 403 error when attempting to access AWS S3 from EC2?

I want to access S3 from a Spring Boot application using Spring Cloud AWS. My access to S3 works fine from my desktop, but when I bundle the app up as a WAR file and deploy it to an EC2 Tomcat container, I get a 403 exception:
Caused by: com.amazonaws.services.s3.model.AmazonS3Exception: Forbidden (Service: Amazon S3; Status Code: 403; Error Code: 403 Forbidden; Request ID: 4F0EBE3A853C6D99)
at com.amazonaws.http.AmazonHttpClient.handleErrorResponse(AmazonHttpClient.java:1078) ~[aws-java-sdk-core-1.9.27.jar:na]
at com.amazonaws.http.AmazonHttpClient.executeOneRequest(AmazonHttpClient.java:726) ~[aws-java-sdk-core-1.9.27.jar:na]
at com.amazonaws.http.AmazonHttpClient.executeHelper(AmazonHttpClient.java:461) ~[aws-java-sdk-core-1.9.27.jar:na]
at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:296) ~[aws-java-sdk-core-1.9.27.jar:na]
at com.amazonaws.services.s3.AmazonS3Client.invoke(AmazonS3Client.java:3737) ~[aws-java-sdk-s3-1.9.27.jar:na]
at com.amazonaws.services.s3.AmazonS3Client.getObjectMetadata(AmazonS3Client.java:1028) ~[aws-java-sdk-s3-1.9.27.jar:na]
at org.springframework.cloud.aws.core.io.s3.SimpleStorageResource.getObjectMetadata(SimpleStorageResource.java:182) ~[spring-cloud-aws-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]
at org.springframework.cloud.aws.core.io.s3.SimpleStorageResource.exists(SimpleStorageResource.java:112) ~[spring-cloud-aws-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]
I have an application.yml where I define access to AWS:
cloud:
  aws:
    region:
      static: eu-west-1
      auto: false
    credentials:
      accessKey: myaccesskey
      secretKey: somereallylongkeyhere
      instanceProfile: true
This works fine from my desktop. What do I need to do to make this work? I have tried turning on every permission I can see within S3, but I can't seem to get around this.
I had a similar problem where the culprit was an outdated system clock. EC2 instances can sometimes drift and IAM API is very sensitive to it. Relevant information can be found here: https://github.com/boto/boto/issues/2885.
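An added offline check for the clock-skew cause named in the answer above (example code written for this page, not the poster's): it compares an AWS endpoint's HTTP Date header with the local clock and reports whether the drift exceeds the 15-minute SigV4 tolerance. The sample Date header is constructed; the live fetch at the bottom is optional.

```python
"""Clock-skew check for IAM/SigV4 403s.

AWS rejects a signed request whose timestamp is more than 15 minutes off
the service clock, so a drifting EC2 clock turns every signed call into
a 403. Example code added to this page, not the poster's code.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

SIGV4_MAX_SKEW_SECONDS = 15 * 60  # SigV4 request-time tolerance window

# Constructed sample of what a Date header from an AWS endpoint looks like.
SAMPLE_DATE_HEADER = "Tue, 03 Mar 2020 12:00:00 GMT"


def parse_http_date(header_value: str) -> datetime:
    """Parse an RFC 7231 Date header into an aware UTC datetime."""
    parsed = parsedate_to_datetime(header_value)
    if parsed.tzinfo is None:  # a naive result is defined to be UTC
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


def clock_skew_seconds(server_date_header: str, local_now: datetime) -> float:
    """Signed skew in seconds; positive means the local clock runs ahead."""
    if local_now.tzinfo is None:
        local_now = local_now.replace(tzinfo=timezone.utc)
    return (local_now - parse_http_date(server_date_header)).total_seconds()


def skew_breaks_sigv4(skew_seconds: float) -> bool:
    """True when the skew is large enough for AWS to refuse signed requests."""
    return abs(skew_seconds) > SIGV4_MAX_SKEW_SECONDS


def fetch_server_date(url: str = "https://sts.amazonaws.com/") -> str:
    """Live check: read the Date header from an AWS endpoint.

    An unauthenticated request that is refused still carries the server's
    Date header, which is all this check needs.
    """
    import urllib.error
    import urllib.request
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.headers["Date"]
    except urllib.error.HTTPError as err:  # 403/405 responses still have headers
        return err.headers["Date"]


if __name__ == "__main__":
    skew = clock_skew_seconds(fetch_server_date(), datetime.now(timezone.utc))
    print(f"local clock is {skew:+.0f}s from AWS time: "
          f"{'FAIL' if skew_breaks_sigv4(skew) else 'ok'}")
```

Run it on the failing instance; a verdict of FAIL points at NTP rather than IAM policy.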