I got the issue below when trying to create an iam_user with Terraform:
Error: failed creating IAM User (iam_user_test):
InvalidClientTokenId: The security token included in the request is invalid
Status code: 403, request id: xxxxxxxx
I can use these AWS credentials (access_key, access_secret) to reach other services (S3, EC2, ...) but not IAM:
ubuntu#foo:/mnt/d/workspace/$ aws s3 ls
2022-10-05 10:31:10 aaaa
2022-09-07 23:23:50 bbbb
2022-09-07 14:42:34 cccc
ubuntu#foo:/mnt/d/workspace/$ aws iam get-user
An error occurred (InvalidClientTokenId) when calling the GetUser operation: The security token included in the request is invalid
AWS CLI version: aws-cli/2.7.29
AWS Provider version: terraform-provider-aws_v4.33.0_x5
Terraform version: v1.2.8
OS: Ubuntu subsystem 20.04.4
Note:
I use AWS VAULT to generate the credentials (access_key, secret_key).
I can create a new IAM User via the AWS Console with the same account that runs Terraform or the AWS CLI above.
Thanks all
I have a service that is deployed using Kubernetes and Docker.
To call the Amazon SP-API service we have created a role (SellerRole) as per this document: https://developer-docs.amazon.com/sp-api/docs/creating-and-configuring-iam-policies-and-entities
We have one user who has this role assigned. Now, if we use that user to assume the above role (SellerRole), it gives us the temporary credentials and works fine.
Since the service is deployed on Kubernetes I am trying to use IRSA and a role to do the same thing.
I have created an IRSA and given the Kubernetes cluster a role (PODRole). The PODRole has access to assume SellerRole. Also, the pods have a token file that confirms that the pods are configured correctly.
Now the issue is that when I SSH into the pod and run
aws sts assume-role --role-arn arn:aws:iam::<account-id>:role/SellerRole --role-session-name piyush-session
it works correctly and gives back the temporary credentials.
However, when I try to do the same from code it gives an error. Below is the code.
import software.amazon.awssdk.auth.credentials.WebIdentityTokenFileCredentialsProvider;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.model.AssumeRoleRequest;
import software.amazon.awssdk.services.sts.model.AssumeRoleResponse;
import software.amazon.awssdk.services.sts.model.Credentials;

// STS client authenticated with the IRSA web identity token file mounted into the pod
StsClient stsClient = StsClient.builder()
        .region(region)
        .credentialsProvider(WebIdentityTokenFileCredentialsProvider.create())
        .build();

// roleArn() expects the full role ARN (arn:aws:iam::<account-id>:role/SellerRole)
AssumeRoleRequest roleRequest = AssumeRoleRequest.builder()
        .roleArn("SellerRole")
        .roleSessionName("SessionName")
        .build();

AssumeRoleResponse roleResponse = stsClient.assumeRole(roleRequest);
Credentials credentials = roleResponse.credentials();
Below is the error.
Unable to assume role. Exception: software.amazon.awssdk.services.sts.model.StsException: User: arn:aws:sts::id:assumed-role/eks-qa01-PODRole/aws-sdk-java-1661372423393 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::12345678999:role/eks-qa01-PODRole (Service: Sts, Status Code: 403, Request ID: b6a8f294-52d8-450f-9698)
I created a cluster.yaml file which contains the below information:
---
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig
metadata:
  name: eks-litmus-demo
  region: ${AWS_REGION}
  version: "1.21"
managedNodeGroups:
  - instanceType: m5.large
    amiFamily: AmazonLinux2
    name: eks-litmus-demo-ng
    desiredCapacity: 2
    minSize: 2
    maxSize: 4
When I run $ eksctl create cluster -f cluster.yaml from my terminal to create the cluster, I get the error below:
Error: checking AWS STS access – cannot get role ARN for current session: MissingEndpoint: 'Endpoint' configuration is required for this service
How can I resolve this? Please help!!!
Note: I have the global and regional endpoints under STS set to "valid in all AWS regions".
In my case, it was a typo in the region. I had us-east1 as the value. When I corrected it to us-east-1, the error disappeared. So it is worth checking for typos in any of the fields.
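As an added example (not code from any of the posts above), a small Python preflight that catches three input mistakes behind the 403s on this page before any API call is made: a bare role name where the SDK's roleArn / the CLI's --role-arn needs a full ARN (the IRSA question), a region typo such as us-east1 (this answer), and a temporary ASIA... access key supplied without its session token. The AKIA/ASIA key-id prefixes and the 12-digit account id in role ARNs are AWS conventions; the idea that a missing session token explains the first poster's InvalidClientTokenId is an assumption, not something the posts establish.

```python
import re

# Key-id prefixes used by AWS: AKIA = long-term IAM user key,
# ASIA = temporary credentials (STS, SSO, aws-vault) that are only
# valid together with a session token.
_ACCESS_KEY_RE = re.compile(r"^(AKIA|ASIA)[A-Z0-9]{16}$")
# Region code shape, e.g. us-east-1, eu-west-2, us-gov-west-1.
_REGION_RE = re.compile(r"^[a-z]{2}(-gov)?-[a-z]+-\d+$")
# Role ARN shape expected by AssumeRole: arn:aws:iam::<12 digits>:role/<name>.
_ROLE_ARN_RE = re.compile(r"^arn:aws(-cn|-us-gov)?:iam::\d{12}:role/[\w+=,.@/-]+$")


def check_credentials(access_key_id, session_token=None):
    """Return a list of problems with a static access key id."""
    if not _ACCESS_KEY_RE.match(access_key_id):
        return ["access key id does not look like an AKIA/ASIA key"]
    if access_key_id.startswith("ASIA") and not session_token:
        return ["temporary key (ASIA...) supplied without its session token"]
    return []


def check_region(region):
    """Return problems with a region code (catches typos such as us-east1)."""
    if not _REGION_RE.match(region):
        return [f"region {region!r} is malformed (expected e.g. us-east-1)"]
    return []


def check_role_arn(value):
    """Return problems with the value handed to roleArn / --role-arn."""
    if not value.startswith("arn:"):
        return [f"{value!r} is a bare role name; pass the full ARN "
                f"arn:aws:iam::<account-id>:role/{value}"]
    if not _ROLE_ARN_RE.match(value):
        return [f"{value!r} is not a well-formed IAM role ARN"]
    return []


def preflight(access_key_id, region, role_arn, session_token=None):
    """Run all checks and return the combined list of problems."""
    return (check_credentials(access_key_id, session_token)
            + check_region(region) + check_role_arn(role_arn))


if __name__ == "__main__":
    # Constructed values mirroring the mistakes discussed on this page.
    for problem in preflight("ASIAEXAMPLEEXAMPLE01", "us-east1", "SellerRole"):
        print("-", problem)
```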
Mention --profile if you use an AWS profile other than the default:
eksctl create cluster -f cluster.yaml --profile <profile-name>
My SSO session token had expired:
aws sts get-caller-identity --profile default
The SSO session associated with this profile has expired or is otherwise invalid. To refresh this SSO session run aws sso login with the corresponding profile.
Then I needed to refresh my SSO session token:
aws sso login
Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:
https://device.sso.us-east-2.amazonaws.com/
Then enter the code:
XXXX-XXXX
Successfully logged into Start URL: https://XXXX.awsapps.com/start
Error: checking AWS STS access – cannot get role ARN for current session:
According to this, I think it's not able to get the role (in your case, the cluster creator's role) that is responsible for creating the cluster.
Create an IAM user with an appropriate role. Attach the policies needed to create the EKS cluster to that role.
Then you can use aws configure command to add the AWS Access Key ID, AWS Secret Access Key, and Default region name.
[Make sure that the user has the appropriate access to create and access the eks cluster in your aws account. You can use aws cli to verify if you have the appropriate access]
It is important to configure the default profile for the AWS CLI correctly on the command line using
set AWS_ACCESS_KEY_ID=<your_access_key>
set AWS_SECRET_ACCESS_KEY=<your_secret_key>
I'm trying to use terraform to initiate connections with AWS to create infra.
If I run aws configure sso, I can log in (defaulting to eu-west-2) and move around the estate.
I then use terraform apply, with the aws part as follows:
provider "aws" {
  region                  = "eu-west-2"
  shared_credentials_file = "~/.aws/credentials"
  profile                 = "450694575897_ProdPS-SuperUsers"
}
Terraform reports: Error: error using credentials to get account ID: error calling sts:GetCallerIdentity: InvalidClientTokenId: The security token included in the request is invalid.
│ status code: 403, request id: 5b8be53d-253d-4c48-8568-ad78be14115f
The following vars are set:
AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY
If I run
aws sts get-session-token --region=us-west-2
I get
An error occurred (InvalidClientTokenId) when calling the GetSessionToken operation: The security token included in the request is invalid.
I was having the same problem when I tried to deploy through Terraform Cloud.
You might be using an old key that is either deleted or inactive. To be sure:
1- Go to the security credentials on your account page: click on your name in the top right corner -> My security credentials.
2- Check whether the key you set in your credentials still exists or has been deleted.
2.2- If it's deleted, create a new key and use it.
3- If your key is still there, check that it is active.
I solved the issue doing the following:
$: aws configure
enter the access key:
enter the secret key:
select default region:
select default format[none/json]:
In your main.tf file, add the profile as shown below:
provider "aws" {
  region  = "eu-west-2"
  profile = "xxxuuzzz"
}
On execution of the command below from AWS Cloud9
copilot app delete
I get the following message:
execute svc delete: delete service: delete stack demoappone-test-lbdemoappone: InvalidClientTokenId: The security token included in the request is invalid
status code: 403, request id: 5001e2d0-3bbc-4821-911c-27713af4f2f9
AWS Cloud9 points to document https://docs.aws.amazon.com/cloud9/latest/user-guide/welcome.html .
Does anyone know how to solve the above 403 error?
This appears to be because Cloud9 has a limited set of allowed actions that are supported for AWS managed temporary credentials. (For the troubleshooting guide: link)
The way the ECS workshop gets around it is by creating and storing access credentials in the environment: sample solution. (For the Cloud9 guide: link)
I am trying to configure Spinnaker with hal following this source (https://www.spinnaker.io/guides/tutorials/codelabs/hello-deployment/).
While configuring storage with S3 in AWS I am facing the error below.
Someone please guide me to resolve this issue.
hal config storage s3 edit --access-key-id xxxx --secret-access-key --region us-west-2
Problems in default.persistentStorage.s3:
! ERROR Failed to ensure the required bucket
"spin-1889a6d7-dd17-4896-9ef9-e07cc2ab5b2a" exists: Forbidden
(Service: Amazon S3; Status Code: 403; Error Code: 403 Forbidden;
Request ID: xxxx; S3 Extended Request ID: xxx
Failed to edit persistent store "s3".
You should have proper (read, write) permissions on S3.
Check your permissions in the IAM console.
Make sure you have read and write access to S3.
More on IAM policies: https://aws.amazon.com/blogs/security/writing-iam-policies-how-to-grant-access-to-an-amazon-s3-bucket/