Invalid base64 SAMLResponse when trying to call AssumeRoleWithSAML - amazon-iam

I'm trying to implement SAML authentication for Jupyterhub and Keycloak. I configured Jupyterhub to use SAMLAuthenticator and it works fine. The user is redirected to the Keycloak login screen with a SAMLRequest, logs in, and is then redirected back with a SAMLResponse.
I added an IAM identity provider using Keycloak SAML metadata and also created a role with trust to this identity provider.
The SAMLResponse looks ok when I tested it with this tool.
When I try to call assume_role_with_saml I keep getting this error:
An error occurred (InvalidIdentityToken) when calling the AssumeRoleWithSAML operation: Invalid base64 SAMLResponse (Service: AWSOpenIdDiscoveryService; Status Code: 400; Error Code: AuthSamlInvalidSamlResponseException
SAMLRequest:
<samlp:AuthnRequest
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="b16f49bca24e490986d6616459bc102d"
Version="2.0"
IssueInstant="2021-05-27T05:42:25.000000Z"
Destination="https://keyaloak-docker-ohio.worker.io/auth/realms/master/protocol/saml"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
AssertionConsumerServiceURL="https://elasticsearch-ohio-proxy.worker.io/hub/oauth_callback"
>
<saml:Issuer>urn:amazon:webservices</saml:Issuer>
</samlp:AuthnRequest>
SAMLResponse:
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://elasticsearch-ohio-proxy.worker.io/hub/oauth_callback" ID="ID_c7304951-70a5-4848-b858-38a0b0f2914b" InResponseTo="b16f49bca24e490986d6616459bc102d" IssueInstant="2021-05-25T05:58:02.802Z" Version="2.0"><saml:Issuer>https://keyaloak-docker-ohio.worker.io/auth/realms/master</saml:Issuer><dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:SignedInfo><dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><dsig:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><dsig:Reference URI="#ID_c7304951-70a5-4848-b858-38a0b0f2914b"><dsig:Transforms><dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><dsig:DigestValue>zmJYamb7EemZc/jNTXm3gpK51lKG2nUDfrYnR5DYt38=</dsig:DigestValue></dsig:Reference></dsig:SignedInfo><dsig:SignatureValue>A9qqFpwmJPc3Q5Z17wJvm9n109XrgYBtbWEUU7hH+s45xGAs/TSe/t0ZpAo+fbmUSO3MO+WEy2W1GTIGp8p0y3b5w/clV3j02j2pO/tkLY0CZkUB015u6Mz0Aa7JvtbxIeZhJSSVzLXsIrCCRSAJH7GqowLFTR7ySp2Qw8zDj1VGR0/yvtLI0w7iIo9yrugFye+BXlJwICxopKIELmz/zp73H7YZORMW8G9OqdaGQe4Fnt6vWn6DptE6yuHwwxDFQLWhYPMZ4cecC01en/Tm/OfeBXHC4kxOblVTZffvzG9j/WIL78KFHDbt07wyR+mTojnUCMYe+DW2ktW2bTn2Ig==</dsig:SignatureValue><dsig:KeyInfo><dsig:KeyName>OpDIuce9HVmp0yPnMeBwT9HPgzYYpIxwyTwlfdmVaYc</dsig:KeyName><dsig:X509Data><dsig:X509Certificate>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</dsig:X509Certificate></dsig:X509Data><dsig:KeyValue><dsig:RSAKeyValue><dsig:Modulus>202UeqmYu1KlbgGuD6DQvpw/TIuu+wKQX9DVmjYRYclEhgNcatUwMfW68HA/vWC3IFvUbLakk39FTNzTK90YoVQelgfWm/Ha8wk6VTirzlUYlcN8RtFalddqOHyXGIQUqqcx7xkv5hnmrWfbTXLUWgTMpvSMVlXtcRZGGeZvxq4atCJ1pShufr/YDZuCUyeKTSOudbplCmNlOAG2tEYrWTVqYbeMvIMSyGlOuVvVEnBNAsPl
HvaIzXi7au5uWL1Jt+y+vDN8VqmSUbGPaWGk0cYNrOye5sKLjlgw20+QmxfYsNI/kZB9vxCRNFW+XlJP+Uis0AvJMnbCLqHxLA20HQ==</dsig:Modulus><dsig:Exponent>AQAB</dsig:Exponent></dsig:RSAKeyValue></dsig:KeyValue></dsig:KeyInfo></dsig:Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="ID_d908f8e2-676d-40c7-b13b-921015c0284b" IssueInstant="2021-05-25T05:58:02.801Z" Version="2.0"><saml:Issuer>https://keyaloak-docker-ohio.worker.io/auth/realms/master</saml:Issuer><dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:SignedInfo><dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><dsig:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><dsig:Reference URI="#ID_d908f8e2-676d-40c7-b13b-921015c0284b"><dsig:Transforms><dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></dsig:Transforms><dsig:DigestMethod 
Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><dsig:DigestValue>iIkBzADUiaP0Hg+u+lD0ubCNJLnaw3J8cNyzkKZR3QQ=</dsig:DigestValue></dsig:Reference></dsig:SignedInfo><dsig:SignatureValue>wB2WRMJEGdn45cjic6zR6pr2Fo9sZOJkFJ2kFYt3mUPHIj25tf05Mt+l8eHrmt0H+Z2TOHTT2ehGH9Jk/dn7BNiLL5k3PYTKPPYB9p8MugCEuiRD8gnwHYRz7unaANo+j8jxW9B1RzkFwClxVHklCgMhIfIPkU2qc2sgl4deQg3DQegcW73GlKZ8wpdB7SvmBO+JAEeuz9ElMjibag+YBSpt5aIkDeUbkzKnaTUkBCbPm07lI/WY3B8EFRq4roR8wkjxz04FW3Wp6y2JlqbIIJ1GsFQhZ3n+IC9kYPuUpW05WHKopKyxR1AAQP0InvAOj7pPnN9MsWb4MqwXk0Qscw==</dsig:SignatureValue><dsig:KeyInfo><dsig:KeyName>OpDIuce9HVmp0yPnMeBwT9HPgzYYpIxwyTwlfdmVaYc</dsig:KeyName><dsig:X509Data><dsig:X509Certificate>MIICmzCCAYMCBgF1btuIQjANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDDAZtYXN0ZXIwHhcNMjAxMDI4MTA1NjIyWhcNMzAxMDI4MTA1ODAyWjARMQ8wDQYDVQQDDAZtYXN0ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDbTZR6qZi7UqVuAa4PoNC+nD9Mi677ApBf0NWaNhFhyUSGA1xq1TAx9brwcD+9YLcgW9RstqSTf0VM3NMr3RihVB6WB9ab8drzCTpVOKvOVRiVw3xG0VqV12o4fJcYhBSqpzHvGS/mGeatZ9tNctRaBMym9IxWVe1xFkYZ5m/Grhq0InWlKG5+v9gNm4JTJ4pNI651umUKY2U4Aba0RitZNWpht4y8gxLIaU65W9UScE0Cw+Ue9ojNeLtq7m5YvUm37L68M3xWqZJRsY9pYaTRxg2s7J7mwouOWDDbT5CbF9iw0j+RkH2/EJE0Vb5eUk/5SKzQC8kydsIuofEsDbQdAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAAvVLlMkFjJXB57Q1KFxA+BZLFY+kHc1ZTnMPueIIjhR4t/xF1x9k3lBpklWV0ibvP/tmzC/+ZWzQy9zv9t0o7tTFqYEq5J1Cor6JTLi4HTkHs0cFDcwcmQWSdlcHB3S6LEQy+McG1S0siViJgx38mlmlxZiYxE/ZdjZkf0wAGA/ZGn85Lqq5g0ndvcqpGyDF8ZqeR+DG6+tJ0KsZQdrKzy2NUNUSFKy/dP+YbQcLtxGT6qLMsLWQJYZzLql4mHHYmgVeqVcA2NGuBdVYUhyblCQBK4msfgH/VkPRlfVsJUsd1OTCAnUearOl607e3RRByVqKDdlJLrFRRXo47Gfl8o=</dsig:X509Certificate></dsig:X509Data><dsig:KeyValue><dsig:RSAKeyValue><dsig:Modulus>202UeqmYu1KlbgGuD6DQvpw/TIuu+wKQX9DVmjYRYclEhgNcatUwMfW68HA/vWC3IFvUbLakk39FTNzTK90YoVQelgfWm/Ha8wk6VTirzlUYlcN8RtFalddqOHyXGIQUqqcx7xkv5hnmrWfbTXLUWgTMpvSMVlXtcRZGGeZvxq4atCJ1pShufr/YDZuCUyeKTSOudbplCmNlOAG2tEYrWTVqYbeMvIMSyGlOuVvVEnBNAsPlHvaIzXi7au5uWL1Jt+y+vDN8VqmSUbGPaWGk0cYNrOye5sKLjlgw20+QmxfYsNI/kZB9vxCRNFW+XlJP+Uis0AvJMnbCLqHxLA2
0HQ==</dsig:Modulus><dsig:Exponent>AQAB</dsig:Exponent></dsig:RSAKeyValue></dsig:KeyValue></dsig:KeyInfo></dsig:Signature><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">vw</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData InResponseTo="b16f49bca24e490986d6616459bc102d" NotOnOrAfter="2021-05-25T06:58:00.801Z" Recipient="https://elasticsearch-ohio-proxy.worker.io/hub/oauth_callback"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2021-05-25T05:58:00.801Z" NotOnOrAfter="2021-05-25T05:59:00.801Z"><saml:AudienceRestriction><saml:Audience>https://keyaloak-docker-ohio.worker.io/auth/realms/master</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2021-05-25T05:58:02.802Z" SessionIndex="90bf9c1f-71c3-45ef-bfb0-53a14ad59dc5::f30ccd03-b5e6-482e-afcb-c26fbef93c00" SessionNotOnOrAfter="2021-05-25T15:58:02.802Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute FriendlyName="Role Session Name" Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">vw</saml:AttributeValue></saml:Attribute><saml:Attribute FriendlyName="Session Duration" Name="https://aws.amazon.com/SAML/Attributes/SessionDuration" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">28800</saml:AttributeValue></saml:Attribute><saml:Attribute FriendlyName="Role List" Name="https://aws.amazon.com/SAML/Attributes/Role" 
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">VW_JUPYTERHUB</saml:AttributeValue><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">VW_JUPYTERHUB_MASTER</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>
Trust:
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::1234567890:saml-provider/keyaloak-docker-ohio.worker.io"
},
"Action": "sts:AssumeRoleWithSAML",
"Condition": {
"StringEquals": {
"SAML:iss": "https://keyaloak-docker-ohio.worker.io/auth/realms/master"
}
}
}
Metadata:
<md:EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
Name="urn:keycloak">
<md:EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
entityID="https://keyaloak-docker-ohio.worker.io/auth/realms/master">
<md:IDPSSODescriptor WantAuthnRequestsSigned="true"
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo>
<ds:KeyName>OpDIuce9HVmp0yPnMeBwT9HPgzYYpIxwyTwlfdmVaYc</ds:KeyName>
<ds:X509Data>
<ds:X509Certificate>
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
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://keyaloak-docker-ohio.worker.io/auth/realms/master/protocol/saml"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="https://keyaloak-docker-ohio.worker.io/auth/realms/master/protocol/saml"/>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://keyaloak-docker-ohio.worker.io/auth/realms/master/protocol/saml"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="https://keyaloak-docker-ohio.worker.io/auth/realms/master/protocol/saml"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
Location="https://keyaloak-docker-ohio.worker.io/auth/realms/master/protocol/saml"/>
</md:IDPSSODescriptor>
</md:EntityDescriptor>
</md:EntitiesDescriptor>
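Added example (not code from the question, JupyterHub or Keycloak), in Python because the question calls boto3's assume_role_with_saml. The error is raised at the base64 layer, so the first function checks that the value handed to STS is the base64 encoding of the whole samlp:Response rather than the decoded XML or the still URL-encoded form field. The second function checks what AWS documents for an assertion consumed by AssumeRoleWithSAML: an Audience of https://signin.aws.amazon.com/saml, a RoleSessionName attribute, and Role values of the form role-arn,saml-provider-arn (the response in the question carries the Keycloak realm URL as its Audience and bare role names as Role values, which these checks would flag). The sample response is constructed and unsigned, and its account IDs, role, provider and host names are placeholders; signature and timestamp validation are left to STS.

```python
"""Pre-flight checks for the value passed as SAMLAssertion to STS AssumeRoleWithSAML.
Added example, standard library only; the sample response is constructed, unsigned,
and every account ID, role, provider and host name in it is a placeholder."""
from __future__ import annotations

import base64
import re
import urllib.parse
import xml.etree.ElementTree as ET

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
# What AWS documents for an assertion consumed by AssumeRoleWithSAML.
AWS_AUDIENCE = "https://signin.aws.amazon.com/saml"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_NAME_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
IAM_ARN = re.compile(r"^arn:aws[\w-]*:iam::\d{12}:(role|saml-provider)/\S+$")


def normalize_saml_response(value: str) -> bytes:
    """Return the XML bytes STS will decode, undoing the usual packaging mistakes:
    STS wants base64 of the whole samlp:Response, so raw XML, the still URL-encoded
    form field (+ and = arriving as %2B and %3D) and '+' turned into spaces all fail."""
    text = value.strip()
    if text.startswith("<"):
        raise ValueError("raw XML given; STS expects the base64-encoded response")
    if "%" in text:  # still application/x-www-form-urlencoded
        text = urllib.parse.unquote(text)
    text = text.replace(" ", "+")  # heuristic: a form parser decoded '+' as space
    text = re.sub(r"[\r\n\t]", "", text)  # line wrapping is harmless, drop it
    try:
        xml_bytes = base64.b64decode(text, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError
        raise ValueError(f"not valid base64: {exc}") from exc
    if not xml_bytes.lstrip().startswith(b"<"):
        raise ValueError("base64 decoded, but the payload is not XML")
    return xml_bytes


def is_role_pair(value: str) -> bool:
    """True for 'arn:...:role/X,arn:...:saml-provider/Y' in either order."""
    parts = [p.strip() for p in value.split(",")]
    matches = [IAM_ARN.match(p) for p in parts]
    return (len(parts) == 2 and all(matches)
            and {m.group(1) for m in matches} == {"role", "saml-provider"})


def check_aws_assertion(xml_bytes: bytes) -> list[str]:
    """List what STS rejects in an otherwise well-formed, validly signed response."""
    root = ET.fromstring(xml_bytes)
    problems = []
    if root.tag != SAMLP + "Response":
        problems.append(f"root element is {root.tag}, expected samlp:Response")
    assertions = root.findall(SAML + "Assertion")
    if len(assertions) != 1:
        problems.append(f"expected one plaintext Assertion, found {len(assertions)}")
        return problems
    assertion = assertions[0]
    audiences = [e.text for e in assertion.iter(SAML + "Audience")]
    if AWS_AUDIENCE not in audiences:
        problems.append(f"Audience must be {AWS_AUDIENCE}, got {audiences}")
    attrs = {e.get("Name"): [v.text or "" for v in e.findall(SAML + "AttributeValue")]
             for e in assertion.iter(SAML + "Attribute")}
    if not attrs.get(SESSION_NAME_ATTR):
        problems.append(f"missing {SESSION_NAME_ATTR} attribute")
    roles = attrs.get(ROLE_ATTR, [])
    if not roles:
        problems.append(f"missing {ROLE_ATTR} attribute")
    for value in roles:
        if not is_role_pair(value):
            problems.append(f"Role value is not 'role-arn,saml-provider-arn': {value!r}")
    return problems


def _sample_response(audience: str, role_value: str) -> bytes:
    """Constructed, unsigned, minimal response used only to exercise the checks."""
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2021-05-25T05:58:02Z">
 <saml:Issuer>https://idp.example.test/realms/master</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2021-05-25T05:58:02Z">
  <saml:Issuer>https://idp.example.test/realms/master</saml:Issuer>
  <saml:Subject><saml:NameID>vw</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="{SESSION_NAME_ATTR}"><saml:AttributeValue>vw</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="{ROLE_ATTR}"><saml:AttributeValue>{role_value}</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>""".encode()


GOOD_ROLE = ("arn:aws:iam::123456789012:role/VW_JUPYTERHUB,"
             "arn:aws:iam::123456789012:saml-provider/keycloak")
GOOD_B64 = base64.b64encode(_sample_response(AWS_AUDIENCE, GOOD_ROLE)).decode()
# Shape of the response in the question: realm URL as Audience, bare role name as Role.
BAD_B64 = base64.b64encode(
    _sample_response("https://idp.example.test/realms/master", "VW_JUPYTERHUB")).decode()


def assume_role_with_saml(saml_response: str, role_arn: str, principal_arn: str,
                          region: str = "us-east-2") -> dict:
    """Run the checks, then call STS. boto3 is imported here so the offline checks
    above do not need it; this call needs network access and is not exercised here."""
    import boto3

    xml_bytes = normalize_saml_response(saml_response)
    problems = check_aws_assertion(xml_bytes)
    if problems:
        raise ValueError("STS will reject this assertion: " + "; ".join(problems))
    sts = boto3.client("sts", region_name=region)
    return sts.assume_role_with_saml(
        RoleArn=role_arn, PrincipalArn=principal_arn,
        SAMLAssertion=base64.b64encode(xml_bytes).decode(),
    )["Credentials"]
```

Feed normalize_saml_response the SAMLResponse form field exactly as the callback receives it; it copes whether or not the framework already URL-decoded it. The checker does not verify the XML signature, so an empty problem list means STS will get past base64 decoding and attribute parsing, not that it will accept the assertion.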

Related

EKS fluent-bit unable to assume AWS role from service account

I'm going mad over a fluent-bit DaemonSet, installed via Helm in EKS in AWS account yyyyyyy, that is unable to send data to Kinesis in AWS account xxxxxxxxxx.
It looks like EKS does not have an OIDC provider in IAM, but that's false! Can you help?
fluent bit logs:
[2022/06/29 15:22:34] [debug] [output:kinesis_firehose:kinesis_firehose.0] firehose:PutRecordBatch: events=157, payload=71245 bytes
[2022/06/29 15:22:34] [debug] [output:kinesis_firehose:kinesis_firehose.0] Sending log records to delivery stream kinesis_backend
[2022/06/29 15:22:34] [debug] [http_client] not using http_proxy for header
[2022/06/29 15:22:34] [debug] [aws_credentials] Requesting credentials from the EC2 provider..
[2022/06/29 15:22:34] [debug] [input:tail:tail.0] inode=19100461 events: IN_MODIFY
[2022/06/29 15:22:34] [debug] [input chunk] update output instances with new chunk size diff=693
[2022/06/29 15:22:34] [debug] [input:tail:tail.0] inode=19100461 events: IN_MODIFY
[2022/06/29 15:22:34] [debug] [http_client] server firehose.eu-west-1.amazonaws.com:443 will close connection #74
[2022/06/29 15:22:34] [debug] [aws_client] firehose.eu-west-1.amazonaws.com: http_do=0, HTTP Status: 400
[2022/06/29 15:22:34] [error] [aws_client] auth error, refreshing creds
[2022/06/29 15:22:34] [debug] [aws_credentials] Refresh called on the env provider
[2022/06/29 15:22:34] [debug] [aws_credentials] Refresh called on the profile provider
[2022/06/29 15:22:34] [debug] [aws_credentials] Reading shared config file.
[2022/06/29 15:22:34] [debug] [aws_credentials] Shared config file /root/.aws/config does not exist
[2022/06/29 15:22:34] [debug] [aws_credentials] Reading shared credentials file.
[2022/06/29 15:22:34] [error] [aws_credentials] Shared credentials file /root/.aws/credentials does not exist
[2022/06/29 15:22:34] [debug] [aws_credentials] Refresh called on the EKS provider
[2022/06/29 15:22:34] [debug] [aws_credentials] Calling STS..
[2022/06/29 15:22:34] [debug] [http_client] not using http_proxy for header
[2022/06/29 15:22:34] [debug] [http_client] server sts.eu-west-1.amazonaws.com:443 will close connection #74
[2022/06/29 15:22:34] [debug] [aws_client] sts.eu-west-1.amazonaws.com: http_do=0, HTTP Status: 400
[2022/06/29 15:22:34] [debug] [aws_client] Unable to parse API response- response is not valid JSON.
[2022/06/29 15:22:34] [debug] [aws_credentials] STS raw response:
<ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
<Error>
<Type>Sender</Type>
<Code>InvalidIdentityToken</Code>
<Message>No OpenIDConnect provider found in your account for https://oidc.eks.eu-west-1.amazonaws.com/id/AAAAAAAAAAAAAAAAAA</Message>
</Error>
<RequestId>c517249d-c018-43c3-a712-d0e5080ded86</RequestId>
</ErrorResponse>
fluent-bit service account in namespace newrelic (created by the fluent-bit Helm chart)
kubectl -n newrelic describe sa fluent-bit
Name: fluent-bit
Namespace: newrelic
Labels: app.kubernetes.io/instance=fluent-bit
app.kubernetes.io/managed-by=Helm
app.kubernetes.io/name=fluent-bit
app.kubernetes.io/version=1.9.4
helm.sh/chart=fluent-bit-0.20.2
Annotations: eks.amazonaws.com/role-arn: arn:aws:iam::xxxxxxxxxx:role/kinesis-write
meta.helm.sh/release-name: fluent-bit
meta.helm.sh/release-namespace: newrelic
Policy permissions attached to role arn:aws:iam::xxxxxxxxxx:role/kinesis-write
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"firehose:PutRecord",
"firehose:PutRecordBatch"
],
"Resource": "arn:aws:firehose:region:xxxxxxxxxx:deliverystream/kinesis-backend"
}
]
}
Role arn:aws:iam::xxxxxxxxxx:role/kinesis-write trust relationship (I included the OIDC provider for my EKS cluster in account yyyyyyyyyy)
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::yyyyyyyyy:oidc-provider/oidc.eks.eu-west-1.amazonaws.com/id/AAAAAAAAAAAAAAAAAA"
},
"Action": [
"sts:AssumeRole",
"sts:AssumeRoleWithWebIdentity"
],
"Condition": {
"StringEquals": {
"oidc.eks.eu-west-1.amazonaws.com/id/AAAAAAAAAAAAAAAAAA:sub": "system:serviceaccount:newrelic:fluent-bit"
}
}
}
]
}
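Added example, not from the question, fluent-bit or AWS. STS answered "No OpenIDConnect provider found in your account for <issuer>" while the trust policy names the provider ARN in the cluster's account (yyyy) and the role sits in the Kinesis account (xxxx); STS resolves the Federated principal in the account that owns the role, so cross-account IRSA needs an OIDC identity provider for the cluster's issuer URL created in the role's account and referenced through that account's ARN. The Python below (standard library only) decodes the projected token without verifying it and compares its iss, sub and aud with the trust policy, reporting that account mismatch along with the usual :sub and :aud condition problems. The account IDs 111111111111 and 222222222222 and the token are constructed placeholders.

```python
"""Offline check of an IRSA trust policy against the token the pod actually presents.
Added example, standard library only. The trust policies and the token below are
constructed in the shape shown in the question; account IDs and the OIDC issuer path
are placeholders."""
from __future__ import annotations

import base64
import json
import re

IAM_ARN = re.compile(r"^arn:aws[\w-]*:iam::(\d{12}):(role|oidc-provider)/(.+)$")


def decode_jwt_claims(token: str) -> dict:
    """Read the claims of the projected service-account token WITHOUT verifying it.
    Fine for looking at iss/sub/aud while debugging; never use this for authorization."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # base64url strips padding; put it back
    return json.loads(base64.urlsafe_b64decode(payload))


def check_irsa_trust(role_arn: str, trust_policy: dict, token: str) -> list[str]:
    """Return the mismatches that make STS refuse AssumeRoleWithWebIdentity."""
    role = IAM_ARN.match(role_arn)
    if not role or role.group(2) != "role":
        raise ValueError(f"not a role ARN: {role_arn}")
    role_account = role.group(1)
    claims = decode_jwt_claims(token)
    issuer = re.sub(r"^https://", "", claims["iss"])  # the provider path as IAM names it
    token_aud = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
    problems = []
    for stmt in trust_policy["Statement"]:
        federated = stmt.get("Principal", {}).get("Federated")
        if stmt.get("Effect") != "Allow" or not federated:
            continue
        m = IAM_ARN.match(federated)
        if not m or m.group(2) != "oidc-provider":
            problems.append(f"Federated principal is not an oidc-provider ARN: {federated}")
            continue
        provider_account, provider_path = m.group(1), m.group(3)
        # STS looks the provider up in the account that owns the role; a provider ARN
        # from another account gives "No OpenIDConnect provider found in your account".
        if provider_account != role_account:
            problems.append(f"provider ARN is in account {provider_account} but the role "
                            f"lives in {role_account}; create the provider in {role_account}")
        if provider_path != issuer:
            problems.append(f"provider path {provider_path} does not match token iss {issuer}")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "sts:AssumeRoleWithWebIdentity" not in actions:
            problems.append("statement does not allow sts:AssumeRoleWithWebIdentity")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        want_sub = cond.get(f"{provider_path}:sub")
        if want_sub is None:
            problems.append("no :sub condition; every service account in the cluster "
                            "could assume this role")
        elif want_sub != claims["sub"]:
            problems.append(f"trust wants sub={want_sub}, token carries sub={claims['sub']}")
        want_aud = cond.get(f"{provider_path}:aud")
        if want_aud is not None and want_aud not in token_aud:
            problems.append(f"trust wants aud={want_aud}, token carries aud={token_aud}")
    return problems


def make_unsigned_token(claims: dict) -> str:
    """JWT-shaped string with an empty signature, for the offline check only."""
    def seg(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = seg({"alg": "none", "typ": "JWT"})
    return header + "." + seg(claims) + "."


ISSUER = "oidc.eks.eu-west-1.amazonaws.com/id/AAAAAAAAAAAAAAAAAA"
ROLE_ACCOUNT = "111111111111"     # owns the role and the Firehose stream ("xxxxxxxxxx")
CLUSTER_ACCOUNT = "222222222222"  # owns the EKS cluster ("yyyyyyyyy")
ROLE_ARN = f"arn:aws:iam::{ROLE_ACCOUNT}:role/kinesis-write"
SERVICE_ACCOUNT = "system:serviceaccount:newrelic:fluent-bit"
# What the projected token in the pod carries (constructed, not a real token).
TOKEN = make_unsigned_token({"iss": f"https://{ISSUER}", "sub": SERVICE_ACCOUNT,
                             "aud": ["sts.amazonaws.com"]})


def trust_policy(provider_account: str) -> dict:
    """Trust policy in the shape of the question, parameterised on the provider's account."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::{provider_account}:oidc-provider/{ISSUER}"},
        "Action": ["sts:AssumeRole", "sts:AssumeRoleWithWebIdentity"],
        "Condition": {"StringEquals": {f"{ISSUER}:sub": SERVICE_ACCOUNT}},
    }]}


AS_POSTED = trust_policy(CLUSTER_ACCOUNT)  # provider ARN points at the cluster's account
FIXED = trust_policy(ROLE_ACCOUNT)         # provider created in, and named from, the role's account
```

Inside the pod the real token is the file the EKS pod identity webhook projects at /var/run/secrets/eks.amazonaws.com/serviceaccount/token; paste it into check_irsa_trust with the role's actual trust document. The fix the check points at is to register the cluster's issuer URL as an OIDC provider in the role's account (aws iam create-open-id-connect-provider with sts.amazonaws.com as the client ID) and reference that provider's ARN in the trust policy.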

AWS Opensearch with SAML authentication

I have configured SAML for my AWS Opensearch Service Dashboard and keep getting 'Internal Server Error' after successfully logging in to Okta and getting redirected to the SSO endpoint (https://*****.eu-west-1.es.amazonaws.com/_dashboards/_opendistro/_security/saml/acs). I am using the service provider initiated login flow.
The SAML request looks like:
Host: *****
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: nl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://***.okta.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 10427
Origin: https://***.okta.com
Connection: keep-alive
Cookie: security_authentication=Fe26.2**a179694d11de140222bccdb1b628732ad44371158089d49e851960cdfa74e711*rMo5VnNKA2FukJOaGT4zlw*9I-VJlFm20BlqKCAu7Sg9IUqtnLkPjVb-SBBMrEoSr9qX8NU24K6d7hiK6Q4ONPYo0cUbiGy25qudhs2DfYFrkRYTA1a0zf8fHRdxuQ6FNYXrkqWZ1s__kZVo-sAcwhcA6PbAXjFK3J-Mjy3-2N-VA**f25a0b1ddd9d36f949193a49ea74d88ff8fdb29fc2c0fc6d23102748a645a239*hL7oHPYT2TRQlaFw81ptxtKSFmXhzmcPkFkpF4U0j9U; STATE-TOKEN=fed6e87a-a743-4b36-a0e9-b62a579635a5
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
HTTP/2.0 500 Internal Server Error
date: Mon, 18 Oct 2021 10:06:18 GMT
content-type: application/json; charset=utf-8
content-length: 77
x-amzn-requestid: 7c0a8527-c780-4bc9-b55a-4b8e0e468923
cache-control: private, no-cache, no-store, must-revalidate
osd-name: ip-10-212-37-230.eu-west-1.compute.internal
X-Firefox-Spdy: h2
<saml2p:Response Destination="****/_dashboards/_opendistro/_security/saml/acs"
ID="id12441206744048667167559313"
InResponseTo="ONELOGIN_e54a9652-c4b3-46b1-a9af-192b7892982e"
IssueInstant="2021-10-18T10:15:48.540Z"
Version="2.0"
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
>
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>http://www.okta.com/exk4crh6pK2EwG3xz696</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#id12441206744048667167559313">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="xs"
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>wb2AqxWez2/KbOC81HYKxMoHDgxku2lXWXqrURo0k7k=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>fSB69UWpOukV0hfX7gtoOd5lRU9Z7wKjWiYEfiAXi9eNLJGdzWA35eR5kxL/aSWp3r6TPj0ArcfgVOXgSKQfERWLsNaHuGFd2/vfEPsvb49NruitDgEmCVB+YMxTHZ3DujPlgf2/ADFI5hKV5nJfNkfFaJP/Y6cgnimDlBsXaV+E3wOrs2tfph5WbDYXIjKRlHb24cDJh7SRKK7WEmJR6HRPzlwCOkXGnc/UN1yqFHze+EMw+6buxPq04IoVA2waxNtsKwmm/LBSh5Up+UJdpvZ1ULF3GrTAbSiIbfxHHEQQWXTkwWJufdO+p24SOjcdgyMHqhtPO9Hs5Xa3lSISjg==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDljCCAn6gAwIBAgIGAXyPqbX/MA0GCSqGSIb3DQEBCwUAMIGLMQswCQYDVQQGEwJVUzETMBEG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</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</saml2p:Status>
<saml2:Assertion ID="id124412067441340881963049510"
IssueInstant="2021-10-18T10:15:48.540Z"
Version="2.0"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
>
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>http://www.okta.com/exk4crh6pK2EwG3xz696</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#id124412067441340881963049510">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="xs"
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>3XV/aXHpIRIXjJob312hhWsHbdoo5cqXCgoVM6MakEA=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>TgN3QlXBHPumS7wrixp6R7oX30kyWWeT+dfu/raqBsqBOGb/iyvliPl3FX8AWkTRBjWou4Kbwfo6ashoUq0WvYNWwYZiEPwJVao8WPSzyHWLL8B0NCOoa68sQojWkVsTqGUQPDHqDq08Kxm0GZEudQuOf9SYwE4d+znmoUaBOorgZbFojbPD2AqnunAR9e9VCQYOsinoURVxrGqjIUnxwDpxvBcDl+i5CVcTCYmrG3VbPiLNaAdUXYAyyie4z3wa19reLk+O9NJ0EgqNxOnhEKc2SyJ7YxgA+UWTDjPIkqcww8AJl/LAmx6WY+KRu7nrlcwA4UWoNRuqgUaw2JoB7Q==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDljCCAn6gAwIBAgIGAXyPqbX/MA0GCSqGSIb3DQEBCwUAMIGLMQswCQYDVQQGEwJVUzETMBEG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</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jeroenvanpelt#hotmail.com</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData InResponseTo="ONELOGIN_e54a9652-c4b3-46b1-a9af-192b7892982e"
NotOnOrAfter="2021-10-18T10:20:48.540Z"
Recipient="****/_dashboards/_opendistro/_security/saml/acs"
/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2021-10-18T10:10:48.540Z"
NotOnOrAfter="2021-10-18T10:20:48.540Z"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>
<saml2:AudienceRestriction>
<saml2:Audience>opensearch-saml</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2021-10-18T10:15:47.768Z"
SessionIndex="ONELOGIN_e54a9652-c4b3-46b1-a9af-192b7892982e"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:Attribute Name="roles"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
>
<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>all_access</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
</saml2p:Response>
The error response in the browser is: {"statusCode":500,"error":"Internal Server Error","message":"Internal Error"}.
In the error logs (CloudWatch), I have found the following messages:
[2021-10-18T01:45:40,286][WARN ][c.a.d.a.h.s.AuthTokenProcessorHandler] [ba6ca9920d4df640d8973f488f4c11c3] Error while validating SAML response in __PATH__
[2021-10-18T00:52:39,445][WARN ][r.suppressed ] [ba6ca9920d4df640d8973f488f4c11c3] path: __PATH__ params: {settings_filter=plugins.security.ssl.transport.pemkey_filepath,plugins.security.cert.oid,plugins.security.enable_snapshot_restore_privilege,plugins.security.audit.config.pemtrustedcas_filepath,reindex.ssl.supported_protocols,opendistro_security.compliance.history.external_config_enabled,plugins.security.ssl.transport.truststore_password,plugins.security.ssl.transport.keystore_alias,plugins.security.ssl.transport.keystore_type,plugins.security.check_snapshot_restore_write_privileges,plugins.security.advanced_modules_enabled,reindex.ssl.truststore.password,opendistro_security.*,plugins.security.ssl.transport.truststore_alias,plugins.security.unsupported.accept_invalid_config,plugins.security.audit.config.webhook.format,plugins.security.audit.config.webhook.ssl.pemtrustedcas_filepath,plugins.security.audit.config.pemkey_password,plugins.security.background_init_if_securityindex_not_exist,plugins.security.ssl.transport.enabled,plugins.security.audit.config.webhook.ssl.verify,plugins.security.ssl.transport.keystore_keypassword,plugins.security.protected_indices.roles,plugins.security.audit.config.index,plugins.security.ssl.http.keystore_alias,plugins.security.audit.config.webhook.url,plugins.security.allow_unsafe_democertificates,plugins.security.unsupported.restapi.allow_securityconfig_modification,plugins.security.allow_default_init_securityindex,plugins.security.ssl.http.truststore_type,plugins.security.ssl.transport.keystore_password,plugins.security.audit.config.log4j.logger_name,reindex.ssl.keystore.key_password,reindex.ssl.truststore.type,plugins.security.ssl.http.keystore_filepath,plugins.security.kerberos.krb5_filepath,plugins.security.ssl.transport.keystore_filepath,plugins.security.ssl.client.external_context_id,plugins.security.ssl.transport.pemcert_filepath,plugins.security.unsupported.inject_user.enabled,plugins.security.ssl.http.pemkey_password,opendi
stro_security.audit.enable_rest,reindex.ssl.key_passphrase,opendistro_security.audit.resolve_bulk_requests,plugins.security.restapi.password_validation_regex,plugins.security.unsupported.allow_now_in_dls,plugins.security.audit.config.type,plugins.security.ssl.transport.truststore_type,plugins.security.audit.threadpool.max_queue_len,plugins.security.audit.config.pemcert_filepath,plugins.security.audit.config.password,plugins.security.ssl.transport.enforce_hostname_verification,plugins.security.unsupported.restore.securityindex.enabled,plugins.security.*,plugins.security.config_index_name,plugins.security.audit.config.pemtrustedcas_content,plugins.security.ssl.transport.pemtrustedcas_filepath,reindex.ssl.truststore.path,plugins.security.ssl.http.pemcert_filepath,reindex.ssl.keystore.password,reindex.ssl.certificate_authorities,plugins.security.compliance.disable_anonymous_authentication,opendistro_security.audit.resolve_indices,plugins.security.audit.config.pemcert_content,plugins.security.ssl.http.truststore_password,plugins.security.ssl.http.crl.prefer_crlfile_over_ocsp,plugins.security.audit.config.pemkey_filepath,opendistro_security.compliance.history.read.metadata_only,opendistro_security.compliance.history.write.log_diffs,plugins.security.ssl.transport.extended_key_usage_enabled,plugins.security.unsupported.load_static_resources,plugins.security.compliance.salt,plugins.security.filter_securityindex_from_all_requests,reindex.ssl.certificate,plugins.security.ssl.http.crl.validate,reindex.ssl.verification_mode,opendistro_security.audit.enable_transport,plugins.security.ssl.http.crl.validation_date,plugins.security.audit.config.enable_ssl_client_auth,plugins.security.ssl.http.pemtrustedcas_filepath,plugins.security.ssl.http.keystore_keypassword,plugins.security.ssl_only,opendistro_security.compliance.history.write.metadata_only,opendistro_security.audit.log_request_body,plugins.security.unsupported.inject_user.admin.enabled,plugins.security.audit.config.webhook.ssl.
pemtrustedcas_content,plugins.security.ssl.http.pemkey_filepath,plugins.security.ssl_cert_reload_enabled,plugins.security.audit.config.username,plugins.security.ssl.http.crl.disable_crldp,plugins.security.audit.threadpool.size,plugins.security.roles_mapping_resolution,plugins.security.audit.config.pemkey_content,reindex.ssl.keystore.path,plugins.security.ssl.http.enabled,plugins.security.kerberos.acceptor_keytab_filepath,plugins.security.system_indices.enabled,plugins.security.audit.config.cert_alias,reindex.ssl.client_authentication,reindex.ssl.keystore.type,plugins.security.audit.config.log4j.level,plugins.security.ssl.transport.truststore_filepath,plugins.security.audit.type,plugins.security.disabled,reindex.ssl.cipher_suites,plugins.security.disable_envvar_replacement,plugins.security.restapi.password_validation_error_message,plugins.security.ssl.http.crl.check_only_end_entities,opendistro_security.compliance.history.internal_config_enabled,opendistro_security.audit.exclude_sensitive_headers,secret_key,plugins.security.ssl.http.enable_openssl_if_available,plugins.security.ssl.http.clientauth_mode,plugins.security.protected_indices.enabled,plugins.security.unsupported.disable_rest_auth_initially,reindex.ssl.key,plugins.security.ssl.http.crl.file_path,plugins.security.audit.config.enable_ssl,plugins.security.kerberos.acceptor_principal,plugins.security.cert.intercluster_request_evaluator_class,reindex.ssl.keystore.algorithm,plugins.security.audit.config.verify_hostnames,plugins.security.ssl.http.keystore_type,plugins.security.ssl.http.truststore_filepath,plugins.security.cache.ttl_minutes,plugins.security.ssl.transport.pemkey_password,plugins.security.system_indices.indices,plugins.security.ssl.transport.enable_openssl_if_available,access_key,plugins.security.ssl.http.keystore_password,plugins.security.ssl.http.crl.disable_ocsp,plugins.security.ssl.http.truststore_alias,plugins.security.ssl.transport.principal_extractor_class,plugins.security.protected_indices.ind
ices,plugins.security.ssl.transport.resolve_hostname,plugins.security.unsupported.disable_intertransport_auth_initially, filter_path=nodes.*.attributes.di_number}
OpenSearchSecurityException[OpenSearch Security not initialized for __PATH__]
at org.opensearch.security.filter.SecurityFilter.apply0(SecurityFilter.java:296)
at org.opensearch.security.filter.SecurityFilter.apply(SecurityFilter.java:154)
at org.opensearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:191)
at org.opensearch.action.support.TransportAction.execute(TransportAction.java:169)
at org.opensearch.action.support.TransportAction.execute(TransportAction.java:97)
at org.opensearch.client.node.NodeClient.executeLocally(NodeClient.java:99)
at org.opensearch.client.node.NodeClient.doExecute(NodeClient.java:88)
at org.opensearch.client.support.AbstractClient.execute(AbstractClient.java:428)
at org.opensearch.client.support.AbstractClient$ClusterAdmin.execute(AbstractClient.java:717)
at org.opensearch.client.support.AbstractClient$ClusterAdmin.state(AbstractClient.java:747)
at org.opensearch.rest.action.admin.cluster.RestClusterStateAction.lambda$prepareRequest$0(RestClusterStateAction.java:125)
at org.opensearch.rest.BaseRestHandler.handleRequest(BaseRestHandler.java:128)
at org.opensearch.security.filter.SecurityRestFilter$1.handleRequest(SecurityRestFilter.java:128)
at org.opensearch.rest.RestController.dispatchRequest(RestController.java:271)
at org.opensearch.rest.RestController.tryAllHandlers(RestController.java:353)
at org.opensearch.rest.RestController.dispatchRequest(RestController.java:204)
__AMAZON_INTERNAL__
__AMAZON_INTERNAL__
__AMAZON_INTERNAL__
__AMAZON_INTERNAL__
__AMAZON_INTERNAL__
__AMAZON_INTERNAL__
__AMAZON_INTERNAL__
__AMAZON_INTERNAL__
at org.eclipse.jetty.server.handler.GzipHandler.handle(GzipHandler.java:301)
__AMAZON_INTERNAL__
at org.eclipse.jetty.server.handler.HandlerList.handle(HandlerList.java:52)
__AMAZON_INTERNAL__
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
at org.eclipse.jetty.server.Server.handle(Server.java:370)
at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:489)
at org.eclipse.jetty.server.AbstractHttpConnection.headerComplete(AbstractHttpConnection.java:949)
at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.headerComplete(AbstractHttpConnection.java:1011)
at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:644)
at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:668)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
at __PATH__(Thread.java:834)
I started a new Opensearch cluster after users started to complain they could no longer log in to an older ES Cluster that was recently updated to Opensearch. Instead of SAML authentication, it was using Cognito authentication. As it was working before, and I followed the instructions (https://docs.aws.amazon.com/opensearch-service/latest/developerguide/saml.html) carefully again for both Cognito authentication and SAML authentication, it feels like something is wrong with Opensearch itself.
Check the SAML URLs configured in your IdP Broker as they changed from ES 7.x to OpenSearch 1.x. Also, try switching between using either the IdP or SP URL.
I've got exactly the same issue as you and I've managed to fix it by changing the SubjectKey to a custom SAML attribute:
I've added an attribute named email to my IdP configuration (Okta in your case, AWS SSO in my case).
Then I've set it up as the SubjectKey in AWS Opensearch. Here is my configuration for comparison:
SAML_METADATA=$(cat saml.xml | sed 's/"/\\\"/g' | sed ':a;N;$!ba;s/\n/\\n/g')
SAML_ENTITY_ID=$(grep entityID saml.xml | sed -r 's:.*entityID="(.*)".*:\1:')
aws opensearch update-domain-config \
--domain-name <name of the OpenSearch domain> \
--advanced-security-options '{"SAMLOptions":{"Enabled":true,"MasterUserName":"my-email#example.com", "Idp":{"EntityId":"'$SAML_ENTITY_ID'","MetadataContent":"'"$SAML_METADATA"'"}, "SessionTimeoutMinutes":180, "SubjectKey":"email"}}'
Here's what I did to solve the 500 internal server error with OpenSearch SSO login.
Note: Only if you are using AWS SSO
Log into AWS SSO console > Applications > Add New Application > search for OpenSearch (or select add custom SAML application)
Enter Display Name and Description and download AWS SSO SAML Metadata File
Go to the Application metadata section and add the Application ACS URL (Copy SSO URL (IdP initiated) from OpenSearch domain security configuration) > Save Changes
Go to Attribute mappings and add an attribute in the 1st column, e.g. email > value as ${user:email} > Save changes and assign the required users.
Go to OpenSearch domain security configuration > upload the metadata file downloaded during step 2
Go to Additional Settings and add email (attribute name in step 4) to Subject key - optional
Go to your AWS SSO Start page you should see OpenSearch there.
Hope this helps

Sqs.IO in Apache Beam and Session Credentials

I would like to access AWS SQS with short lived credentials from an Apache Beam pipeline.
In AWS IAM I have created a role with the following trust relationship:
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:sts::xxxxxx:assumed-role/gcp_role/gcp-project-session-name",
"Service": "sqs.amazonaws.com"
},
"Action": "sts:AssumeRole"
},
With this role I am able to access SQS from my local machine.
I used AWS BasicSessionCredentials as follows:
BasicSessionCredentials refreshedAWSCredentials = new BasicSessionCredentials(
refreshedCredentials.getAccessKeyId(),
refreshedCredentials.getSecretAccessKey(),
refreshedCredentials.getSessionToken());
AWSSecurityTokenService service = AWSSecurityTokenServiceClientBuilder.standard()
.withCredentials(new AWSStaticCredentialsProvider(refreshedAWSCredentials))
.withRegion(options.getAwsRegion()).build();
I add the credentials object to the pipeline options:
options.setAwsSessionToken(refreshedAWSCredentials.getSessionToken());
options.setAwsCredentialsProvider(new AWSStaticCredentialsProvider(refreshedAWSCredentials));
return Pipeline.create(options);
At the end I always run into the following error:
Caused by: org.apache.beam.sdk.util.UserCodeException: com.amazonaws.services.sqs.model.AmazonSQSException:
The security token included in the request is invalid. (Service: AmazonSQS; Status Code: 403; Error Code:
InvalidClientTokenId; Request ID: 501e9869-ea58-5e80-9ec1-c1exxxx; Proxy: null
I assume that the AWSStaticCredentialsProvider does not know about the AWS_SECRET_TOKEN.
That's why I set up a STSAssumeRoleSessionCredentialsProvider, which should work with temporary credentials:
STSAssumeRoleSessionCredentialsProvider stsSessionProvider = new STSAssumeRoleSessionCredentialsProvider
.Builder(awsRoleArn, awsRoleSession)
.withStsClient(service)
.build();
This is the associated pipeline code:
p.apply(SqsIO.read().withQueueUrl(options.getSourceQueueUrl())
.withMaxNumRecords(options.getNumberOfRecords()))
.apply(ParDo.of(new SqsMessageToJson()))
.apply(TextIO.write()
.to(options.getDestinationBucketUrl() + "/purchase_intent/")
.withSuffix(".json"));
Even if I used the above provider, which worked locally as well, I got the same exception shown above. So, I am wondering how to set up SqsIO with temp credentials.

The APIM gateway couldn't find a public certificate to verify signature

We encounter a blocking error during the validation of a JWT token by the gateway.
We are testing an integration environment using two docker containers on two different virtual machines. The first vm contains the APIM 3.0.0 and the second contains the IS 5.9 as Key Manager. The IS is federated with Azure AD.
We obtain a well-formed JWT token from IS with user data from Azure, but the APIM couldn't find a public certificate to verify the signature with the given alias. Both wso2 components have their own client-truststore.jks updated with a re-created public certificate (we replaced localhost with the public IP of the vms).
Some useful details follow.
This is the error in the log of the APIM container:
[2020-01-30 15:20:00,072] WARN - SourceHandler I/O error: Received fatal alert: certificate_unknown
[2020-01-30 15:20:00,404] ERROR - GatewayUtils Couldn't find a public certificate to verify signature with alias ZDgzMWM0MTU3NGI3ODkyYTVkN2Q2N2NmYzI5ZWU4ZjcxYTcyYzlkZA_RS256
[2020-01-30 15:20:00,405] ERROR - APIAuthenticationHandler API authentication failure due to Unclassified Authentication Failure
org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Unclassified Authentication Failure
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.isAuthenticate_aroundBody42(APIAuthenticationHandler.java:433) ~[org.wso2.carbon.apimgt.gateway_6.5.349.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.isAuthenticate(APIAuthenticationHandler.java:413) ~[org.wso2.carbon.apimgt.gateway_6.5.349.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest_aroundBody36(APIAuthenticationHandler.java:349) [org.wso2.carbon.apimgt.gateway_6.5.349.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest(APIAuthenticationHandler.java:320) [org.wso2.carbon.apimgt.gateway_6.5.349.jar:?]
at org.apache.synapse.rest.API.process(API.java:366) [synapse-core_2.1.7.wso2v131.jar:2.1.7-wso2v131]
at org.apache.synapse.rest.RESTRequestHandler.apiProcessNonDefaultStrategy(RESTRequestHandler.java:149) [synapse-core_2.1.7.wso2v131.jar:2.1.7-wso2v131]
at org.apache.synapse.rest.RESTRequestHandler.dispatchToAPI(RESTRequestHandler.java:95) [synapse-core_2.1.7.wso2v131.jar:2.1.7-wso2v131]
at org.apache.synapse.rest.RESTRequestHandler.process(RESTRequestHandler.java:71) [synapse-core_2.1.7.wso2v131.jar:2.1.7-wso2v131]
at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(Axis2SynapseEnvironment.java:325) [synapse-core_2.1.7.wso2v131.jar:2.1.7-wso2v131]
at org.apache.synapse.core.axis2.SynapseMessageReceiver.receive(SynapseMessageReceiver.java:98) [synapse-core_2.1.7.wso2v131.jar:2.1.7-wso2v131]
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180) [axis2_1.6.1.wso2v38.jar:?]
at org.apache.synapse.transport.passthru.ServerWorker.processNonEntityEnclosingRESTHandler(ServerWorker.java:367) [synapse-nhttp-transport_2.1.7.wso2v131.jar:?]
at org.apache.synapse.transport.passthru.ServerWorker.processEntityEnclosingRequest(ServerWorker.java:412) [synapse-nhttp-transport_2.1.7.wso2v131.jar:?]
at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:181) [synapse-nhttp-transport_2.1.7.wso2v131.jar:?]
at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172) [axis2_1.6.1.wso2v38.jar:?]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_222]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_222]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_222]
These are the keys provided by https://my_is_ip:my_port/oauth2/jwks:
{
"keys":[
{
"kty":"RSA",
"e":"AQAB",
"use":"sig",
"kid":"ZDgzMWM0MTU3NGI3ODkyYTVkN2Q2N2NmYzI5ZWU4ZjcxYTcyYzlkZA",
"alg":"RS256",
"n":"nwcvFrmKaAV3WLgNaronqMHZB5BK7czaRwaKAyM0PTR1KzSa3DJw3CtLtcyz6zvU72JmgFMRyu65H_ly51bCOI6UrpJrKs9bW50fVgjrlqAkCHYIP81s6YgmmLJ-LVZqhAN8g8FH_3b27zbzZ6crspaDmFjSfou4t_A6UTSvQRFbCzp9i5WmQLRHHDy74v9zJWeXCSVA9CknXV4dqpPGMVjJOQzmcaRmZs_rWpdasQUul-D59pY22FrtIziZDLVTerGDGir_dJJboFCzS_DXRch44NJk3cU4lrCcsAP2RXyNhVjJPgmilEnr1aRnxY-WNm_5QKGh37Ez8dLJVVw6LQ"
},
{
"kty":"RSA",
"e":"AQAB",
"use":"sig",
"kid":"ZDgzMWM0MTU3NGI3ODkyYTVkN2Q2N2NmYzI5ZWU4ZjcxYTcyYzlkZA_RS256",
"alg":"RS256",
"n":"nwcvFrmKaAV3WLgNaronqMHZB5BK7czaRwaKAyM0PTR1KzSa3DJw3CtLtcyz6zvU72JmgFMRyu65H_ly51bCOI6UrpJrKs9bW50fVgjrlqAkCHYIP81s6YgmmLJ-LVZqhAN8g8FH_3b27zbzZ6crspaDmFjSfou4t_A6UTSvQRFbCzp9i5WmQLRHHDy74v9zJWeXCSVA9CknXV4dqpPGMVjJOQzmcaRmZs_rWpdasQUul-D59pY22FrtIziZDLVTerGDGir_dJJboFCzS_DXRch44NJk3cU4lrCcsAP2RXyNhVjJPgmilEnr1aRnxY-WNm_5QKGh37Ez8dLJVVw6LQ"
}
]
}
This is the result of the Postman call:
<ams:fault xmlns:ams="http://wso2.org/apimanager/security">
<ams:code>900900</ams:code>
<ams:message>Unclassified Authentication Failure</ams:message>
<ams:description>Unclassified Authentication Failure</ams:description>
</ams:fault>
This is the JWT token:
HEADER
{
"x5t": "ZDgzMWM0MTU3NGI3ODkyYTVkN2Q2N2NmYzI5ZWU4ZjcxYTcyYzlkZA",
"kid": "ZDgzMWM0MTU3NGI3ODkyYTVkN2Q2N2NmYzI5ZWU4ZjcxYTcyYzlkZA_RS256",
"alg": "RS256"
}
PAYLOAD
{
"at_hash": "hGnuod6ShKRrlkH_P-k4QA",
"sub": "d6206844-e54b-4ec2-8ace-26b46da24df2",
"ver": "1.0",
"richAccettazionePrivacy": "***************",
"iss": "https://***************:9443/oauth2/token",
"given_name": "***************",
"richAttivazioneCarta": "***************",
"tid": "962b4d1f-a68b-433e-aa78-265ef05d1047",
"aud": [
"dSdZgafomIsRXYQr6XyxIZyjp74a",
"***************"
],
"nbf": 1580399831,
"azp": "dSdZgafomIsRXYQr6XyxIZyjp74a",
"extension_codiceFiscale": "***************",
"scope": "openid",
"auth_time": "1580399827",
"name": "***************",
"exp": 1580403431,
"iat": 1580399831,
"personaId": "***************",
"family_name": "***************",
"jti": "c3b8c9bf-029c-4e51-8969-07f898e5654f",
"email": "***************"
}
How can we solve this problem?
The public certificate of the private key that is used to sign the tokens should be added to the trust store under the "gateway_certificate_alias" alias. For more information, see Import the public certificate into the client trust store.
Ref: https://apim.docs.wso2.com/en/3.0.0/Learn/APISecurity/OAuth2/AccessTokenTypes/jwt-tokens/
We solved it by adding the Identity Server public certificate to the API Manager client-truststore with an alias equal to the kid present in the token header.
As you can see, there is no public certificate for alias ZDgzMWM0MTU3NGI3ODkyYTVkN2Q2N2NmYzI5ZWU4ZjcxYTcyYzlkZA_RS256. What you can do is:
Navigate to the IS_HOME/repository/resources/security/ directory.
Run keytool -export -alias wso2carbon -file wso2.crt -keystore wso2carbon.jks in that directory. The password is wso2carbon.
This will create a copy of the wso2carbon certificate.
Run keytool -import -trustcacerts -keystore client-truststore.jks -alias ZDgzMWM0MTU3NGI3ODkyYTVkN2Q2N2NmYzI5ZWU4ZjcxYTcyYzlkZA_RS256 -file wso2.crt in API-M_HOME/repository/resources/security/ to add the wso2carbon public key to the trust store.
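A small diagnostic for the alias problem in this question, added here as an example and not WSO2 code: it decodes the token header, takes the kid the gateway will look up, and reports whether that kid is published in the JWKS and present as a truststore alias. The alias list would normally come from keytool -list; here it is a constructed sample, the JWKS moduli are elided, and the token payload and signature are placeholders.

```python
import base64
import json

# Values taken from the token header and JWKS shown in the question above.
KID = "ZDgzMWM0MTU3NGI3ODkyYTVkN2Q2N2NmYzI5ZWU4ZjcxYTcyYzlkZA_RS256"
X5T = "ZDgzMWM0MTU3NGI3ODkyYTVkN2Q2N2NmYzI5ZWU4ZjcxYTcyYzlkZA"
# Constructed JWKS: the same two kids the IS published, moduli elided.
SAMPLE_JWKS = {"keys": [
    {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": X5T, "n": "<elided>"},
    {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": KID, "n": "<elided>"},
]}

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(segment: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def build_sample_jwt() -> str:
    # Constructed token: header fields from the page, placeholder payload/signature.
    header = {"x5t": X5T, "kid": KID, "alg": "RS256"}
    payload = {"sub": "d6206844-e54b-4ec2-8ace-26b46da24df2", "scope": "openid"}
    parts = [b64url_encode(json.dumps(p).encode()) for p in (header, payload)]
    return ".".join(parts + [b64url_encode(b"placeholder-signature")])

def jwt_header(token: str) -> dict:
    return json.loads(b64url_decode(token.split(".")[0]))

def expected_alias(token: str) -> str:
    # The gateway resolves the verification certificate by the token's kid,
    # so the client-truststore alias must equal the kid exactly.
    header = jwt_header(token)
    if "kid" not in header or str(header.get("alg", "none")).lower() == "none":
        raise ValueError("token lacks a usable kid/alg header")
    return header["kid"]

def diagnose(token: str, jwks: dict, truststore_aliases: list) -> dict:
    """Check whether the kid is published by the IS and trusted by the gateway."""
    header = jwt_header(token)
    kid = expected_alias(token)
    return {
        "kid": kid,
        "published_in_jwks": any(k.get("kid") == kid for k in jwks.get("keys", [])),
        "in_truststore": kid in truststore_aliases,
        # In the token on this page the kid is x5t + "_" + alg; flag a mismatch.
        "kid_matches_x5t_alg": kid == f"{header.get('x5t')}_{header.get('alg')}",
        "keytool_alias_needed": None if kid in truststore_aliases else kid,
    }
```

When keytool_alias_needed is not None, that is the exact alias to pass to keytool -import on the gateway's client-truststore.jks.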

(MalformedXML) when calling the PutBucketReplication

I'm trying to put a cross-account bucket replication configuration with the AWS CLI:
aws s3api put-bucket-replication --bucket "mybucket" \
  --replication-configuration "{\"Role\": \"arn:aws:iam::xxxxxxx:role/buckets-replication\", \"Rules\": [{ \"Status\": \"Enabled\", \"Priority\": 1, \"DeleteMarkerReplication\": { \"Status\": \"Enabled\" }, \"Destination\": { \"Bucket\": \"arn:aws:s3:::mybucket-destination\", \"AccessControlTranslation\": { \"Owner\": \"Destination\" } } }]}" \
  --region "eu-west-1" --profile default
and I get this error:
An error occurred (MalformedXML) when calling the PutBucketReplication operation: The XML you provided was not well-formed or did not validate against our published schema
The corresponding XML is:
<ReplicationConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<Role>string</Role>
<Rule>
<Status>string</Status>
<Priority>integer</Priority>
<DeleteMarkerReplication>
<Status>string</Status>
</DeleteMarkerReplication>
<Destination>
<Bucket>string</Bucket>
<AccessControlTranslation>
<Owner>string</Owner>
</AccessControlTranslation>
</Destination>
</Rule>
</ReplicationConfiguration>
I really don't see what is wrong in the syntax. I followed this documentation: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketReplication.html#AmazonS3-PutBucketReplication-request-Role
It seems that
<DeleteMarkerReplication>
<Status>string</Status>
</DeleteMarkerReplication>
is required, even if set to Disabled.