error making upstream request 403 sts vault from aws instance - amazon-web-services

I have attached one IAM role to the AWS instance. The role my-role has administrative permissions and STS permissions as well.
I ran the following commands, but I get an error.
export VAULT_ADDR=https://somevaultsite.com
vault login -tls-skip-verify -address=https://somevaultsite.com -method=aws role=my-role
Error authenticating: Error making API request.
URL: PUT https://somevaultsite.com/v1/auth/aws/login
Code: 400. Errors:
* error making upstream request: received error code 403 from STS: <ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
<Error>
<Type>Sender</Type>
<Code>InvalidClientTokenId</Code>
<Message>The security token included in the request is invalid</Message>
</Error>
<RequestId>SOME-REQUEST-ID</RequestId>
</ErrorResponse>
And when I run the vault command passing the region, I get this error:
vault login -tls-skip-verify -address=https://somevaultsite.com -method=aws role=my-role region=us-gov-west-1
Error authenticating: Error making API request.
URL: PUT https://somevaultsite.com/v1/auth/aws/login
Code: 400. Errors:
* error making upstream request: received error code 403 from STS: <ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
<Error>
<Type>Sender</Type>
<Code>SignatureDoesNotMatch</Code>
<Message>Credential should be scoped to a valid region, not 'us-gov-west-1'. </Message>
</Error>
<RequestId>SOME-REQUEST-ID</RequestId>
</ErrorResponse>
I have bound the role in Vault as well.
vault write auth/aws/role/my-role auth_type=iam policies=my-policy max_ttl=1h bound_iam_principal_arn=arn:aws-us-gov:iam::xxxxx:role/my-role
Note: I added the -tls-skip-verify option because the certificate is not a valid one.

We should set the STS endpoint:
vault write auth/aws/config/client sts_endpoint=https://sts.us-gov-west-1.amazonaws.com
Then run your login command:
vault login -tls-skip-verify -address=https://somevaultsite.com -method=aws role=my-role region=us-gov-west-1
Success! You are now authenticated. The token information displayed below is already stored in the token helper. You do NOT need to run "vault login" again. Future Vault requests will automatically use this token.
Here's a Google Groups link with the discussion.
Another link for STS.
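To show why the STS endpoint matters, here is an added example (not code from the question, the answer or Vault itself) of what the iam auth type actually sends: the client SigV4-signs an STS GetCallerIdentity request and Vault replays it against its configured sts_endpoint, trusting the ARN STS returns. The credentials and timestamp are constructed, and the login field names are taken from the Vault aws auth method documentation (an assumption about the exact shape); the credential scope in the signature is pinned to a region, so a request scoped to us-gov-west-1 can only be verified by the GovCloud STS endpoint.

```python
import base64, datetime, hashlib, hmac, json

BODY = "Action=GetCallerIdentity&Version=2011-06-15"
# Constructed sample credentials and clock; nothing here is a real key.
SAMPLE_CREDS = ("AKIAEXAMPLEKEY000000", "exampleSecretKey/notReal", "exampleSessionToken")
SAMPLE_TIME = datetime.datetime(2024, 1, 2, 3, 4, 5)

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sign_get_caller_identity(region, sts_host, creds=SAMPLE_CREDS, when=SAMPLE_TIME):
    """SigV4-sign POST https://<sts_host>/ (GetCallerIdentity); returns headers, scope."""
    access_key, secret_key, session_token = creds
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")
    scope = f"{when:%Y%m%d}/{region}/sts/aws4_request"   # pins the signature to a region
    headers = {
        "content-type": "application/x-www-form-urlencoded; charset=utf-8",
        "host": sts_host,            # must be the endpoint Vault will replay to
        "x-amz-date": amz_date,
        "x-amz-security-token": session_token,
    }
    signed = ";".join(sorted(headers))
    canonical = "\n".join(["POST", "/", "",
                           "".join(f"{k}:{headers[k]}\n" for k in sorted(headers)),
                           signed, hashlib.sha256(BODY.encode()).hexdigest()])
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    key = _hmac(("AWS4" + secret_key).encode(), f"{when:%Y%m%d}")
    for part in (region, "sts", "aws4_request"):   # derive the region-scoped signing key
        key = _hmac(key, part)
    sig = hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed}, Signature={sig}")
    return headers, scope

def vault_iam_login_payload(role, region, sts_host):
    """Body the CLI sends to auth/aws/login for auth_type=iam (field names per Vault docs).
    Vault decodes it, replays the request to its configured sts_endpoint and trusts the ARN."""
    headers, _ = sign_get_caller_identity(region, sts_host)
    b64 = lambda s: base64.b64encode(s.encode()).decode()
    return {"role": role, "iam_http_request_method": "POST",
            "iam_request_url": b64(f"https://{sts_host}/"),
            "iam_request_body": b64(BODY),
            "iam_request_headers": b64(json.dumps({k: [v] for k, v in headers.items()}))}

def signed_host(payload):
    """STS host the replayed request is bound to, decoded from the payload."""
    return base64.b64decode(payload["iam_request_url"]).decode().split("/")[2]
```

If Vault's sts_endpoint points at the commercial STS while the payload is bound to the GovCloud host and region scope, the replay either hits an STS that does not know the GovCloud session token (InvalidClientTokenId) or fails the region check in the credential scope (SignatureDoesNotMatch), which is exactly what the two errors above report.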

Related

AWS SSM "The security token included in the request is expired"

I have a step of action of type aws:runCommand. It runs for 14+ hours. Everything runs successfully, but when the step attempts to complete, I get this error:
Automation Step Execution fails when it is verifying the command has completed. Get Exception from ListCommands API of ssm Service. Exception Message from ListCommands API: [The security token included in the request is expired (Service: AWSSimpleSystemsManagement; Status Code: 400; Error Code: ExpiredTokenException; Request ID: ...; Proxy: null)]. Please refer to Automation Service Troubleshooting Guide for more diagnosis details
I've attempted to refresh the token by having the last step in my script be aws sts assume-role --role-arn arn:aws:iam::<account_id>:role/<role_name_attached_to_instance> --role-session-name <some_name>.
After this, I can run aws ssm list-commands --command-id <command_id> on the instance and I am not blocked by permissions. I see data.
If the instance can talk to SSM, I'm not sure why I'm getting this error.

AWS SSO Custom App SAML Authentication error (InvalidIdentityToken, Invalid Base64 SAMLResponse)

I have created a sample custom app on AWS SSO and tried to authorize users with SAML.
The workflow is as follows:
User clicks custom app logo on SSO console and starts authentication flow. SAML IDP endpoint in this case is the endpoint which was created during custom application creation. Works ok.
AWS redirects to the defined ACS (Nest.js backend API server on localhost) with SAML Response. This also works ok. Response seems to be valid and includes all attributes etc.
Backend API validates the response and calls STS with the AssumeRoleWithSAML command, which sends the aforementioned SAML response to STS with role and principal ARNs. The IDP endpoint is an account's identity provider which has been created by AWS SSO. This does not work. It produces the following error:
An error occurred (InvalidIdentityToken) when calling the
AssumeRoleWithSAML operation: Invalid base64 SAMLResponse (Service:
AWSOpenIdDiscoveryService; Status Code: 400; Error Code:
AuthSamlInvalidSamlResponseException; Request ID:
55120f74-c9e8-4dac-b416-370b771339e5; Proxy: null)
So basically the problem is that AWS does not accept, or is not able to process, a SAML response which was created by AWS.
What do I not understand here? Are different issuer IDs or certificates causing the error?
Should I modify the SAML response before sending it back to AWS?
Edit: I made some changes to attribute mappings (see comments to this message) and it helped. However, now I get another type of error message:
InvalidIdentityToken: Issuer not present in specified provider
(Service: AWSOpenIdDiscoveryService; Status Code: 400; Error Code:
AuthSamlInvalidSamlResponseException;
I resolved this problem by creating a new identity provider on AWS IAM console and using the same custom application SSO meta data.

How do I get AssumeRoleWithSAML to work with the CLI when the same request works with Postman

I have been trying identity federation using SAML from a cloud-based SAML provider to an application hosted on an AWS S3 bucket. The SAML IdP is posting the SAMLResponse to the configured ACS (an API Gateway endpoint in the web app). When I use this SAMLResponse with Postman to AssumeRoleWithSAML to get STS tokens, it works fine with a proper 200 response. But the same SAMLResponse is not working using the CLI (AWS Command Line Interface); I get the error below.
I tried with AWS CLI version 1.x as well as the latest 2.x; the response is the same.
Command:
aws sts assume-role-with-saml --role-arn arn:aws:iam::123456789:role/xxxxx --principal-arn arn:aws:iam::123456789:saml-provider/xxxx-saml-provider --saml-assertion file://samlresponse.log
Error:
An error occurred (InvalidIdentityToken) when calling the AssumeRoleWithSAML operation: Invalid base64 SAMLResponse (Service: AWSOpenIdDiscoveryService; Status Code: 400; Error Code: AuthSamlInvalidSamlResponseException;
Could not find any good help in knowing what's wrong, and the CLI is not giving any meaningful error such as "Token Expired" etc.
Following is a sample POST request using Postman that works fine:
https://sts.amazonaws.com/?Version=2011-06-15&Action=AssumeRoleWithSAML&RoleArn=arn:aws:iam::123456789:role/xxxx-saml&PrincipalArn=arn:aws:iam::123456789:saml-provider/xxxx-saml-provider&SAMLAssertion=PD94bWwgdmVyc2lv===
This is resolved. The SAMLResponse used was URL encoded, and for --assume-role-with-saml the base64 value was incompatible. Once the response was decoded with the decodeURI function, it worked as expected.
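As an added example (not the asker's code), a small normalizer for the situation just described: it undoes the form/URL encoding a browser POST applies to the SAMLResponse (+ becomes %2B, / becomes %2F, = becomes %3D) before the value is handed to --saml-assertion, and checks that the result really is base64-wrapped XML rather than letting STS report a bare "Invalid base64 SAMLResponse". The sample value is constructed: the page's own PD94bWwgdmVyc2lv prefix (base64 of "<?xml versio") extended by one character and then percent-encoded.

```python
import base64
import binascii
from urllib.parse import unquote

# Constructed sample: base64("<?xml version") as it arrives in a URL-encoded form post.
SAMPLE_URLENCODED = "PD94bWwgdmVyc2lvbg%3D%3D"

def normalize_saml_assertion(raw: str) -> str:
    """Return the SAMLResponse as plain base64 suitable for the CLI.

    Raises ValueError if the value is still not base64 or does not decode to XML.
    """
    s = raw.strip()
    if "%" in s:                       # percent-encoded copy of the POST parameter
        s = unquote(s)
    # Assumption: base64 never contains spaces, so a space can only be a '+' that a
    # form decoder turned into a space; other whitespace is IdP line wrapping.
    s = s.replace(" ", "+")
    s = "".join(s.split())
    try:
        decoded = base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"not valid base64: {exc}") from exc
    if not decoded.lstrip().startswith((b"<?xml", b"<saml")):
        raise ValueError("decoded SAMLResponse is not a SAML XML document")
    return s

def decoded_prefix(raw: str, n: int = 16) -> bytes:
    """First n bytes of the decoded assertion, handy for a quick sanity check."""
    return base64.b64decode(normalize_saml_assertion(raw))[:n]

def is_valid_saml_b64(raw: str) -> bool:
    try:
        normalize_saml_assertion(raw)
        return True
    except ValueError:
        return False
```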

Integrate Laravel with AWS cognito

I configured an AWS Cognito user pool a few months ago and connected it to a Node.js application; everything was perfect.
Now I want to connect Laravel to AWS Cognito. I followed the instructions in this article.
I get the following error:
Error executing "AdminInitiateAuth" on "https://cognito-idp.eu-west-1.amazonaws.com"; AWS HTTP error: Client error: `POST https://cognito-idp.eu-west-1.amazonaws.com` resulted in a `400 Bad Request` response:
{"__type":"UnrecognizedClientException","message":"The security token included in the request is invalid."}
UnrecognizedClientException (client): The security token included in the request is invalid. - {"__type":"UnrecognizedClientException","message":"The security token included in the request is invalid."}
I'm very sure the credentials are correct, but I get this error.
Is there any missing configuration in the article?
I've had the same 'problem' following the same article. I've fixed it by verifying my credentials in the .env:
AWS_COGNITO_KEY=
AWS_COGNITO_SECRET=
These are the Access Keys of the IAM user:
https://github.com/black-bits/laravel-cognito-auth#cognito-user-pool

AWS Access Key error when uploading to S3

I am trying to upload a file to an Amazon S3 bucket but am receiving the following error:
Error message The AWS Access Key Id you provided does not exist in our records.
http status code 403
awsError code InvalidAccessKeyId
Error type Client
request id EBE24FB4C8A92069
reject by AmazonServiceExceptions
Error message The AWS Access Key Id you provided does not exist in our records.
http status code 403
awsError code InvalidAccessKeyId
Error type Client
request id 64332CFB941E77EC
Download File
reject by reason
Error message The AWS Access Key Id you provided does not exist in our records.
http status code 403
awsError code InvalidAccessKeyId
Error type Client
request id ACA453705B9C4813
The error message says:
The AWS Access Key Id you provided does not exist in our records.
API calls to AWS require credentials to validate your identity. This is normally an Access Key and a Secret Key. The error is indicating that you have an invalid Access Key.
You can obtain the Access Key for your User from the IAM Console.
See: Understanding and Getting Your Security Credentials