Every aws command fails with different errors without --profile flag - amazon-web-services

Disclaimer: I do have variable AWS_PROFILE set to default and echo $AWS_PROFILE does return default.
However though, my simple aws commands are failing if I do not pass --profile flag with it.
For example,
if I do aws2 s3 ls, then it fails with error : An error occurred (InvalidToken) when calling the ListBuckets operation: The provided token is malformed or otherwise invalid.
when I do, aws2 ec2 describe-instances, it fails with error An error occurred (AuthFailure) when calling the DescribeInstances operation: AWS was not able to validate the provided access credentials
even though message is different, the underlying problem is same. If I do aws2 s3 ls --profile default then it works fine, same with aws2 ec2 describe-instances command.
I have no idea how to not need the --profile flag even though I do have AWS_PROFILE set.
my credentials file look like following:
[default]
aws_access_key_id = AKIA****
aws_secret_access_key = VpR***
My config file looks like following:
[default]
region = us-west-1
output = json
I have set following two enviroment variables:
AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. Also, Ihave echoed their values back and made sure that the values are same exact as in credentials file.
any ideas?

Use unset AWS_PROFILE to remove profile plag.
Run aws configure to update the credential
Make sure your machine time is correct.

The profile referenced by AWS_PROFILE is invalid or expired. Your default profile is valid. That is why you see the error behavior. Check all credentials via cat ~/.aws/configure and remove or correct any that are invalid.

Related

InvalidClientTokenId error aws when trying to get caller identity

hi I am unable to run this command aws sts get-caller-identity.
when I do sudo nano ~/.aws/credentials I can only locate this
[default]
aws_access_key_id = my_id
aws_secret_access_key = my_secret_id
and after doing successful steps of command aws configure when I am doing aws sts get-caller-identity I am getting this error
An error occurred (InvalidClientTokenId) when calling the GetCallerIdentity operation: The security token included in the request is invalid.
any reason which could cause this ?
Sometimes this kind of issues are caused by another credential configuration.
Environment variables credential configuration takes prority over credentials config file.
So in case there are present the environment variables "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY" or "AWS_SESSION_TOKEN" these could generate issues if it were missconfigured or have been expired.
Try checking the env vars associated to AWS Credentials and removing them using the 'unset' command in linux.
Additionally, to remove env vars permanently you need to remove the lines related on configuration files like:
/etc/environment
/etc/profile
~/.profile
~/.bashrc
Reference:
Configuration settings and precedence
I had my default region disabled by default (eu-south-1), so I had to enable it via the Web console at first, then it worked.

I need to use aws_session_token with puppetlabs-aws

At my work, when using aws cli we use aws_session_token. I don't see anything in puppetlabs-aws support for aws_session_token. Any ideas?
AWS_SESSION_TOKEN is usually used when you're obtaining temporary credentials from AWS security token service (STS). This is usually when you make the call to Assume a role. So a lot of this depends on how you've got your command line set up:
If you are explcitly calling assume role like this:
aws sts assume-role --role-arn "arn:aws:iam::123456789012:role/RoleToAssume" --role-session-name AWSCLI-Session
You should get back a response with three variables:
AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY
AWS_SESSION_TOKEN
You should just be able to export each of these as environment variables and then run puppet apply.
If you are not explicitly calling assume role and are using instance profiles, puppet should automatically find these 3 variables.
If you are calling assume role via AWS_PROFILES in your ~/.aws/config then it should just be sufficient to run puppet apply after setting the AWS_PROFILE environment variable.
You may also want to consider using the newer puppetlabs amazon_aws module which superseeds puppetlabs/aws.

Empty result from aws configure get aws_access_key_id

I currently have an AWS cli profile set up that I can query using the below powershell command:
aws configure list --profile <ProfileName>
This returns the expected info about profile name, access_key and so on.
However, when trying to get just the access key, I get nothing back. The command I am running is aws configure get aws_access_key_id --profile <ProfileName>
What could be the cause of this?
aws iam list-access-keys
Try to use this command. It should work.

UnrecognizedClientException error when authenticating on aws-cli

When I pull a clean Alphine Linux Docker image, install aws-cli on it and try to authenticate myself with aws ecr get-authorization-token --region eu-central-1 I keep getting the following error:
An error occurred (UnrecognizedClientException) when calling the
GetAuthorizationToken operation: The security token included in the
request is invalid.
I've already checked the timezone which seem to be okay, and the command works properly on my local machine.
These are the commands I run to set up aws-cli:
apk add --update python python-dev py-pip
pip install awscli --upgrade
export AWS_ACCESS_KEY_ID=XXXXXXXXXXXXXXXXXXXX
export AWS_SECRET_ACCESS_KEY=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Is there something obvious I'm missing?
You don't have permission to access those resources until you get permission to aws-cli, for that you can use the below steps.
Log into your AWS account, click on your account name, select my security credentials, click on access keys and download the credentials
Open your PowerShell as administrator and follow the commands.
$ aws configure
$ AWS Access Key ID [****************E5TA]=xxxxxxxxxx
$ AWS Secret Access Key [****************7gNT]=xxxxxxxxxxxxxx
It was an access issue after all! Turns out that if you create a new IAM user with full admin access it can't by default access the ECR registry you created using a different account. Using the IAM credentials from that other account resolved the issue.
In my case, my ~/.aws/credentials file had an old aws_session_token that was not updated by the aws configure CLI command. Once I opened the file with vi ~/.aws/credentials and deleted the aws_session_token entry, I no longer encountered the UnrecognizedClientException. I'm guessing that the AWS CLI first gives priority to the aws_session_token over the aws access key id and aws secret access key when running AWS CLI commands, if aws_session_token is present in the ~/.aws/credentials file.
Create a new account with AmazonEC2ContainerRegistryFullAccess permission.
Add this account to the .credentials file like this:
[ecr-user]
aws_access_key_id = XXX
aws_secret_access_key = XXX
Then next use following command:
aws ecr get-login-password --profile ecr-user
What worked for me is:
on the first part of pipe add the param --profile < your-profile-name >
and after that in every ECR command you need to provide that parameter.
My issue was caused by the fact that I had inactivated my access key in the AWS IAM Management Console earlier as part of an exercise I was doing. Once I reactivated it, the problem was resolved.
(Make sure you're in the right AWS region, too.)
I had same error message however I was using session based AWS access . The solution is to add all the keys given by AWS including session token.
aws_access_key_id="your-key-id"
aws_secret_access_key="your-secret-access-key"
aws_session_token="your-session-token"
add it into ~/.aws/credentials for profile you are using .
After a couple of hours , this is my conclusion :
If you want to use AWS_PROFILE makes sure that the rest of AWS env vars are unset (NOT empty only ... MUST be UNSET).
profile=$AWS_PROFILE
unset $(printenv |grep AWS_ | cut -f1 -d"=");
export AWS_PROFILE=${profile};
Then :
# with aws cli >= 1.x
$(aws ecr get-login --no-include-email --region ${aws_region})
# with aws cli >= 2.x
registry=${aws_account_id}.dkr.ecr.${aws_region}.amazonaws.com
aws ecr get-login-password --region ${aws_region} | docker login --username AWS --password-stdin ${registry}
Resolved issue after following below:
Go to AWS IAM Management Console
Generate credential in section "Access keys (access key ID and secret access key)"
Run command aws configure and set same downloaded credentials in Cdrive-User-directory.aws\credentials
It wasn't working for me. Out of sheer desperation, I copied the lines starting with export and posted them in the terminal and pressed enter.
Thereafter I wrote aws configure and filled in the details from https://MYCOMPANY.awsapps.com/start#/ >> Account >> Clicked "Command line or programmatic access".
Default region name: eu-north-1
Default output format: text
And then the login succeeded. Don't ask my why.
open the file ~/.aws/credentials (or c:\Users\{user}\.aws\credentials on Windows)
It might look something like the following:
[default]
aws_access_key_id = XXXXX
aws_secret_access_key = XXXXX
aws_session_token = XXXXX
Update the aws_access_key_id and aws_secret_access_key with new values and remove the aws_session_token. You can also update aws_access_key_id and aws_secret_access_key via the aws configure command, but this doesn't remove the session token.
Try running echo $varname to see if the environment variables are set correctly:
echo $AWS_ACCESS_KEY_ID
echo $AWS_SECRET_ACCESS_KEY
echo $AWS_DEFAULT_REGION
If they are incorrectly set, run unset varname:
unset AWS_ACCESS_KEY_ID
unset AWS_SECRET_ACCESS_KEY
unset AWS_DEFAULT_REGION
In my case, the region I wanted to use was not enabled. Addressed by enabling it at Account > AWS Regions -> enable (and wait patiently for some minutes).
An update, --profile must be added, I solve this.

AWS CLI Unknown component: credential_provider

Ive been trying to setup an aws lambda function for a while now but seem to just keep running into this error. I've followed the basic tutorial and setup everything exactly as it is in the guide for the user I have. But no matter what I keep getting the Unknown component: credential_provider error when trying to do anything via the CLI. Has anyone else run into this or know of a more indepth/better tutorial for setting this up????
The examples show the call being made with a --profile parameter. In most cases you will just want to remove that. If you need to use a profile, then create one in your ~/.aws/config file and make sure the name you give it matches up with the name being used.
I found that I got this error when I told aws-cli to use a profile that didn't exist. (This can be through the --profile option or the AWS_DEFAULT_PROFILE environment variable.)
Check your .aws/config and .aws/credentials files.
Run aws config first, then execute aws lambda create-function ... without the option --profile.
I had the same issue then I realized the issue was because I only had a default profile in my ~/.aws/credentials. Open up the file and see what the profile name is on the first line. Then when you run the create-function you can do --profile <profile name goes here>
While running S3 commands using CLI I received the same error
Unknown component: credential_provider.
The command I ran was :
s3 sync s3://mybucket --region eu-central-1 --profile default
This error comes when I run this command as a sudo user.
So I would suggest run it without sudo. One more thing it does not work with any other user also like for user "test" it would give error :
A client error (AccessDenied) occurred when calling the ListObjects
operation: Access Denied
or something like this for any other cli utility.
It works with default user ubuntu. Login the machine with ubuntu user or change the user to ubuntu and then try running the same lamda function.