Jenkins Cloudformation plugin gives InValid Client Id error - amazon-web-services

I am trying to launch a cloudformation stack via the jenkins-cloudformation plugin from a template stored in git but I receive an error "Invalid Client Id" even though I give proper access_key and secret_key.
Besides, an appropriate IAM role is attached to the ec2 instance on which jenkins is running and the instance metadata is accessible to jenkins user.
And this error comes up irrespective of whether I pass secretKey, accessKey in jenkins configuration or not.
Can someone please guide me on where it's going wrong?
Error
Building in workspace /apps/jenkins/.jenkins/workspace/Cloudformation_Test
> /usr/bin/git rev-parse --is-inside-work-tree # timeout=10
Fetching changes from the remote Git repository
> /usr/bin/git config remote.origin.url https://xxxx.git # timeout=10
Fetching upstream changes from https://xxxx.git
> /usr/bin/git --version # timeout=10
using GIT_ASKPASS to set credentials Gitlab user webadmdeamon to perform CICD with Jenkins
> /usr/bin/git fetch --tags --progress https://xxx.get +refs/heads/*:refs/remotes/origin/*
> /usr/bin/git rev-parse refs/remotes/origin/master^{commit} # timeout=10
> /usr/bin/git rev-parse refs/remotes/origin/origin/master^{commit} # timeout=10
Checking out Revision 827b91075eb0ae5901b641a7588b9b5769ad2ce7 (refs/remotes/origin/master)
> /usr/bin/git config core.sparsecheckout # timeout=10
> /usr/bin/git checkout -f 827b91075eb0ae5901b641a7588b9b5769ad2ce7
Commit message: "Add new file"
> /usr/bin/git rev-list --no-walk 827b91075eb0ae5901b641a7588b9b5769ad2ce7 # timeout=10
Determining to create or update Cloud Formation stack: JenkinsCloudformationTest
Stack not found: JenkinsCloudformationTest. Reason: Detailed Message: The security token included in the request is invalid. (Service: AmazonCloudFormation; Status Code: 403; Error Code: InvalidClientTokenId; Request ID: be71618c-3027-11e9-8d00-45421bf87ce0)
Status Code: 403
Error Code: InvalidClientTokenId
Creating Cloud Formation stack: JenkinsCloudformationTest
Failed to create stack: JenkinsCloudformationTest. Reason: Detailed Message: The security token included in the request is invalid. (Service: AmazonCloudFormation; Status Code: 403; Error Code: InvalidClientTokenId; Request ID: be73364d-3027-11e9-8d00-45421bf87ce0)
Status Code: 403
Error Code: InvalidClientTokenId
Finished: FAILURE
EDIT:
I am able to create a stack using aws cli in the same ec2 instance and with the same user.

The log shows that your issue is authentication-related:
Reason: Detailed Message: The security token included in the request is invalid.
(Service: AmazonCloudFormation; Status Code: 403; Error Code: InvalidClientTokenId; Request
ID: be71618c-3027-11e9-8d00-45421bf87ce0)
Status Code: 403
Error Code: InvalidClientTokenId
The problem could be either a bug in the Jenkins plugin or (more likely) a problem with the keys you are providing to the plugin.
The source code for the plugin (code ref), meanwhile, appears to indicate that the plugin always tries to use the access keys you provide. If you leave the key fields blank I guess it tries empty strings as the keys. Thus, the IAM role attached to the instance is probably not relevant.
Note that the error you receive InvalidClientTokenId is documented here:
InvalidClientTokenId
The X.509 certificate or AWS access key ID provided does not exist in our records.
HTTP Status Code: 403
Now, you mention in your update that:
I am able to create a stack using aws cli in the same ec2 instance and with the same user.
So firstly, try that again, and then have a look in CloudTrail. Filter by EventName=CreateStack, and then you'll see something like this:
Is it really the same user and Access Key?
I suspect you're going to find that it isn't, and the fix for you will be to provide correct Access Keys. If not, let me know and we can consider other possibilities.
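One way to carry out the check the answer describes, as an added example that is not from the original thread: decode the output of `aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=CreateStack`, pull out the access key ID behind each successful CreateStack, and compare it with the key configured in Jenkins. The account ID, ARN and key IDs below are constructed placeholders, and the function names are my own.

```python
import json

# Constructed sample of what `aws cloudtrail lookup-events --lookup-attributes
# AttributeKey=EventName,AttributeValue=CreateStack` returns, trimmed to the
# fields this check needs. Account id, ARN and key id are placeholders.
SAMPLE_LOOKUP_OUTPUT = json.dumps({"Events": [{
    "EventName": "CreateStack",
    "CloudTrailEvent": json.dumps({
        "eventSource": "cloudformation.amazonaws.com",
        "eventName": "CreateStack",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::123456789012:user/cli-user",
                         "accessKeyId": "AKIAEXAMPLECLIUSER01"},
        "requestParameters": {"stackName": "JenkinsCloudformationTest"},
    }),
}]})


def callers_of(lookup_output, event_name="CreateStack"):
    """Return (arn, accessKeyId) for every event with the given name.

    CloudTrailEvent is itself a JSON string nested inside the lookup-events
    JSON, so it has to be decoded a second time.
    """
    callers = []
    for ev in json.loads(lookup_output).get("Events", []):
        record = json.loads(ev["CloudTrailEvent"])
        if record.get("eventName") != event_name:
            continue
        ident = record.get("userIdentity", {})
        callers.append((ident.get("arn"), ident.get("accessKeyId")))
    return callers


def classify_jenkins_key(lookup_output, jenkins_access_key):
    """Explain why the key Jenkins sends may differ from the one that worked.

    Returns one of: "empty", "temporary", "match", "mismatch".
    """
    if not jenkins_access_key:
        # Blank plugin field: the answer's reading of the plugin source is
        # that it then sends empty strings, which cannot authenticate.
        return "empty"
    if jenkins_access_key.startswith("ASIA"):
        # ASIA-prefixed ids are temporary STS credentials; they are only
        # valid together with their session token, which plain
        # accessKey/secretKey fields cannot carry.
        return "temporary"
    worked = {key for _, key in callers_of(lookup_output)}
    return "match" if jenkins_access_key in worked else "mismatch"
```

Feed it the real lookup-events output and the key ID from the Jenkins plugin configuration; anything other than "match" points at the credentials rather than the plugin.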

Related

Why I got Error loading state: Failed to open state file(GCP)?

I am new to GCP. I added a bucket:
gsutil mb -p chris02 gs://chris02-state-bucket
When I try to initialize the project:
terraform init
Initializing the backend...
Error loading state: Failed to open state file at gs://chris02-state-bucket/m3/gcs_state/default.tfstate: googleapi: got HTTP response code 403 with body: <?xml version='1.0' encoding='UTF-8'?><Error><Code>UserProjectAccountProblem</Code><Message>User project billing account not in good standing.</Message><Details>The billing account for the owning project is disabled in state absent</Details></Error>
These are the bucket permissions:
What else should I check?

AWS CDK: Error saving credentials: error storing credentials - err: exit status 1

Using AWS CDK, I am trying to deploy the Docker image with lambda function on AWS. And I am getting the following error.
[100%] fail: docker login --username AWS --password-stdin https://XXXXXXXXXXXX.dkr.ecr.us-east-1.amazonaws.com exited with error code 1: Error saving credentials: error storing credentials - err: exit status 1, out: `Post "http://ipc/registry/credstore-updated": dial unix /Users/my_mac/Library/Containers/com.docker.docker/Data/backend.sock: connect: connection refused`
❌ MyService (prj-development) failed: Error: Failed to publish one or more assets. See the error messages above for more information.
at publishAssets (/Users/my_mac/.npm/_npx/8365afa3375eae8d/node_modules/aws-cdk/lib/util/asset-publishing.ts:44:11)
at processTicksAndRejections (node:internal/process/task_queues:96:5)
at CloudFormationDeployments.publishStackAssets (/Users/my_mac/.npm/_npx/8365afa3375eae8d/node_modules/aws-cdk/lib/api/cloudformation-deployments.ts:464:7)
at CloudFormationDeployments.deployStack (/Users/my_mac/.npm/_npx/8365afa3375eae8d/node_modules/aws-cdk/lib/api/cloudformation-deployments.ts:339:7)
at CdkToolkit.deploy (/Users/my_mac/.npm/_npx/8365afa3375eae8d/node_modules/aws-cdk/lib/cdk-toolkit.ts:209:24)
at initCommandLine (/Users/my_mac/.npm/_npx/8365afa3375eae8d/node_modules/aws-cdk/lib/cli.ts:341:12)
Failed to publish one or more assets. See the error messages above for more information.
make: *** [deploy-local] Error 1
What can I do, please?
Before deployment, open the Docker app/daemon on your machine.

Aws-vault: Failed to get credentials - InvalidClientTokenId: The security token included in the request is invalid

When I use
aws-vault exec --no-session --debug role_name
I get:
2020/06/09 13:57:13 [keyring] Found item "aws-vault (default)"
aws-vault: error: exec: Failed to get credentials for role_name: InvalidClientTokenId: The security token included in the request is invalid.
status code: 403, request id: 05bf31bd-091e-4f18-83c5-7add3e1bccb8
First of all I thought about an incorrect password, but when I tried to enter an incorrect password on purpose, macOS asked again for the correct password.
I have the ~/.aws/config and ~/.aws/credentials with the correct setup.
Had the same error after rotating AWS credentials.
Deleted ~/Library/Keychains/aws-vault.keychain-db and executed aws-vault add default which created a new keychain and aws-vault started working again.
If you are on MacOS, you can probably edit the keychain directly.

sporadic 403 (Forbidden) errors with S3

We have a process that will download files from S3, make changes to the files, and then upload the updated file back to S3. This works fine 99+% of the time. However, it seems that there are transient issues with S3 that cause this to fail for short periods of time, generating 403 (Forbidden) responses.
For example, log entries from one such incident the other day
2018-05-02 19:01:19 INFO Downloaded file
2018-05-02 19:01:20 INFO Uploaded file
2018-05-02 19:01:20 INFO Updated key (renamed file)
2018-05-02 19:27:26 INFO Downloaded file
2018-05-02 19:27:26 ERROR Failed to download file, cause: com.amazonaws.services.s3.model.AmazonS3Exception: Forbidden (Service: Amazon S3; Status Code: 403; Error Code: 403 Forbidden; )
2018-05-02 19:27:26 INFO Downloaded file
2018-05-02 19:27:26 ERROR Failed to download file, cause: com.amazonaws.services.s3.model.AmazonS3Exception: Forbidden (Service: Amazon S3; Status Code: 403; Error Code: 403 Forbidden; )
2018-05-02 19:27:27 ERROR Failed to download file, cause: com.amazonaws.services.s3.model.AmazonS3Exception: Forbidden (Service: Amazon S3; Status Code: 403; Error Code: 403 Forbidden; )
2018-05-02 19:27:27 INFO Downloaded file
2018-05-02 19:27:27 INFO Uploaded file
2018-05-02 19:27:28 ERROR Failed to upload file, cause: com.amazonaws.services.s3.model.AmazonS3Exception: Forbidden (Service: Amazon S3; Status Code: 403; Error Code: 403 Forbidden; )
2018-05-02 19:27:28 INFO Downloaded file
2018-05-02 19:27:28 ERROR Failed to download file, cause: com.amazonaws.services.s3.model.AmazonS3Exception: Forbidden (Service: Amazon S3; Status Code: 403; Error Code: 403 Forbidden; )
2018-05-02 20:30:32 INFO Downloaded file
2018-05-02 20:30:32 ERROR Failed to download file, cause: com.amazonaws.services.s3.model.AmazonS3Exception: Forbidden (Service: Amazon S3; Status Code: 403; Error Code: 403 Forbidden; )
2018-05-02 20:30:32 INFO Downloaded file
2018-05-02 20:30:32 ERROR Failed to download file, cause: com.amazonaws.services.s3.model.AmazonS3Exception: Forbidden (Service: Amazon S3; Status Code: 403; Error Code: 403 Forbidden; )
2018-05-02 20:30:32 INFO Downloaded file
2018-05-02 20:30:33 INFO Uploaded file
These entries were all for the same file. It was successfully downloaded, modified and uploaded again. 30 minutes later, it took 4 attempts to download it, then the upload failed. 3 minutes after that, it took 3 attempts to download, then it was successfully uploaded.
We are using the AWS Java SDK client for this. Has anyone had a similar experience and figured out how to resolve it? Is it considered normal for S3 calls to fail occasionally even though the requests are valid?
I had similar issues with other cloud object providers, not with S3.
The solution taken was to handle the 403 response (log it to find any kind of pattern or concrete file object) and redo the request up to a maximum number of times.
Generally, upon the first 403 response, the second request was done, and received the 200 Ok.
In our case, the problems were solved after the provider applied updates to a few of the problematic nodes; it was a matter of updates. This can give you a clue on how to work around the inconsistency:
Try creating a different bucket. It might be a concrete bucket configuration bug on the AWS side. Move your files there, keep it under observation and check whether the 403 cases are reduced or even disappear.
Create a different bucket in another region (the closest, maybe); it can give you better clues about possible networking issues.
Use a different object storage. If the issue still arises, then most probably one of the modules you use is inconsistent with the current version/protocol of S3. Make sure you update any S3 or AWS wrapper library you use in your project to the latest version.
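The answer's approach of logging each 403 and redoing the request up to a fixed number of times, as an added example that is not from the original thread. The S3 client is a constructed stand-in that fails a chosen number of times and then succeeds, mirroring the bursts of 3 to 4 failed attempts per file in the question's log; the names are my own, not the AWS SDK's.

```python
import time


class S3Forbidden(Exception):
    """Constructed stand-in for AmazonS3Exception with status 403."""
    status_code = 403


class FlakyS3:
    """Constructed client: the first `fail_first` calls raise 403, then succeed."""

    def __init__(self, fail_first):
        self.fail_first = fail_first
        self.calls = 0

    def get_object(self, key):
        self.calls += 1
        if self.calls <= self.fail_first:
            raise S3Forbidden("Forbidden (Status Code: 403)")
        return b"contents of " + key.encode()


def with_403_retry(operation, max_attempts=5, base_delay=0.0, log=None):
    """Run operation(); on 403 retry with exponential backoff.

    Every failure is appended to `log` so recurring keys or time windows
    can be spotted later. A 403 that persists past max_attempts is
    re-raised: at that point it is a permission or credential problem,
    not a transient one, and retrying further only hides it.
    """
    log = log if log is not None else []
    for attempt in range(1, max_attempts + 1):
        try:
            return operation()
        except S3Forbidden as exc:
            log.append((attempt, str(exc)))
            if attempt == max_attempts:
                raise
            time.sleep(base_delay * (2 ** (attempt - 1)))


def download_with_retry(client, key, max_attempts=5):
    """Return (data, failure_log) for a download that tolerates 403 bursts."""
    log = []
    data = with_403_retry(lambda: client.get_object(key), max_attempts, 0.0, log)
    return data, log


def probe(fail_first, max_attempts=5):
    """Simulate a burst of `fail_first` 403s; report outcome and call count."""
    client = FlakyS3(fail_first)
    try:
        download_with_retry(client, "report.csv", max_attempts)
        return "recovered", client.calls
    except S3Forbidden:
        return "persistent", client.calls
```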

Cloudfoundry Error uaac add user - Access Denied

I managed to install cf on AWS EC2 following the guide http://docs.cloudfoundry.com/docs/running/deploying-cf/ec2/
After some tries, it seems that all is good, with curl api.subdomain.domain/info
returning as expected.
Then I went to the next step, creating a user with this guide: http://docs.cloudfoundry.com/docs/running/managing-cf/managing-users.html
1 - executed:
uaac target uaa.[your-domain].com
got as response:
Context: admin, from client admin
2 - executed:
uaac token client get admin -s [admin-client-secret]
got:
Context: admin, from client admin
When I try to execute
uaac user add [test-user] -p [test-password] --emails [testemail]
I get:
error response:
{
"error": "access_denied",
"error_description": "Access is denied"
}
*Note that the brackets hold valid values.
How can I fetch some info about this error, debug it in some way, or find out what is wrong?
I guess it might be a configuration problem.
Configure your UAA configuration file like this:
https://groups.google.com/a/cloudfoundry.org/forum/#!starred/vcap-dev/y_qcaCczSVw
https://groups.google.com/a/cloudfoundry.org/forum/#!topic/vcap-dev/eaH4c2OmDEQ