Running AWS CLI commands as ec2-user - amazon-web-services

I'm trying to use the AWS CLI for the first time, and I am doing it through PuTTY by SSHing to the EC2 instance.
I want to run a command like "aws ec2 authorize-security-group-ingress [options]"
But I get the following error: "A client error (UnauthorizedOperation) occurred when calling the AuthorizeSecurityGroupIngress operation: You are not authorized to perform this operation."
I believe that this is related to IAM user credentials. I have found out where to create IAM users, however I still don't understand how this helps me to execute this command when I'm logged into the server as ec2-user or root, or run the command through CRON.
I have done a fair amount of reading regarding the access controls on AWS in their documentation, but I seem to be missing something.
How can I allow the command to be executed from within the AWS instance?

The missing information I was looking for is the command: aws configure
http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html
$ aws configure
AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Default region name [None]: us-west-2
Default output format [None]: json

Related

aws broken AuthFailure on EC2

My aws is suddenly throwing errors everywhere since yesterday.
(On Windows Terminal, WSL2 Ubuntu.) A couple of days ago Terraform worked fine. So I know the AWS credentials are accurate, but to be sure I did
aws configure --profile mohit
Access Key ID [None]: aws_access_key_id
Secret Access Key [None]: default_secret_key
Default region name [None]: us-east-1
Default output format [None]: json
and executed
aws ec2 --profile mohit describe-instances --region ap-south-1
The IAM user has Administrator access, so that rules out permission issues.
Also, I tried a bunch of different regions; none worked.
An error occurred (AuthFailure) when calling the DescribeInstances operation: AWS was not able to validate the provided access credentials
This error is consistent.
AWS says time might be out of sync with amazon.
I tried the solution and this error popped up:
ntpdate[172]: the NTP socket is in use, exiting
Also
sudo service ntp stop
>> ntp: unrecognized service
and
Fatal error : adjtimex(0x8001) failed : Function not implemented
when trying to run chronyd on WSL2 Ubuntu.
How do I fix this?
UPDATE :
I checked my BIOS and the clock was off by 5 min there as well (I would love to know the reason), so I manually set it to time.gov UTC.
Problem solved, but the reason is still unknown!

InvalidClientTokenId when calling get-caller-identity on an AWS EC2 instance with instance profile

We're having an issue where we're on a CentOS EC2 instance that is using a role through an attached instance profile. When we're on the console after SSHing in, we run the python awscli command line tool to get our identity:
$ aws sts get-caller-identity
we're getting
An error occurred (InvalidClientTokenId) when calling the GetCallerIdentity operation: The security token included in the request is invalid
other commands, such as aws ec2 describe-instances work and are allowed by the instance profile.
From reading the AWS documentation, no permissions should be required to get-caller-identity and there's no explicit deny set on the role associated with instance.
We checked and there's no .aws/credentials file and no env variables set, so access should be entirely managed through the metadata service on the EC2 instance.
Is there something missing in our setup or invocation of the awscli that might cause the permission to fail?
Just documenting the fix for anyone that runs into this issue.
All calls to the awscli should probably include a --region <region> parameter.
E.g.
$ aws sts get-caller-identity --region us-east-2
We were prompted for the region on our aws ec2 describe-instances call but on the aws sts get-caller-identity call, it just failed.
Additionally, we found that the AWS_REGION environment variable didn't seem to affect calls: we still needed to include the --region <region> parameter.

How to set the user for the AWS CLI

After installing awscli (the AWS command line tool), when I try to run it, I get this message in the terminal:
$ aws dynamodb describe-table --table-name MyTable
An error occurred (AccessDeniedException) when calling the DescribeTable operation:
User: arn:aws:iam::213352837455:user/someuser is not authorized to
perform: dynamodb:DescribeTable on resource: arn:aws:dynamodb:ap-northeast-1:213352837455:table/MyTable
$
But I don't know why I am considered logged as someuser at this moment (in the terminal in particular, but even in AWS).
someuser is only one of the few users I have set on AWS, a while ago.
What is the way to get logged in as the right user, to use awscli?
If you are running the AWS Command-Line Interface (CLI) on an Amazon EC2 instance that has been assigned a role, then the CLI can use the permissions associated with that role.
If you are not running on an EC2 instance, then you can provide credentials via a credentials file (~/.aws/credentials) or an environment variable.
The easiest way to configure the credentials is:
$ aws configure
See: Configuring the AWS CLI
Maybe your old credentials are still stored in ~/.aws.
Log in with correct credentials
aws configure
For more info, see Configuring the AWS CLI in the official documentation.

How to run aws configure on Amazon AWS EC2 automatically without interaction without prompt?

I'm trying to set up Amazon AWS EC2 instance to talk to s3. The basic command is
aws configure
then follow the prompt to enter
AWS Access Key ID [None]: my-20-digit-id
AWS Secret Access Key [None]: my-40-digit-secret-key
Default region name [None]: us-east-1
Default output format [None]: text
However, what I really want is to have the command
aws configure
automatically without interaction, i.e., no prompt and wait for input
I know there are files at
~/.aws/credentials
~/.aws/config
where I put those 4 key=value pairs. And the "credentials" file looks like
[default]
aws_secret_access_key = my-40-digit-secret-key
aws_access_key_id = my-20-digit-id
while the "config" file looks like
[default]
region = us-east-1
output = text
However, with those files at ~/.aws/, I go into ~/.aws/, and at the command line I type and enter the command
aws configure
I still got the prompt to ask me
AWS Access Key ID [None]:
AWS Secret Access Key [None]:
Default region name [None]:
Default output format [None]:
If I don't enter valid values at prompt, I won't be able to connect to s3, for example via command
aws s3 ls s3://mybucket
I turned for help to the Amazon AWS documentation pages. This page mentions this option
"Command line options – region, output format and profile can be specified as command options to override default settings."
as the first option for aws configure
https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html
However, it didn't mention how to use the command line options. I tried something like this
aws configure --region us-east-1
but I still got
AWS Access Key ID [None]:
AWS Secret Access Key [None]:
Default region name [None]:
Default output format [None]:
exactly like I have no option of "--region us-east-1"
If I try to
aws configure --aws_access_key_id my-20-digit-id --aws_secret_access_key my-40-digit-secret-key --region us-east-1
I get this
usage: aws [options] <command> <subcommand> [parameters]
aws: error: argument subcommand: Invalid choice, valid choices are:
How can I run the command
aws configure
automatically, no prompt, no interaction.
Please help! TIA
Edit and response to helloV, as the format in main post is much clearer than comment.
I tried the command helloV mentioned, but I got error
aws configure set aws_access_key_id my-20-digit-id
usage: aws [options] <command> <subcommand> [parameters]
aws: error: argument subcommand: Invalid choice, valid choices are:
Thanks though.
Continue on "aws configure set"
On another EC2 instance where I've already set connection to s3, I enter
aws configure set region us-east-1
runs and returns to command prompt ">"
aws configure set aws_access_key_id my-20-digit-id
runs and returns to command prompt ">"
aws configure set aws_secret_access_key my-40-digit-secret-key
runs and returns to command prompt ">"
aws configure
runs but comes with prompts and waits for interaction
AWS Access Key ID [****************ABCD]:
AWS Secret Access Key [****************1234]:
Default region name [us-east-1]:
Default output format [text]:
helloV:
here is what my screen looks like
ubuntu#ip-11111:~/.aws$ more config
[default]
region = us-east-1
output = text
ubuntu#ip-11111:~/.aws$ more credentials
[default]
aws_secret_access_key = my-40-digit-secret-key
aws_access_key_id = my-20-digit-id
ubuntu#ip-11111:~/.aws$ aws s3 ls s3://
I got this
Unable to locate credentials. You can configure credentials by running "aws configure".
After this, I run
aws configure list
      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                <not set>             None    None
access_key                <not set>             None    None
secret_key                <not set>             None    None
    region                us-east-1      config_file    ~/.aws/config
Looks like it does not check ~/.aws/credentials file, but ~/.aws/config file is in the list.
These commands worked for me. If this doesn't work for you, try doing it the first time using the interactive mode, aws configure.
aws --profile default configure set aws_access_key_id "my-20-digit-id"
aws --profile default configure set aws_secret_access_key "my-40-digit-secret-key"
I figured it out, finally. Use export such as
export AWS_ACCESS_KEY_ID=my-20-digit-id
export AWS_SECRET_ACCESS_KEY=my-40-digit-secret-key
export AWS_DEFAULT_REGION=us-east-1
then run
aws s3 ls s3://
would work. Don't run "aws configure" as others mentioned.
Thank you all.
You describe the file very well. Why not just create a file and put it in the right place? I just tried... it's exactly the same as running aws configure
UPDATE: You mention that you want to access S3 from an EC2 instance. In this case you shouldn't be using credentials at all. You should use Roles instead.
The solution is that you actually don't have to run aws configure! After you run it for the first time and have established the credentials (~/.aws/credentials) and config (~/.aws/config), going forward you simply have to run the required aws command. I tested this with a cron job and did an "aws s3 ls" command and it worked without having to provide a configure command before it.
Follow this command
$ aws configure set aws_access_key_id default_access_key
$ aws configure set aws_secret_access_key default_secret_key
$ aws configure set default.region us-west-2
or
aws configure set aws_access_key_id <key_id> && aws configure set aws_secret_access_key <key> && aws configure set default.region us-east-1
For more details use this link
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configure/set.html
I use something like this:
aws configure --profile my-profile-name <<-EOF > /dev/null 2>&1
${AWS_ACCESS_KEY_ID}
${AWS_SECRET_ACCESS_KEY}
${AWS_REGION}
text
EOF
Also, to clean up after an automated process without removing the ~/.aws/ directory (since some other credentials might be stored there), I run:
aws configure --profile my-profile-name <<-EOF > /dev/null 2>&1
null
null
null
text
EOF
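
Added example, not part of any post above: the answers in these threads all turn on which credential source the CLI actually picks up (environment variables, ~/.aws/credentials, ~/.aws/config, or the instance role). The script reports the first static source present in the CLI's lookup order, checks that the credentials file is not readable by group or others, and classifies a key ID by its prefix; the function names and the temp-dir sample files are constructed for illustration.

```shell
#!/usr/bin/env bash
# has_key FILE SECTION: succeed if [SECTION] in FILE sets aws_access_key_id.
has_key() {
    [ -f "$1" ] || return 1
    awk -v want="[$2]" '
        /^[ \t]*\[/ { gsub(/^[ \t]+|[ \t]+$/, ""); insec = ($0 == want); next }
        insec && /^[ \t]*aws_access_key_id[ \t]*=/ { found = 1 }
        END { exit !found }' "$1"
}

# credential_source [DIR]: first static source the CLI would use, in its lookup
# order: environment, DIR/credentials, DIR/config. "none" means no static keys
# in these sources, so on EC2 the CLI falls through to the instance profile.
credential_source() {
    local dir="${1:-$HOME/.aws}" profile="${AWS_PROFILE:-default}" section
    if [ -n "${AWS_ACCESS_KEY_ID:-}" ]; then echo environment; return; fi
    if has_key "$dir/credentials" "$profile"; then echo credentials-file; return; fi
    section="profile $profile"   # config uses [profile NAME], except for [default]
    if [ "$profile" = default ]; then section=default; fi
    if has_key "$dir/config" "$section"; then echo config-file; return; fi
    echo none
}

# private_mode FILE: succeed if group and other have no permission bits (e.g. 0600).
private_mode() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# key_kind ID: AKIA = long-term IAM user key, ASIA = temporary STS key.
key_kind() {
    case "$1" in
        AKIA*) echo long-term ;;
        ASIA*) echo temporary ;;
        *)     echo unknown ;;
    esac
}

# Demo on a constructed ~/.aws layout in a temp dir (key ID is the AWS docs sample).
demo() {
    local d; d=$(mktemp -d)
    ( umask 077; printf '[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n' > "$d/credentials" )
    printf '[default]\nregion = us-east-1\n' > "$d/config"
    echo "source=$(AWS_ACCESS_KEY_ID='' AWS_PROFILE='' credential_source "$d")"
    private_mode "$d/credentials" && echo "credentials file is private"
    echo "kind=$(key_kind AKIAIOSFODNN7EXAMPLE)"
    rm -rf "$d"
}
demo
```

On an EC2 instance with a role attached, the expected result of credential_source is none; any other value means static keys are taking precedence over the instance profile.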

AWS DynamoDb local - asks for region

I am working through the examples and I simply can't list the tables like in the given CLI example.
My cli parameters
java -Djava.library.path=./DynamoDBLocal_lib -jar DynamoDBLocal.jar -inMemory
aws dynamodb list-tables --endpoint-url http://localhost:8000
Then it always asks me for a region and points me to "aws configure". When I entered nothing in the credentials and local as region I get:
Unable to locate credentials. You can configure credentials by running "aws configure".
What am I doing wrong? I just want to play around locally to get more familiar with the CLI interface before I use the cloud itself. Bugs me a bit that I can't get it to work.
Thanks for any hints!
When running DynamoDB local, you don't need valid keys, but do put a valid region. For example, when running aws configure put any key for aws access key id, any key for aws secret access key and type us-east-1 or us-west-1 etc for regions.
Try running the command again; it should work.