I am attempting to setup AWS with an Elastic Beanstalk instance I have previously created. I have entered the various details into the config file, however when I try to use aws.push I get the error message
Updating the AWS Elastic Beanstalk environment x-xxxxxx...
Error: Failed to get the Amazon S3 bucket name
I have checked the credentials in IAM and have full administrator privileges. When I run eb status show green I get the following message:
InvalidClientTokenId. The security token included in the request is invalid.
Run aws configure again, and re-enter your credentials.
It's likely you're using old (disabled or deleted) access/secret keys, or you accidentally swapped the access key with the secret key.
For me is was that my system clock was off by more than 5 minutes. Updating the time fixed the issue.
Related
I was working on a E-commerce project ( for study ) and wanted to sync my webfiles from S3 to EC2.
I used this command in the Linux SSH session:
#6. download the FleetCart zip from s3 to the html directory on the ec2 instance
sudo aws s3 sync s3://deg-s3bucketwebfiles /var/www/html
Entering the command, I get the following error message:
-- > fatal error: Unable to locate credentials
Not sure, what is wrong ? I checked that there's a directory /var/www/html but somehow the files cannot be sync across to EC2.
Appreciate any guide.
Thanks
Unable to locate credentials means that the aws command is unable to locate any credentials on the EC2 instance. The credentials are used to identify you to AWS so it knows that you are entitled to access the deg-s3bucketwebfiles bucket.
Option 1: Use an IAM Role
Since you are using an Amazon EC2 instance, the correct way to provide credentials to the instance is to associate an IAM Role to the instance. The role would need permission to access S3.
Option 2: Use credentials from an IAM User
Alternatively, you can use credentials associated with your IAM User. Go to the IAM Console, select your IAM User and go to the Security Credentials tab. You will find a Create access key button.
It will provide an Access Key and a Secret Key. The Access Key starts with AKIA, while the Secret Key is a long jumble of characters.
Once you have these credentials, run this command on the EC2 instance:
aws configure
Provide the credentials when prompted.
I need to run the command aws s3 cp <filename> <bucketname> from an EC2 RHEL instance to copy a file from the instance to an S3 bucket.
When I run this command, I receive this error: An error occurred (ExpiredToken) when calling the PutObject operation: The provided token has expired
I also found that this same error occurs when trying to run many other CLI commands from the instance.
I do not want to change my IAM role because the command was previously working perfectly fine and IAM policy changes must go through an approval process. I have double checked the IAM role the instance is assuming and it still contains the correct configuration for allowing PutObject on the correct resources.
What can I do to allow AWS CLI commands to work again in my instance?
AWS API tokens are time-sensitive, and VMs in the cloud tend to suffer from clock drift.
Check that time is accurate on the RHEL instance, and use ntp servers to make sure any drift is regularly corrected.
I stored Firebase Admin SDK credential into elastic beanstalk env from amazon S3 on app's deployment according to the official AWS doc.
https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/https-storingprivatekeys.html
When Firebase Admin SDK tries to access the key it raises error.
PermissionError: [Errno 13] Permission denied: '/etc/pki/tls/certs/my_cert.json'
How can I setup make it work?
You need to perform 2 steps:
.ebextensions/privatekey.config as described in your doc url. You can check the beanstalk logs (of cfn-init logs if you can SSH) to verify if the .ebextensions script is executed correctly
The beanstalk should be able to access the S3 bucket where the keys are stored.
Point 2 in more detail:
The instance profile assigned to your environment's EC2 instances must have permission to read the key object from the specified bucket. Verify that the instance profile has permission to read the object in IAM, and that the permissions on the bucket and object do not prohibit the instance profile. You can test this by SSH'n inside the EC2 which belongs to the Beanstalk environment and execute: aws s3 ls s3://your-bucket/with-key. After that you can try to download the key. This is exactly the same what your ebextensions scripts tries to do. The ebextensions script will fail if it's not allowed to.
I seem to have problems running a command to verify that my credentials are configured correctly and that I can connect to AWS as stated here:https://docs.aws.amazon.com/cli/latest/userguide/tutorial-ec2-ubuntu.html:
When running:
$ aws ec2 describe-regions --output table
I get the following output:
An error occurred (AuthFailure) when calling the DescribeRegions
operation: AWS was not able to validate the provided access
credentials
What am I missing?
After installing the AWS CLI (on a fedora machine), I ran
$ aws configure
for AWS Access Key ID and AWS Secret Access Key:
I went to AWS website and created an IAM user.
For that user, I have gone to the security credentials tab and
I have created a new Access key, which is key value pair of Access key ID,Secret access key.
I have used those values for AWS Access Key ID and AWS Secret Access Key but I keep getting the above error message.
What am I missing? Thanks in advance.
You need to pass the profile parameter. This link from AWS has more details
I was able to install CLI on windows 16 AWS instance. when I try "aws ec2 describe-instances" CLI command, I get the following error
CLI command "describe-instances" throw error "An error occurred (AuthFailure) when calling the DescribeInstances operation: AWS was not able to validate the provided access credentials"
In .aws\config file I have following content:
[default]
region = us-west-2
How can authorization fail when it took my access key id and secret access key without any issue.
Verify if your datetime is sync ok.
use: ntpdate ntp.server
bests
I deleted my two configuration files from .aws directory and re-ran "aws config"
That fixed the problem for me.
My Steps:
Go to your .aws directory under Users e.g. "c:\Users\Joe\.aws"
Two files: configure and credential. Delete both files
Rerun configure: "aws configure"
Note when you run aws configure you will need the AWS Access and Secret Key. If you don't have them you can just create another.
Steps:
Goto "My Security Credentials" Under you Account Name in AWS Console.
Expand Access Key panel.
Create New Access Key.
When you first ran aws configure, it just populated the local credentials in %UserProfile%\.aws\credentials; it didn't validate them with AWS.
(aws-cli doesn't know what rights your user has until it tries to do an operation -- all of the access control happens on AWS's end. It just tries to do what you ask, and tells you if it doesn't have access, like you saw.)
That said, if you're running the CLI from an AWS instance, you might want to consider applying a role to that instance, so you don't have to store your keys on the instance.
My Access and Security keys are correct. My server time was good. I got error while using Ap-south-1 region. After I changed my region to us-west-2, it worked without any problem.
I tried setting that too on my windows environment. didn't work and getting error above.
so I tried setting my environment
SET AWS_ACCESS_KEY_ID=YOUR_ACCESS_KEY
SET AWS_SECRET_ACCESS_KEY=***YOUR_SECRET_ACCESS_KEY*
and then tried running command like "aws ec2 describe-instance"
I tried many things. Finally, just uninstalling and installing again (not repairing) did the trick. Just make sure to save a copy of your credentials (key and key ID) to use later when calling aws configure.