not able to launch EC2/VPC via terraform - amazon-ec2

I am trying to integrate Terraform with AWS. The AWS CLI is configured, I do have admin and complete EC2 access, and I have configured the Terraform/AWS plugins.
I can create an EC2/VPC from the console or from the AWS CLI, but when I try to invoke it through Terraform I get an authorization error like the one below.
I tried decoding the error message and adding debug logging, but no luck. Any help would be great! Thanks.
action=DescribeAccountAttributes&AttributeName.1=supported-platforms&Version=2016-11-15
-----------------------------------------------------: timestamp=2022-05-05T17:49:28.788-0500
2022-05-05T17:49:29.160-0500 [DEBUG] provider.terraform-provider-aws_v4.12.1_x5: [aws-sdk-go] DEBUG: Response ec2/DescribeAccountAttributes Details:
---[ RESPONSE ]--------------------------------------
HTTP/1.1 403 Forbidden
Transfer-Encoding: chunked
022-05-05T17:49:29.160-0500 [DEBUG] provider.terraform-provider-aws_v4.12.1_x5: [aws-sdk-go] <?xml version="1.0" encoding="UTF-8"?>
<Response><Errors><Error><Code>UnauthorizedOperation</Code><Message>You are not authorized to perform this operation.</Message></Error></Errors><RequestID>e****</RequestID></Response>: timestamp=2022-05-05T17:49:29.160-0500
2022-05-05T17:49:29.160-0500 [DEBUG] provider.terraform-provider-aws_v4.12.1_x5: [aws-sdk-go] DEBUG: Validate Response ec2/DescribeAccountAttributes failed, attempt 0/25, error UnauthorizedOperation: You are not authorized to perform this operation.
status code: 403, request id: ea***: timestamp=2022-05-05T17:49:29.160-0500
2022-05-05T17:49:29.160-0500 [WARN] provider.terraform-provider-aws_v4.12.1_x5: Unable to get supported EC2 platforms: UnauthorizedOperation: You are not authorized to perform this operation.

You have to create a programmatic access user for Terraform.
Among others (e.g. scoped-ec2), you need to add the following statement to your user's IAM policy:
{
    "Sid": "AllowDescribeEC2Params",
    "Action": [ "ec2:DescribeAccountAttributes" ],
    "Effect": "Allow",
    "Resource": [ "*" ]
}

Related

Why can't I get my github action to run under the proper project when the workload identity is in another pool

I have 2 GCP projects, pool-infra and pool-dev. I use a GitHub Action to run a mvn command; the configuration looks like this...
- name: Authenticate with pure-infra project
  uses: 'google-github-actions/auth@v0.8.1'
  with:
    service_account: my@pool-infra.iam.gserviceaccount.com
    workload_identity_provider: projects/<pool-infra-id>/locations/global/workloadIdentityPools/....
    token_format: 'access_token'
    project_id: pure-platform-dev
- name: 'Set up Cloud SDK'
  uses: 'google-github-actions/setup-gcloud@v1'
  with:
    project_id: pool-app
- name: Run Package
  working-directory: my-service
  run: |
    gcloud config set project pool-app
    gcloud config get project
    mvn clean package jacoco:report
But I see an error that suggests the project ID is incorrect...
"errors": [
  {
    "domain": "usageLimits",
    "message": "Cloud SQL Admin API has not been used in project <pool-infra-num> before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/sqladmin.googleapis.com/overview?project=<pool-infra-num> then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.",
    "reason": "accessNotConfigured",
    "extendedHelp": "https://console.developers.google.com"
  }
],
I would expect those project nums to be for pool-app not infra. What am I missing? How do I properly set the project for the mvn project?
This is coming from the JDBC connection pool when it tries to connect.

unable to upgrade MarkLogic Data Hub Framework using Gradle

I am trying to follow the recommendation to upgrade the DHF using Gradle, but I am running into an issue that I cannot get my head around.
The build succeeds but the redeployment fails.
Any idea how to fix this?
Note that the login info is provided properly in gradle.properties.
> Task :hubDeploySecurity FAILED
Task ':hubDeploySecurity' is not up-to-date because:
Task has not declared any outputs despite executing actions.
Deploying app DHF with config dirs: [/src/main/hub-internal-config, /src/main/ml-config]
Executing command [com.marklogic.appdeployer.command.security.DeployPrivilegesCommand] with sort order [5]
Will read and merge resource files in each config path before saving any resources
Processing files in directory: /src/main/hub-internal-config/security/privileges
Checking to see if Configuration Management API is available at: /manage/v3
Sending JSON POST request as user 'tkadmin' (who should have the 'manage-admin' and 'security' roles) to path: /manage/v3
Error occurred while sending POST request to /manage/v3; logging request body to assist with debugging: {}
Processing file: /src/main/hub-internal-config/security/privileges/dhf-internal-data-hub.json
Processing file: /src/main/hub-internal-config/security/privileges/dhf-internal-entities.json
Processing file: /src/main/hub-internal-config/security/privileges/dhf-internal-mappings.json
Processing file: /src/main/hub-internal-config/security/privileges/dhf-internal-trace-ui.json
Processing files in directory: /src/main/ml-config/security/privileges
Checking to see if Configuration Management API is available at: /manage/v3
Sending JSON POST request as user 'tkadmin' (who should have the 'manage-admin' and 'security' roles) to path: /manage/v3
Error occurred while sending POST request to /manage/v3; logging request body to assist with debugging: {}
Merging payloads that reference the same resource
Checking to see if Configuration Management API is available at: /manage/v3
Sending JSON POST request as user 'tkadmin' (who should have the 'manage-admin' and 'security' roles) to path: /manage/v3
Error occurred while sending POST request to /manage/v3; logging request body to assist with debugging: {}
Checking for existence of resource: dhf-internal-data-hub
Sending XML GET request as user 'tkadmin' (who should have the 'manage-admin' and 'security' roles) to path: /manage/v2/privileges
Logging HTTP response body to assist with debugging: {"errorResponse": {"statusCode":401,
"status":"Unauthorized",
"message":"401 Unauthorized"
}
}
:hubDeploySecurity (Thread[Execution worker for ':',5,main]) completed. Took 0.01 secs.
FAILURE: Build failed with an exception.
* What went wrong:
Execution failed for task ':hubDeploySecurity'.
> 401 Unauthorized: [{"errorResponse": {"statusCode":401,
"status":"Unauthorized",
"message":"401 Unauthorized"
}
}]
Assuming you have followed the DHF upgrade matrix:
https://docs.marklogic.com/datahub/5.2/upgrade.html
You probably ran Gradle with an incorrect Admin interface & Security user. As such, the hubUpdate REST API requests will fail.
Try the below and see if it works:
Step 2
gradle hubUpdate -i -PmlUsername=admin -PmlPassword={admin-password} -Penvironment={env-name}
Step 4
gradle mlRedeploy -i -PmlUsername=admin -PmlPassword={admin-password} -Penvironment={env-name}

Is The Gradle Artifactory Plugin Supposed To Use A Plain Text Or Encrypted Password?

When I click "Set Me Up" in Artifactory it generates a gradle.properties file something like this:
artifactory_user=my_artifactory_user
artifactory_password=WAklvc9LXWDsVcoVILbKyebkQG5uBxos6rIrmi8HjMTB3xicLJbxstmEQwRwIoGN6pBnK3T91I
artifactory_contextUrl=https://artifactory.company.com/artifactory
However, when I run ./gradlew artifactoryDeploy I get this error:
> Task :artifactoryDeploy FAILED
Could not build the build-info object.
org.jfrog.build.util.VersionException: Error occurred while requesting version information: Response message: {
"errors" : [ {
"status" : 401,
"message" : "Bad credentials"
} ]
}
...
stacktrace
...
FAILURE: Build failed with an exception.
* What went wrong:
Execution failed for task ':artifactoryDeploy'.
> java.io.IOException: Could not publish build-info: Error occurred while requesting version information: Response message: {
"errors" : [ {
"status" : 401,
"message" : "Bad credentials"
} ]
}
I'm confused because Artifactory is generating this encrypted password but the docs use an example with plain text.
https://www.jfrog.com/confluence/display/JFROG/Working+With+Gradle#WorkingwithGradle-ConfiguringGradle
Is the artifactory_password supposed to be encrypted like this or is it supposed to be plain text?
The artifactory_password parameter can be used for:
clear text passwords
encrypted passwords
API key
If you are getting a Bad credentials error, one of the possible reasons is using an encrypted password when Artifactory is configured with Password Encryption Policy set to Unsupported (not respecting encrypted passwords).
A few things you can do to debug this issue:
Verify the Password Encryption Policy is set to Supported or Required (requires admin) in Administration -> Security -> Settings.
Test the user and password by calling the REST API with a client such as cURL. Make sure you use an API method which requires an authenticated user.

AWS EC2 linux console tools not working with EC2 permissions

I've spent hours and I found no solution.
I got the latest Debian marketplace image running and try to use the "aws" tools from command line.
I created an IAM user and gave the user every single permission available, including poweruser, ec2 full access, administrator.
aws ec2 describe-addresses
A client error (AuthFailure) occurred when calling the DescribeAddresses operation: AWS was not able to validate the provided access credentials
However I can use all non EC2 parts.
I can do any "aws iam" command, no issues at all.
I could create a user and give it any access rights, but I may not list instances!
This is not an authentication error..
The date is NTP synced; however, as "aws iam" commands all work perfectly, it's not an API issue.
I am at the end of my wits. There is no permission left I could give that user.
I tried different access keys, same situation.
I tried waiting for an hour, no luck.
Here is the EC2 Full access role the user has:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "ec2:*",
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "elasticloadbalancing:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "cloudwatch:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "autoscaling:*",
            "Resource": "*"
        }
    ]
}
Managed using the AWS web console.
I think you were hitting your EIP limit. I was updating a CloudFormation stack yesterday and was getting the error..
AccessDenied. User doesn't have permission to call ec2:DescribeAddresses
..even though I was running with full admin rights. Turned out the error was a red herring and the problem was I was hitting my EIP limit. Requested an EIP limit increase and that fixed it.
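Two of the threads on this page turn on what an IAM policy actually grants: the Terraform answer says the user needs an explicit `ec2:DescribeAccountAttributes` allow, and the thread above shows a policy with `ec2:*` that still got an access-denied style error. The following is an added example, not code from either thread: an offline evaluator for identity-based policies that answers "does this policy allow this action?" so the policy can be ruled in or out before looking elsewhere (quotas, credentials). It assumes statements use `Action` with `Resource: "*"` and no `Condition`, so ARN scoping and conditions are not modelled; the `SCOPED_EC2` policy and its action list are constructed for illustration, the `AllowDescribeEC2Params` statement is the one from the Terraform answer, and `FULL_EC2` is the first statement of the policy quoted above.

```python
"""Offline check of which actions an IAM identity policy allows.

Added example, not from either thread. Models the core of IAM evaluation for
identity policies: an explicit Deny beats every Allow; otherwise an action is
allowed only if some Allow statement's Action pattern matches it. Matching is
case-insensitive with IAM's '*' and '?' wildcards. Assumed out of scope:
NotAction, resource ARNs other than "*", and Condition blocks.
"""
import fnmatch
import json


def _as_list(value):
    """IAM allows Statement/Action to be a single item or a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # Action names compare case-insensitively; '*' and '?' are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def evaluate(policy, action):
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for one action name."""
    decision = "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        if "Action" not in stmt:
            raise ValueError("only Action-based statements are modelled here")
        if not any(_action_matches(p, action) for p in _as_list(stmt["Action"])):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny always wins
        decision = "Allow"
    return decision


def missing_actions(policy, required):
    """Actions from `required` that the policy does not allow."""
    return [a for a in required if evaluate(policy, a) != "Allow"]


# Constructed: a scoped policy that grants the EC2 actions a plan/apply needs
# but forgets the DescribeAccountAttributes call the provider makes on startup
# (the 403 in the Terraform thread). The action list is illustrative only.
SCOPED_EC2 = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowVpcAndInstances", "Effect": "Allow",
         "Action": ["ec2:CreateVpc", "ec2:RunInstances",
                    "ec2:DescribeVpcs", "ec2:DescribeInstances"],
         "Resource": "*"},
    ],
}

# The statement the Terraform answer says to add, verbatim.
DESCRIBE_PARAMS_STATEMENT = {
    "Sid": "AllowDescribeEC2Params",
    "Action": ["ec2:DescribeAccountAttributes"],
    "Effect": "Allow",
    "Resource": ["*"],
}

# First statement of the "EC2 Full access" policy quoted in the question
# above: ec2:* matches every EC2 action, so an error on ec2:DescribeAddresses
# under it is not a missing permission.
FULL_EC2 = json.loads('{"Version": "2012-10-17", "Statement": ['
                      '{"Action": "ec2:*", "Effect": "Allow", "Resource": "*"}]}')


def terraform_gap():
    """Actions the scoped policy lacks for a minimal Terraform EC2 run (illustrative list)."""
    required = ["ec2:DescribeAccountAttributes", "ec2:CreateVpc", "ec2:RunInstances"]
    return missing_actions(SCOPED_EC2, required)


def patched_policy():
    """SCOPED_EC2 with the answer's statement appended (deep copy, original untouched)."""
    patched = json.loads(json.dumps(SCOPED_EC2))
    patched["Statement"].append(DESCRIBE_PARAMS_STATEMENT)
    return patched


if __name__ == "__main__":
    print("scoped policy is missing:", terraform_gap())
    print("after adding the Sid, missing:",
          missing_actions(patched_policy(), ["ec2:DescribeAccountAttributes"]))
    print("full-access policy, ec2:DescribeAddresses:", evaluate(FULL_EC2, "ec2:DescribeAddresses"))
```

When the evaluator says `Allow` for the failing action, as it does for `ec2:DescribeAddresses` under `ec2:*`, the policy is not the cause and the next things to check are the credentials being presented and service quotas such as the EIP limit mentioned above. For the real thing, including conditions and resource ARNs, AWS's own `aws iam simulate-principal-policy --policy-source-arn <user-arn> --action-names ec2:DescribeAccountAttributes` gives the authoritative answer.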

Packer Error: "amazon-ebs: Error querying AMI: AuthFailure"

I'm trying to create the packer build seen here: https://www.packer.io/intro/getting-started/build-image.html
PS C:\dev\tutorials\packer> packer build -var 'aws_access_key=AKI---------' -var 'aws_secret_key==+---------------------------------------' example.json
amazon-ebs output will be in this color.
==> amazon-ebs: Prevalidating AMI Name...
==> amazon-ebs: Error querying AMI: AuthFailure: AWS was not able to validate the provided access credentials
==> amazon-ebs: status code: 401, request id: []
Build 'amazon-ebs' errored: Error querying AMI: AuthFailure: AWS was not able to validate the provided access credentials
status code: 401, request id: []
==> Some builds didn't complete successfully and had errors:
--> amazon-ebs: Error querying AMI: AuthFailure: AWS was not able to validate the provided access credentials
status code: 401, request id: []
==> Builds finished but no artifacts were created.
I've tried giving my user the AmazonEC2FullAccess policy in AWS.
Is my command correct?
I am on windows 8, using powershell.
Thank you for your help @MathiasR.Jessen.
The credentials come in a credentials.csv file. I opened this file with Excel, clicked column C2 and copied the value there. This is an issue because excel prepends an equals sign at the beginning of the value box :/
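The root cause above is a copy-paste artefact: a secret key beginning with `+` is read by a spreadsheet as a formula and displayed as `=+...`, and that leading `=` then reaches Packer (visible as `aws_secret_key==+...` in the command). The following is an added example, not code from the question or answer: it reads `credentials.csv` with the `csv` module instead of a spreadsheet and validates the key pair's shape before building the `packer build` arguments. Assumptions: the CSV carries the column headers `Access key ID` and `Secret access key` (the layout of the file the IAM console downloads); the key formats (20-character ID starting with `AKIA`/`ASIA`, 40-character secret) are AWS's long-term access key formats; the sample values are AWS's documentation placeholder keys with the secret altered to begin with `+`.

```python
"""Parse an IAM credentials.csv and validate the key pair before handing it to
Packer, instead of copying cells out of a spreadsheet.

Added example, not from the thread. A spreadsheet treats a cell starting with
'+' as a formula and shows it as '=+...'; the leading '=' is what produced the
AuthFailure above. Assumed CSV headers: "Access key ID", "Secret access key".
"""
import csv
import io
import re

# Long-term access key IDs: 20 chars starting with AKIA (ASIA for temporary
# keys). Secret access keys: 40 chars from the base64 alphabet.
ACCESS_KEY_ID_RE = re.compile(r"^(AKIA|ASIA)[A-Z0-9]{16}$")
SECRET_KEY_RE = re.compile(r"^[A-Za-z0-9/+]{40}$")


def validate_credentials(access_key_id, secret_key):
    """Return a list of human-readable problems; an empty list means the pair looks well-formed."""
    problems = []
    checks = (("access key ID", access_key_id, ACCESS_KEY_ID_RE),
              ("secret key", secret_key, SECRET_KEY_RE))
    for name, value, pattern in checks:
        if value != value.strip():
            problems.append(f"{name} has surrounding whitespace")
        # A value that is valid once a leading '=' is removed is the spreadsheet case.
        if value.startswith("=") and pattern.match(value[1:]):
            problems.append(f"{name} starts with '=' (spreadsheet formula artefact)")
        elif not pattern.match(value):
            problems.append(f"{name} has unexpected length or characters ({len(value)} chars)")
    return problems


def load_credentials_csv(text):
    """Parse the IAM console's credentials.csv; return (access_key_id, secret_key)."""
    rows = list(csv.DictReader(io.StringIO(text)))
    if len(rows) != 1:
        raise ValueError(f"expected exactly one credential row, found {len(rows)}")
    row = rows[0]
    return row["Access key ID"].strip(), row["Secret access key"].strip()


def packer_vars(access_key_id, secret_key):
    """Build the -var arguments for `packer build`, refusing a malformed pair."""
    problems = validate_credentials(access_key_id, secret_key)
    if problems:
        raise ValueError("; ".join(problems))
    return ["-var", f"aws_access_key={access_key_id}",
            "-var", f"aws_secret_key={secret_key}"]


# Constructed sample file. Values are AWS's documentation placeholders, with the
# secret changed to begin with '+' so that a spreadsheet would mangle it.
SAMPLE_CSV = ("Access key ID,Secret access key\n"
              "AKIAIOSFODNN7EXAMPLE,+wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKE\n")

# The same secret as it appears after copying it out of a spreadsheet cell.
SPREADSHEET_SECRET = "=+wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKE"

if __name__ == "__main__":
    key_id, secret = load_credentials_csv(SAMPLE_CSV)
    print("read from csv:", validate_credentials(key_id, secret) or "ok")
    print("copied from spreadsheet:", validate_credentials(key_id, SPREADSHEET_SECRET))
    # Only the argument count is printed so the secret never lands in a terminal log.
    print("packer -var arguments built:", len(packer_vars(key_id, secret)))
```

Running this on a file produced by the IAM console is enough to catch the leading `=` (and stray quotes or whitespace) before the first `AuthFailure`; the check is deliberately shape-only and never sends the key anywhere.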
