
AWS InvalidClientTokenId Errors / Error: Skipping disabled region..

Open Mike-OSPN opened this issue 3 years ago • 2 comments

Hi, I'm seeing the errors "Error: Skipping disabled region eu-west-2..." (for any region) and "/var/lib/gems/2.7.0/gems/aws-sdk-core-3.117.0/lib/seahorse/client/plugins/raise_response_errors.rb:17:in `call': The security token included in the request is invalid. (Aws::IAM::Errors::InvalidClientTokenId)" (entire output below).

  1. Where/how can I enable/disable regions?
  2. Regarding InvalidClientTokenId: I'm running the script with two IAM users (one in the root/CloudTrail account, one in the Lambda/"to be scanned" account). Both IAM users have AdministratorAccess.

My .aws/credentials file looks like this:

[account_to_be_scanned]
aws_access_key_id = **to-be-scanned-account
aws_secret_access_key = ***to-be-scanned-account
region = eu-west-1

[root_account]
aws_access_key_id = ***root-account
aws_secret_access_key = ***root-account
region = eu-west-1

I'm exporting these variables:

export REGION=eu-west-1
export CSV_PATH="myexport.csv"
export BUCKET=my-cloudtrail-bucket
export BUCKET_REGION=eu-west-1
export SCAN_PROFILE=account_to_be_scanned
export LAMBDA_PROFILE=root_account
export LAMBDA_REGION=eu-west-1
export ACCESS_KEY_ID="*****to-be-scanned-account***"
export SECRET_ACCESS_KEY="******to-be-scanned-account***"

then invoking the script:

./retro_tag.rb \
  --csv "$CSV_PATH" \
  --bucket $BUCKET \
  --bucket-region $BUCKET_REGION \
  --scan-profile "$SCAN_PROFILE" \
  --lambda-profile "$LAMBDA_PROFILE" \
  --lambda-region $LAMBDA_REGION \
  --scan-access-key-id=ACCESS_KEY_ID \
  --scan-secret-access-key=SECRET_ACCESS_KEY

(note: without the last two options, it's not running at all)

Here is the entire output:

Importing from /home/it-services/RetroTag/retro-tag/myexport.csv (1.42 MiB)...completed in 0 seconds. The AwsResource::VpnGateway.get_resources cache file is too old, scanning aws... The AwsResource::VpnConnection.get_resources cache file is too old, scanning aws... The AwsResource::VpcSubnet.get_resources cache file is too old, scanning aws... The AwsResource::VpcRouteTable.get_resources cache file is too old, scanning aws... The AwsResource::VpcPeering.get_resources cache file is too old, scanning aws... The AwsResource::VpcNetworkAcl.get_resources cache file is too old, scanning aws... The AwsResource::VpcNatGateway.get_resources cache file is too old, scanning aws... The AwsResource::VpcInternetGateway.get_resources cache file is too old, scanning aws... The AwsResource::VpcEni.get_resources cache file is too old, scanning aws... The AwsResource::Vpc.get_resources cache file is too old, scanning aws... Error: Skipping disabled region af-south-1... Error: Skipping disabled region af-south-1... Error: Skipping disabled region af-south-1... Error: Skipping disabled region af-south-1... Error: Skipping disabled region af-south-1... Error: Skipping disabled region af-south-1... Error: Skipping disabled region af-south-1... Error: Skipping disabled region af-south-1... Error: Skipping disabled region af-south-1... Error: Skipping disabled region af-south-1... Error: Skipping disabled region ap-east-1... Error: Skipping disabled region ap-east-1... Error: Skipping disabled region ap-east-1... Error: Skipping disabled region ap-east-1... Error: Skipping disabled region ap-east-1... Error: Skipping disabled region ap-east-1... Error: Skipping disabled region ap-east-1... Error: Skipping disabled region ap-east-1... Error: Skipping disabled region ap-east-1... Error: Skipping disabled region ap-east-1... Error: Skipping disabled region ap-northeast-1... Error: Skipping disabled region ap-northeast-1... Error: Skipping disabled region ap-northeast-1... 
Error: Skipping disabled region ap-northeast-1... Error: Skipping disabled region ap-northeast-1... Error: Skipping disabled region ap-northeast-1... Error: Skipping disabled region ap-northeast-1... Error: Skipping disabled region ap-northeast-1... Error: Skipping disabled region ap-northeast-1... Error: Skipping disabled region ap-northeast-1... Error: Skipping disabled region ap-northeast-2... Error: Skipping disabled region ap-northeast-2... Error: Skipping disabled region ap-northeast-2... Error: Skipping disabled region ap-northeast-2... Error: Skipping disabled region ap-northeast-2... Error: Skipping disabled region ap-northeast-2... Error: Skipping disabled region ap-northeast-2... Error: Skipping disabled region ap-northeast-2... Error: Skipping disabled region ap-northeast-2... Error: Skipping disabled region ap-northeast-2... Error: Skipping disabled region ap-northeast-3... Error: Skipping disabled region ap-northeast-3... Error: Skipping disabled region ap-northeast-3... Error: Skipping disabled region ap-northeast-3... Error: Skipping disabled region ap-northeast-3... Error: Skipping disabled region ap-northeast-3... Error: Skipping disabled region ap-northeast-3... Error: Skipping disabled region ap-northeast-3... Error: Skipping disabled region ap-northeast-3... Error: Skipping disabled region ap-northeast-3... Error: Skipping disabled region ap-south-1... Error: Skipping disabled region ap-south-1... Error: Skipping disabled region ap-south-1... Error: Skipping disabled region ap-south-1... Error: Skipping disabled region ap-south-1... Error: Skipping disabled region ap-south-1... Error: Skipping disabled region ap-south-1... Error: Skipping disabled region ap-south-1... Error: Skipping disabled region ap-south-1... Error: Skipping disabled region ap-south-1... Error: Skipping disabled region ap-southeast-1... Error: Skipping disabled region ap-southeast-1... Error: Skipping disabled region ap-southeast-1... 
Error: Skipping disabled region ap-southeast-1... Error: Skipping disabled region ap-southeast-1... Error: Skipping disabled region ap-southeast-1... Error: Skipping disabled region ap-southeast-1... Error: Skipping disabled region ap-southeast-1... Error: Skipping disabled region ap-southeast-1... Error: Skipping disabled region ap-southeast-1... Error: Skipping disabled region ap-southeast-2... Error: Skipping disabled region ap-southeast-2... Error: Skipping disabled region ap-southeast-2... Error: Skipping disabled region ap-southeast-2... Error: Skipping disabled region ap-southeast-2... Error: Skipping disabled region ap-southeast-2... Error: Skipping disabled region ap-southeast-2... Error: Skipping disabled region ap-southeast-2... Error: Skipping disabled region ap-southeast-2... Error: Skipping disabled region ap-southeast-2... Error: Skipping disabled region ca-central-1... Error: Skipping disabled region ca-central-1... Error: Skipping disabled region ca-central-1... Error: Skipping disabled region ca-central-1... Error: Skipping disabled region ca-central-1... Error: Skipping disabled region ca-central-1... Error: Skipping disabled region ca-central-1... Error: Skipping disabled region ca-central-1... Error: Skipping disabled region ca-central-1... Error: Skipping disabled region ca-central-1... Error: Skipping disabled region eu-central-1... Error: Skipping disabled region eu-central-1... Error: Skipping disabled region eu-central-1... Error: Skipping disabled region eu-central-1... Error: Skipping disabled region eu-central-1... Error: Skipping disabled region eu-central-1... Error: Skipping disabled region eu-central-1... Error: Skipping disabled region eu-central-1... Error: Skipping disabled region eu-central-1... Error: Skipping disabled region eu-central-1... Error: Skipping disabled region eu-north-1... Error: Skipping disabled region eu-north-1... Error: Skipping disabled region eu-north-1... Error: Skipping disabled region eu-north-1... 
Error: Skipping disabled region eu-north-1... Error: Skipping disabled region eu-north-1... Error: Skipping disabled region eu-north-1... Error: Skipping disabled region eu-north-1... Error: Skipping disabled region eu-north-1... Error: Skipping disabled region eu-north-1... Error: Skipping disabled region eu-south-1... Error: Skipping disabled region eu-south-1... Error: Skipping disabled region eu-south-1... Error: Skipping disabled region eu-south-1... Error: Skipping disabled region eu-south-1... Error: Skipping disabled region eu-south-1... Error: Skipping disabled region eu-south-1... Error: Skipping disabled region eu-south-1... Error: Skipping disabled region eu-south-1... Error: Skipping disabled region eu-south-1... Error: Skipping disabled region eu-west-1... Error: Skipping disabled region eu-west-1... Error: Skipping disabled region eu-west-1... Error: Skipping disabled region eu-west-1... Error: Skipping disabled region eu-west-1... Error: Skipping disabled region eu-west-1... Error: Skipping disabled region eu-west-1... Error: Skipping disabled region eu-west-1... Error: Skipping disabled region eu-west-1... Error: Skipping disabled region eu-west-1... Error: Skipping disabled region eu-west-2... Error: Skipping disabled region eu-west-2... Error: Skipping disabled region eu-west-2... Error: Skipping disabled region eu-west-2... Error: Skipping disabled region eu-west-2... Error: Skipping disabled region eu-west-2... Error: Skipping disabled region eu-west-2... Error: Skipping disabled region eu-west-2... Error: Skipping disabled region eu-west-2... Error: Skipping disabled region eu-west-2... Error: Skipping disabled region eu-west-3... Error: Skipping disabled region eu-west-3... Error: Skipping disabled region eu-west-3... Error: Skipping disabled region eu-west-3... Error: Skipping disabled region eu-west-3... Error: Skipping disabled region eu-west-3... Error: Skipping disabled region eu-west-3... Error: Skipping disabled region eu-west-3... 
Error: Skipping disabled region eu-west-3... Error: Skipping disabled region eu-west-3... Error: Skipping disabled region me-south-1... Error: Skipping disabled region me-south-1... Error: Skipping disabled region me-south-1... Error: Skipping disabled region me-south-1... Error: Skipping disabled region me-south-1... Error: Skipping disabled region me-south-1... Error: Skipping disabled region me-south-1... Error: Skipping disabled region me-south-1... Error: Skipping disabled region me-south-1... Error: Skipping disabled region me-south-1... Error: Skipping disabled region sa-east-1... Error: Skipping disabled region sa-east-1... Error: Skipping disabled region sa-east-1... Error: Skipping disabled region sa-east-1... Error: Skipping disabled region sa-east-1... Error: Skipping disabled region sa-east-1... Error: Skipping disabled region sa-east-1... Error: Skipping disabled region sa-east-1... Error: Skipping disabled region sa-east-1... Error: Skipping disabled region sa-east-1... Error: Skipping disabled region us-east-1... Error: Skipping disabled region us-east-1... Error: Skipping disabled region us-east-1... Error: Skipping disabled region us-east-1... Error: Skipping disabled region us-east-1... Error: Skipping disabled region us-east-1... Error: Skipping disabled region us-east-1... Error: Skipping disabled region us-east-1... Error: Skipping disabled region us-east-1... Error: Skipping disabled region us-east-1... Error: Skipping disabled region us-east-2... Error: Skipping disabled region us-east-2... Error: Skipping disabled region us-east-2... Error: Skipping disabled region us-east-2... Error: Skipping disabled region us-east-2... Error: Skipping disabled region us-east-2... Error: Skipping disabled region us-east-2... Error: Skipping disabled region us-east-2... Error: Skipping disabled region us-east-2... Error: Skipping disabled region us-east-2... Error: Skipping disabled region us-west-1... Error: Skipping disabled region us-west-1... 
Error: Skipping disabled region us-west-1... Error: Skipping disabled region us-west-1... Error: Skipping disabled region us-west-1... Error: Skipping disabled region us-west-1... Error: Skipping disabled region us-west-1... Error: Skipping disabled region us-west-1... Error: Skipping disabled region us-west-1... Error: Skipping disabled region us-west-1... Error: Skipping disabled region us-west-2... Total AwsResource::VpcSubnet.get_resources: 0 The AwsResource::SecurityGroup.get_resources cache file is too old, scanning aws... Error: Skipping disabled region us-west-2... Total AwsResource::VpcInternetGateway.get_resources: 0 The AwsResource::S3Bucket.get_resources cache file is too old, scanning aws... Error: Skipping disabled region us-west-2... Total AwsResource::VpnGateway.get_resources: 0 Error: Skipping disabled region us-west-2... Total AwsResource::VpcRouteTable.get_resources: 0 Error: Skipping disabled region us-west-2... Total AwsResource::VpnConnection.get_resources: 0 The AwsResource::LambdaFunction.get_resources cache file is too old, scanning aws... The AwsResource::OpsWorks.get_resources cache file is too old, scanning aws... Error: Skipping disabled region us-west-2... Total AwsResource::VpcEni.get_resources: 0 The AwsResource::IamRole.get_resources cache file is too old, scanning aws... The AwsResource::Rds.get_resources cache file is too old, scanning aws... Error: Skipping disabled region us-west-2... Total AwsResource::VpcNetworkAcl.get_resources: 0 The AwsResource::IamUser.get_resources cache file is too old, scanning aws... Error: Skipping disabled region us-west-2... Total AwsResource::VpcNatGateway.get_resources: 0 Error: Skipping disabled region us-west-2... Total AwsResource::Vpc.get_resources: 0 The AwsResource::ElasticLoadBalancingV2.get_resources cache file is too old, scanning aws... The AwsResource::ElasticMapReduce.get_resources cache file is too old, scanning aws... Error: Skipping disabled region us-west-2... 
Total AwsResource::VpcPeering.get_resources: 0 The AwsResource::ElasticLoadBalancing.get_resources cache file is too old, scanning aws... Error: Skipping disabled region us-east-1... Total AwsResource::S3Bucket.get_resources: 0 The AwsResource::Eip.get_resources cache file is too old, scanning aws... #<Thread:0x000055ea66c9c358 ./retro_tag.rb:162 run> terminated with exception (report_on_exception is true): Traceback (most recent call last): 13: from ./retro_tag.rb:168:in `block (2 levels) in

' 12: from /home/it-services/RetroTag/retro-tag/auto_tag/aws_mixin.rb:19:in `write_cache_file' 11: from /home/it-services/RetroTag/retro-tag/aws_resource/default.rb:55:in `get_resources' 10: from /home/it-services/RetroTag/retro-tag/aws_resource/default.rb:55:in `each' 9: from /home/it-services/RetroTag/retro-tag/aws_resource/default.rb:61:in `block in get_resources' 8: from /var/lib/gems/2.7.0/gems/aws-sdk-iam-1.56.0/lib/aws-sdk-iam/client.rb:8226:in `list_roles' 7: from /var/lib/gems/2.7.0/gems/aws-sdk-core-3.117.0/lib/seahorse/client/request.rb:72:in `send_request' 6: from /var/lib/gems/2.7.0/gems/aws-sdk-core-3.117.0/lib/seahorse/client/plugins/response_target.rb:24:in `call' 5: from /var/lib/gems/2.7.0/gems/aws-sdk-core-3.117.0/lib/aws-sdk-core/plugins/response_paging.rb:12:in `call' 4: from /var/lib/gems/2.7.0/gems/aws-sdk-core-3.117.0/lib/seahorse/client/plugins/request_callback.rb:71:in `call' 3: from /var/lib/gems/2.7.0/gems/aws-sdk-core-3.117.0/lib/aws-sdk-core/plugins/param_converter.rb:26:in `call' 2: from /var/lib/gems/2.7.0/gems/aws-sdk-core-3.117.0/lib/aws-sdk-core/plugins/idempotency_token.rb:19:in `call' 1: from /var/lib/gems/2.7.0/gems/aws-sdk-core-3.117.0/lib/aws-sdk-core/plugins/jsonvalue_converter.rb:22:in `call' /var/lib/gems/2.7.0/gems/aws-sdk-core-3.117.0/lib/seahorse/client/plugins/raise_response_errors.rb:17:in `call': The security token included in the request is invalid. (Aws::IAM::Errors::InvalidClientTokenId) #<Thread:0x000055ea66c9c038 ./retro_tag.rb:162 run> terminated with exception (report_on_exception is true): Traceback (most recent call last): 13: from ./retro_tag.rb:168:in `block (2 levels) in
' 12: from /home/it-services/RetroTag/retro-tag/auto_tag/aws_mixin.rb:19:in `write_cache_file' 11: from /home/it-services/RetroTag/retro-tag/aws_resource/default.rb:55:in `get_resources' 10: from /home/it-services/RetroTag/retro-tag/aws_resource/default.rb:55:in `each' 9: from /home/it-services/RetroTag/retro-tag/aws_resource/default.rb:61:in `block in get_resources' 8: from /var/lib/gems/2.7.0/gems/aws-sdk-iam-1.56.0/lib/aws-sdk-iam/client.rb:9044:in `list_users' 7: from /var/lib/gems/2.7.0/gems/aws-sdk-core-3.117.0/lib/seahorse/client/request.rb:72:in `send_request' 6: from /var/lib/gems/2.7.0/gems/aws-sdk-core-3.117.0/lib/seahorse/client/plugins/response_target.rb:24:in `call' 5: from /var/lib/gems/2.7.0/gems/aws-sdk-core-3.117.0/lib/aws-sdk-core/plugins/response_paging.rb:12:in `call' 4: from /var/lib/gems/2.7.0/gems/aws-sdk-core-3.117.0/lib/seahorse/client/plugins/request_callback.rb:71:in `call' 3: from /var/lib/gems/2.7.0/gems/aws-sdk-core-3.117.0/lib/aws-sdk-core/plugins/param_converter.rb:26:in `call' 2: from /var/lib/gems/2.7.0/gems/aws-sdk-core-3.117.0/lib/aws-sdk-core/plugins/idempotency_token.rb:19:in `call' 1: from /var/lib/gems/2.7.0/gems/aws-sdk-core-3.117.0/lib/aws-sdk-core/plugins/jsonvalue_converter.rb:22:in `call' /var/lib/gems/2.7.0/gems/aws-sdk-core-3.117.0/lib/seahorse/client/plugins/raise_response_errors.rb:17:in `call': The security token included in the request is invalid. (Aws::IAM::Errors::InvalidClientTokenId) Traceback (most recent call last): 13: from ./retro_tag.rb:168:in `block (2 levels) in
' 12: from /home/it-services/RetroTag/retro-tag/auto_tag/aws_mixin.rb:19:in `write_cache_file' 11: from /home/it-services/RetroTag/retro-tag/aws_resource/default.rb:55:in `get_resources' 10: from /home/it-services/RetroTag/retro-tag/aws_resource/default.rb:55:in `each' 9: from /home/it-services/RetroTag/retro-tag/aws_resource/default.rb:61:in `block in get_resources' 8: from /var/lib/gems/2.7.0/gems/aws-sdk-iam-1.56.0/lib/aws-sdk-iam/client.rb:8226:in `list_roles' 7: from /var/lib/gems/2.7.0/gems/aws-sdk-core-3.117.0/lib/seahorse/client/request.rb:72:in `send_request' 6: from /var/lib/gems/2.7.0/gems/aws-sdk-core-3.117.0/lib/seahorse/client/plugins/response_target.rb:24:in `call' 5: from /var/lib/gems/2.7.0/gems/aws-sdk-core-3.117.0/lib/aws-sdk-core/plugins/response_paging.rb:12:in `call' 4: from /var/lib/gems/2.7.0/gems/aws-sdk-core-3.117.0/lib/seahorse/client/plugins/request_callback.rb:71:in `call' 3: from /var/lib/gems/2.7.0/gems/aws-sdk-core-3.117.0/lib/aws-sdk-core/plugins/param_converter.rb:26:in `call' 2: from /var/lib/gems/2.7.0/gems/aws-sdk-core-3.117.0/lib/aws-sdk-core/plugins/idempotency_token.rb:19:in `call' 1: from /var/lib/gems/2.7.0/gems/aws-sdk-core-3.117.0/lib/aws-sdk-core/plugins/jsonvalue_converter.rb:22:in `call' /var/lib/gems/2.7.0/gems/aws-sdk-core-3.117.0/lib/seahorse/client/plugins/raise_response_errors.rb:17:in `call': The security token included in the request is invalid. (Aws::IAM::Errors::InvalidClientTokenId)

Mike-OSPN, Aug 04 '21 11:08

Please read the AWS documentation on disabling regions, this is not related to this application but the AWS environment itself and is expected. https://docs.aws.amazon.com/general/latest/gr/rande-manage.html

Most regions cannot be disabled, but some are disabled by default, which is what you're seeing here. Other than that, make sure you gave your scan-profile IAM user the ReadOnly AWS managed policy.

ecout, Oct 11 '21 21:10

It looks like your keys just weren't working, you shouldn't need the scan_access_keys if you are setting the scan_profile.

I'm not sure what you mean by it won't run without those settings... please send the failure output if that is the case so we can troubleshoot.

rayjanoka, Feb 03 '22 05:02
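A pre-flight check covering both replies above, added here as an example and not part of retro-tag: it flags credential arguments that do not have the shape of real keys (the invocation in the report passes the bare names ACCESS_KEY_ID and SECRET_ACCESS_KEY without a leading "$", which is the kind of value AWS rejects with InvalidClientTokenId) and, when run live, confirms each profile with STS and lists the regions the account has not opted in to. The AWS CLI calls and the RETRO_TAG_PREFLIGHT_LIVE switch are assumptions; the sample keys used for testing are AWS's published example credentials, not real ones.

```shell
#!/usr/bin/env sh
# Pre-flight checks for a retro_tag.rb run like the one in this issue.
# Added example, not part of retro-tag. It catches the two things the
# thread points at: credential values that are not real keys (e.g. the
# variable name ACCESS_KEY_ID passed without a "$", which AWS answers with
# InvalidClientTokenId) and regions the account has not opted in to
# ("Skipping disabled region").

# Shape check only: an access key ID is AKIA/ASIA plus 16 upper-case
# alphanumerics. This never proves a key is valid, only that it is a key.
looks_like_access_key_id() {
  printf '%s' "$1" | grep -Eq '^(AKIA|ASIA)[A-Z0-9]{16}$'
}

# A secret access key is 40 characters of base64-style text.
looks_like_secret_key() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9/+]{40}$'
}

# Classify a credential argument ("id" or "secret"); prints one word and
# returns 0 only for "ok":
#   ok          value has the expected key shape
#   unexpanded  value is a bare variable name such as ACCESS_KEY_ID
#   malformed   anything else (truncated paste, placeholder, empty)
classify_credential() {
  kind=$1 value=$2
  if [ "$kind" = id ]; then
    looks_like_access_key_id "$value" && { echo ok; return 0; }
  else
    looks_like_secret_key "$value" && { echo ok; return 0; }
  fi
  if printf '%s' "$value" | grep -Eq '^[A-Z][A-Z0-9_]*$'; then
    echo unexpanded; return 1
  fi
  echo malformed; return 1
}

# Live checks (need the AWS CLI and network; not run by default).
# STS rejects the same bad token the SDK raised as InvalidClientTokenId,
# so this fails fast before retro_tag.rb spawns a thread per resource type.
verify_profile() {
  aws sts get-caller-identity --profile "$1" --query Arn --output text
}

# Regions reported as not-opted-in are the ones the tool logs as disabled;
# opt in via the account settings page (see the AWS doc linked above) or
# leave them skipped.
not_opted_in_regions() {
  aws ec2 describe-regions --all-regions --profile "$1" --region "$2" \
    --query "Regions[?OptInStatus=='not-opted-in'].RegionName" --output text
}

if [ "${RETRO_TAG_PREFLIGHT_LIVE:-0}" = 1 ]; then
  verify_profile "${SCAN_PROFILE:?}"
  verify_profile "${LAMBDA_PROFILE:?}"
  not_opted_in_regions "${SCAN_PROFILE:?}" "${REGION:?}"
fi
```

Run `classify_credential id "$ACCESS_KEY_ID"` before building the `--scan-access-key-id` argument, or drop the two explicit key options entirely and rely on `--scan-profile`, as the last reply suggests.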