icingaweb2-module-aws
Jobs failing when using AWS access keys
When using configured AWS access keys instead of roles, the request is failing with an unauthorised error. This only happens when configuring an import job. The keys work successfully when pressing the "check for changes" and "trigger import run" buttons. This is specific to configured keys only. If using role-based permissions, this works successfully; however, I need to access machines in a different account, so role-based permissions are not an option.
Stacktrace ...
This Import Source failed when last checked at 2020-05-06 11:10:57: Error executing "DescribeInstances" on "https://ec2.eu-west-1.amazonaws.com"; AWS HTTP error: Client error: `POST https://ec2.eu-west-1.amazonaws.com` resulted in a `401 Unauthorized` response: <?xml version="1.0" encoding="UTF-8"?> <Response><Errors><Error><Code>AuthFailure</Code><Message>Authorization header or (truncated...) AuthFailure (client): Authorization header or parameters are not formatted correctly. - <?xml version="1.0" encoding="UTF-8"?> <Response><Errors><Error><Code>AuthFailure</Code><Message>Authorization header or parameters are not formatted correctly.</Message></Error></Errors><RequestID>b9a0e1a3-dbbc-4287-8bc2-091b2763d242</RequestID></Response>
Expected Behavior
On the import run job, it should run the import and pull the new machines in.
Current Behavior
On the import run job, it's failing with the above error message.
Steps to Reproduce (for bugs)
1. Add the AWS programmatic keys to the server (user currently has readonly role for ec2 and rds assigned)
2. Create an import source (ec2 Instances, AWS key method selected, Region eu-west-1)
3. At this point test with the check for changes button that the keys are working correctly
4. Create a new job (Job type: Import, Disabled: No, Run interval: 60, Job Name: import ec2, Import source: <name of ec2 Import source>, Run import: yes/no both give error)
5. Wait for job to execute to see error message
Context
I cannot import machines located on other AWS accounts, as we work in a multi-account environment and need to be able to monitor machines from each account as the machines get added.
Your Environment
- Module version (System - About): 1.0.0
- Icinga Web 2 version and modules (System - About): 2.7.3
- Icinga 2 version (icinga2 --version): 2.11.3-1
- Operating System and version: CentOS Linux release 7.8.2003 (Core)
- Webserver, PHP versions: 7.1.30
Hello,
Any update on this issue? I have exactly the same error.
Thanks
Ok...
I think this issue appears only if you have multi-master nodes.
In the source code below, https://github.com/Icinga/icingaweb2-module-aws/blob/2494e4d3c4db39e674c9e547dd04d8f771322fb5/library/Aws/ProvidedHook/Director/ImportSource.php#L177, the aws_access_key description says there is a keys.ini file.
So, on your servers you can find this file there: /etc/icingaweb2/modules/aws/keys.ini
Copy this file to all of your master nodes. Be careful about directory and file permissions when you copy the file to other nodes. :+1:
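
A check that could be run on each master node after copying the file as the comment above suggests (added example, not part of the thread or of the module's code). The function names are hypothetical, and the rule that the key file must not be accessible to "other" is an assumption, not something the thread or module states.

```shell
#!/bin/sh
# Added example: audit the AWS key file on one Icinga master node.
# The path comes from the thread; the permission policy is an assumption.
KEYS_FILE_DEFAULT=/etc/icingaweb2/modules/aws/keys.ini

# audit_keys_file [FILE]
# Prints one status line and returns:
#   0 ok, 1 missing, 2 symlink or not a regular file,
#   3 unreadable by the current user, 4 accessible by "other"
audit_keys_file() {
    f=${1:-$KEYS_FILE_DEFAULT}
    if [ ! -e "$f" ] && [ ! -L "$f" ]; then
        echo "MISSING $f"; return 1
    fi
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "NOT_REGULAR $f"; return 2
    fi
    if [ ! -r "$f" ]; then
        echo "UNREADABLE $f"; return 3
    fi
    # First ten characters of ls -l output, e.g. -rw-r-----
    mode=$(ls -ld -- "$f" | cut -c1-10)
    other=$(printf '%s' "$mode" | cut -c8-10)
    if [ "$other" != "---" ]; then
        echo "WORLD_ACCESSIBLE $f $mode"; return 4
    fi
    echo "OK $f $mode"
}

# keys_digest [FILE]
# SHA-256 of the file, for comparing copies between master nodes
# without printing the secret itself (sha256sum from GNU coreutils).
keys_digest() {
    sha256sum < "${1:-$KEYS_FILE_DEFAULT}" | cut -d' ' -f1
}

# When invoked with a path argument, audit it and print its digest.
if [ "$#" -gt 0 ]; then
    audit_keys_file "$1" && keys_digest "$1"
fi
```

Run it as the user that executes the import job, since the readability check applies to the current user, and compare the printed digest across all masters.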
Ended up just dropping the director module completely, as there were a dozen other issues I had with it that just ended up taking up more time than not using it, so will leave this here for them to fix, but for the most part it is no longer in use on my side.