signal-setup-guide
AWS config error
Server Version : (Server v5.xx)
Client Version : (Android vX.XX.XX / iOS vX.XX.XX / Desktop vX.XX.XX)
Dependencies : (Twilio / AWS / Nginx / Apache / Self-Signed SSL Certificate / Docker / On Premise Redis / On Premise Postgresql /Turn)
Describe what are you trying to achieve
I'm trying to set up AWS AppConfig and AWS DynamoDB.
Describe the issue that you face
I've followed the latest guide published yesterday. I am stuck at setting up AWS AppConfig. I have read the documentation, and have created an application, environment and configuration. I got an error, which I've given in the log. However, I'm not experienced in AWS services and am having trouble understanding how to set up the EC2 IAM role and get the required permissions, which might be a reason for this error.
Describe the step to reproduce the errors
Logs
WARN [2021-05-20 14:00:12,260] com.amazonaws.util.EC2MetadataUtils: Unable to retrieve the requested metadata (/latest/dynamic/instance-identity/document). Failed to connect to service endpoint:
! java.net.SocketTimeoutException: connect timed out
! at java.base/java.net.PlainSocketImpl.socketConnect(Native Method)
! at java.base/java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:399)
! at java.base/java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:242)
! at java.base/java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:224)
! at java.base/java.net.Socket.connect(Socket.java:609)
! at java.base/sun.net.NetworkClient.doConnect(NetworkClient.java:177)
! at java.base/sun.net.www.http.HttpClient.openServer(HttpClient.java:474)
! at java.base/sun.net.www.http.HttpClient.openServer(HttpClient.java:569)
! at java.base/sun.net.www.http.HttpClient.<init>(HttpClient.java:242)
! at java.base/sun.net.www.http.HttpClient.New(HttpClient.java:341)
! at java.base/sun.net.www.http.HttpClient.New(HttpClient.java:362)
! at java.base/sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(HttpURLConnection.java:1253)
! at java.base/sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1232)
! at java.base/sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:1081)
! at java.base/sun.net.www.protocol.http.HttpURLConnection.connect(HttpURLConnection.java:1015)
! at com.amazonaws.internal.ConnectionUtils.connectToEndpoint(ConnectionUtils.java:52)
! at com.amazonaws.internal.EC2ResourceFetcher.doReadResource(EC2ResourceFetcher.java:80)
! ... 22 common frames omitted
! Causing: com.amazonaws.SdkClientException: Failed to connect to service endpoint:
! at com.amazonaws.internal.EC2ResourceFetcher.doReadResource(EC2ResourceFetcher.java:100)
! at com.amazonaws.internal.EC2ResourceFetcher.doReadResource(EC2ResourceFetcher.java:70)
! at com.amazonaws.internal.InstanceMetadataServiceResourceFetcher.readResource(InstanceMetadataServiceResourceFetcher.java:75)
! at com.amazonaws.internal.EC2ResourceFetcher.readResource(EC2ResourceFetcher.java:66)
! at com.amazonaws.util.EC2MetadataUtils.getItems(EC2MetadataUtils.java:403)
! at com.amazonaws.util.EC2MetadataUtils.getData(EC2MetadataUtils.java:372)
! at com.amazonaws.util.EC2MetadataUtils.getData(EC2MetadataUtils.java:368)
! at com.amazonaws.util.EC2MetadataUtils.getEC2InstanceRegion(EC2MetadataUtils.java:283)
! at com.amazonaws.regions.InstanceMetadataRegionProvider.tryDetectRegion(InstanceMetadataRegionProvider.java:59)
! at com.amazonaws.regions.InstanceMetadataRegionProvider.getRegion(InstanceMetadataRegionProvider.java:50)
! at com.amazonaws.regions.AwsRegionProviderChain.getRegion(AwsRegionProviderChain.java:46)
! at com.amazonaws.client.builder.AwsClientBuilder.determineRegionFromRegionProvider(AwsClientBuilder.java:475)
! at com.amazonaws.client.builder.AwsClientBuilder.setRegion(AwsClientBuilder.java:458)
! at com.amazonaws.client.builder.AwsClientBuilder.configureMutableProperties(AwsClientBuilder.java:424)
! at com.amazonaws.client.builder.AwsSyncClientBuilder.build(AwsSyncClientBuilder.java:46)
! at org.whispersystems.textsecuregcm.storage.DynamicConfigurationManager.<init>(DynamicConfigurationManager.java:49)
! at org.whispersystems.textsecuregcm.WhisperServerService.run(WhisperServerService.java:407)
! at org.whispersystems.textsecuregcm.WhisperServerService.run(WhisperServerService.java:206)
! at io.dropwizard.cli.EnvironmentCommand.run(EnvironmentCommand.java:59)
! at io.dropwizard.cli.ConfiguredCommand.run(ConfiguredCommand.java:98)
! at io.dropwizard.cli.Cli.run(Cli.java:78)
! at io.dropwizard.Application.run(Application.java:94)
! at org.whispersystems.textsecuregcm.WhisperServerService.main(WhisperServerService.java:641)
com.amazonaws.SdkClientException: Unable to find a region via the region provider chain. Must provide an explicit region in the builder or setup environment to supply a region.
at com.amazonaws.client.builder.AwsClientBuilder.setRegion(AwsClientBuilder.java:462)
at com.amazonaws.client.builder.AwsClientBuilder.configureMutableProperties(AwsClientBuilder.java:424)
at com.amazonaws.client.builder.AwsSyncClientBuilder.build(AwsSyncClientBuilder.java:46)
at org.whispersystems.textsecuregcm.storage.DynamicConfigurationManager.<init>(DynamicConfigurationManager.java:49)
at org.whispersystems.textsecuregcm.WhisperServerService.run(WhisperServerService.java:407)
at org.whispersystems.textsecuregcm.WhisperServerService.run(WhisperServerService.java:206)
at io.dropwizard.cli.EnvironmentCommand.run(EnvironmentCommand.java:59)
at io.dropwizard.cli.ConfiguredCommand.run(ConfiguredCommand.java:98)
at io.dropwizard.cli.Cli.run(Cli.java:78)
at io.dropwizard.Application.run(Application.java:94)
at org.whispersystems.textsecuregcm.WhisperServerService.main(WhisperServerService.java:641)
@jacob-pro could you help me here ?
I am facing the same issue, trying to solve it. I appreciate it if anyone can help with this.
Just to check - have you assigned an IAM role to the instance? (In the EC2 instances dashboard -> select the instance -> click Actions -> Security -> Modify IAM role.) Create a new role if you don't have one already.
In the IAM dashboard, go to Roles. Select the role associated with the instance and attach a permissions policy that has access to AppConfig.
For testing (don't do this in a production environment!) you could just give it the AdministratorAccess policy, which will allow the EC2 instance access to basically everything in your AWS account.
For actual use, go through the Create policy menu and create a policy that has access to AppConfig, but restricted to the environment / application name you are using for Signal.
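As an added example (not part of the thread or of the guide), a restricted identity policy of the kind described above could look like the following. It assumes the server reads its configuration through the AppConfig `GetConfiguration` API call; `REGION`, `ACCOUNT_ID`, `APPLICATION_ID`, `ENVIRONMENT_ID` and `CONFIGURATION_PROFILE_ID` are placeholders, and the `Sid` is an illustrative name.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOneSignalAppConfigProfile",
      "Effect": "Allow",
      "Action": "appconfig:GetConfiguration",
      "Resource": [
        "arn:aws:appconfig:REGION:ACCOUNT_ID:application/APPLICATION_ID",
        "arn:aws:appconfig:REGION:ACCOUNT_ID:application/APPLICATION_ID/environment/ENVIRONMENT_ID",
        "arn:aws:appconfig:REGION:ACCOUNT_ID:application/APPLICATION_ID/configurationprofile/CONFIGURATION_PROFILE_ID"
      ]
    }
  ]
}
```

AppConfig ARNs are built from the IDs that AppConfig assigns to the application, environment and configuration profile, not from their display names, so look the IDs up in the console before filling in the placeholders. Attach the policy to the instance's IAM role in place of AdministratorAccess.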
I have cross-checked: the permission was already set to AdministratorAccess on my AWS account (for development purposes only), but AWS credentials were not set correctly on the local machine. I have followed this link https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/setup-credentials.html to set them up correctly with the AWS region, but I still have the following error.
INFO [2021-05-20 18:01:59,435] com.amazonaws.internal.DefaultServiceEndpointBuilder: {appconfig, ap-south-1} was not found in region metadata, trying to construct an endpoint using the standard pattern for this region: 'appconfig.ap-south-1.amazonaws.com'.
WARN [2021-05-20 18:02:01,474] org.whispersystems.textsecuregcm.storage.DynamicConfigurationManager: Error retrieving initial dynamic configuration
! java.net.SocketTimeoutException: connect timed out
! at java.base/java.net.PlainSocketImpl.socketConnect(Native Method)
! at java.base/java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:399)
! at java.base/java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:242)
! at java.base/java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:224)
! at java.base/java.net.Socket.connect(Socket.java:609)
! at java.base/sun.net.NetworkClient.doConnect(NetworkClient.java:177)
! at java.base/sun.net.www.http.HttpClient.openServer(HttpClient.java:474)
! at java.base/sun.net.www.http.HttpClient.openServer(HttpClient.java:569)
! at java.base/sun.net.www.http.HttpClient.
There was an issue with the local configuration of AWS credentials, but it's working now by changing the constructor code given below.
public DynamicConfigurationManager(String application, String environment, String configurationName) {
  // Static access key pair passed straight to the client builder (placeholder values, as posted)
  this(AmazonAppConfigClient.builder()
          .withClientConfiguration(new ClientConfiguration().withClientExecutionTimeout(10000).withRequestTimeout(10000))
          .withCredentials(new AWSStaticCredentialsProvider(new BasicAWSCredentials("Access_key_ID", "Secret_access_key")))
          .build(),
      application, environment, configurationName, UUID.randomUUID().toString());
}
In theory you shouldn't have to make that change; the idea of AWS services is that you shouldn't have to manually enter credentials into each application instance. Instead, the instance has its own authentication profile that is retrieved by the SDK / client from the AWS metadata service. I was able to set it up in AWS without making any code changes to the DynamicConfigurationManager, by assigning a suitable IAM role to the EC2 instance.
I know the way I have done it is not correct. I will definitely investigate the profile issue at my end and will update soon.
@jacob-pro : I have an EC2 instance running with an IAM role, which has a policy that gives all access to AppConfig. Then, I set the AWS region environment variable as mentioned by @mohit-cachy. Now I'm getting the same error mentioned in https://github.com/madeindra/signal-setup-guide/issues/84#issuecomment-845377508.
I don't want to make changes to the code as he did. How do I fix this?
So in my setup I didn't have to set any environment variables or do any configuration at all inside the ec2 instance.
In my config.yml:
appConfig:
  application: test
  environment: test
  configuration: test
Which matches the setup in AppConfig:
And according to the logs it works fine - and the server continues starting up:
INFO [2021-05-25 09:48:30,969] com.amazonaws.internal.DefaultServiceEndpointBuilder: {appconfig, eu-west-2} was not found in region metadata, trying to construct an endpoint using the standard pattern for this region: 'appconfig.eu-west-2.amazonaws.com'.
INFO [2021-05-25 09:48:31,931] org.whispersystems.textsecuregcm.storage.DynamicConfigurationManager: Received new config version: 2
I am using Signal Server v5.80 with no code changes, and in the AWS eu-west-2 region