
role-based authentication fails in new AWS regions, including eu-central-1, ca-central-1 and others. #76

Closed
tavisma opened this issue Aug 3, 2016 · 32 comments

Comments

@tavisma
Contributor

tavisma commented Aug 3, 2016

I'm having trouble using this script in the eu-central-1 region

I've got a role/user that works with "aws ec2 create-snapshot". I've tested this in eu-central-1, us-west-2 and us-east-1 and it works

If I run ec2-consistent-snapshot in other regions using this user it works.
When I switch the region to Frankfurt with "--region 'eu-central-1'" I get an "ec2-consistent-snapshot: ERROR: create_snapshot: AuthFailure: AWS was not able to validate the provided access credentials at ./ec2-consistent-snapshot line 323." error

@tavisma
Contributor Author

tavisma commented Aug 3, 2016

I'm using Net::Amazon::EC2, which is up to date (0.31), on CentOS 7.
I've tried system Perl (perl5 5.16.3) and ActivePerl (5.22.1).

Here is the command line i'm using:
./ec2-consistent-snapshot --aws-access-key-id 'REDACTED' --aws-secret-access-key 'REDACTED' --freeze-filesystem REDACTED --region 'eu-central-1' --description "Test_snapshot_1" --debug vol-REDACTED

Debug log:
ec2-consistent-snapshot: Using AWS access key: REDACTED
ec2-consistent-snapshot: Using description 'Test_snapshot_1' for all snapshot descriptions
ec2-consistent-snapshot: Tue Aug 2 23:53:52 2016: sync
ec2-consistent-snapshot: Tue Aug 2 23:53:52 2016: fsfreeze -f REDACTED
ec2-consistent-snapshot: Tue Aug 2 23:53:52 2016: create EC2 object
ec2-consistent-snapshot: Endpoint: https://ec2.eu-central-1.amazonaws.com
ec2-consistent-snapshot: volume_id: REDACTED; description: Test_snapshot_1
ec2-consistent-snapshot: Tue Aug 2 23:53:52 2016: aws ec2 create-snapshot vol-REDACTED
ec2-consistent-snapshot: ERROR: create_snapshot: AuthFailure: AWS was not able to validate the provided access credentials at ./ec2-consistent-snapshot line 323.
ec2-consistent-snapshot: Tue Aug 2 23:53:52 2016: fsfreeze -u REDACTED

running this command with the same user/key/secret works properly
aws --region 'eu-central-1' ec2 create-snapshot --volume-id vol-REDACTED

@tavisma
Contributor Author

tavisma commented Aug 3, 2016

Spinning up a server instance with an attached IAM role seems to have the same issue in eu-central-1.
It works when I use the IAM role in us-west-1.

@archeredu-circleci

Thanks for taking the time to report this. If you (or anybody else) figures out what is causing the difference, please post here.

@tavisma
Contributor Author

tavisma commented Aug 4, 2016

have you also seen this behaviour on the eu-central-1 region?

@wfen

wfen commented Aug 5, 2016

We're using this script on CentOS7 with perl-Net-Amazon-EC2 0.31 successfully within eu-central-1. I believe that perhaps you might need to specify the option "--signature-version 4" in your command.

@tavisma
Contributor Author

tavisma commented Aug 5, 2016

No luck, same problem

I'm going to set aside some time next week to see if I can't debug this further.

@tavisma
Contributor Author

tavisma commented Aug 5, 2016

Update:

Using "--use-iam-role" does NOT work in the eu-central-1 region with the latest version of Net::Amazon::EC2 (0.31).
Adding "--signature-version 4" does NOT solve the problem.

If i specify AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY AND add "--signature-version 4" to the command line, it works!

This may be a bug in Net::Amazon::EC2, specific to eu-central-1 region (maybe they're doing something different there as it is a new region)

I'll update this ticket with more information if i manage to find out why IAM doesn't work

@archeredu-circleci

@tavispaquette Thanks for the additional details.

@m0n5t3r

m0n5t3r commented Aug 18, 2016

Ran into this today; it seems to affect ec2-expire-snapshots as well. In the end I just implemented the functionality I needed in a bash script with awscli.

@effeks

effeks commented Aug 23, 2016

Is this related to #59 ?

@tavisma
Contributor Author

tavisma commented Aug 23, 2016

Not entirely.
Specifying "--signature-version 4" on the command line does resolve the issue unless I also specify "--use-iam-role".

So I have a workaround, but I am currently not able to use IAM roles; I have to provision API keys along with the script on each server.

@markstos
Collaborator

markstos commented Dec 30, 2016

New regions don't support "signature version 2", only "signature version 4". I confirmed that authentication fails when combining "signature version 4" with "--use-iam-role" in the new "ca-central-1" region. I'm investigating now.

There appears to be no related bug in ec2-consistent-snapshot, rather it appears that the bug is upstream in Net::Amazon::EC2.

Someone identified the bug in October of 2015, but the issue remains open there:

https://rt.cpan.org/Public/Bug/Display.html?id=107491
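The difference markstos describes above (the newer regions accept only Signature Version 4, and SigV4 with "--use-iam-role" fails where SigV4 with static keys works) is easiest to see in the signing steps themselves. The Python below is an added example, not code from ec2-consistent-snapshot or Net::Amazon::EC2, and it does not claim to reproduce the upstream bug. It builds the SigV4 Authorization header for an EC2 Query API GET once with instance-role credentials and once with the same keys treated as long-lived. The metadata-service JSON, key values, token and volume ID are constructed samples. Two things it makes visible: the region is bound into the credential scope (a SigV2 signature has no such scope, which is the mechanism the new regions no longer accept), and temporary role credentials carry a session token that must be sent in x-amz-security-token and covered by the signature, otherwise the endpoint cannot validate them.

```python
"""SigV4 signing of an EC2 Query API GET with instance-role vs. static credentials.
Added example, not code from ec2-consistent-snapshot or Net::Amazon::EC2;
the credentials, token and volume ID below are constructed samples."""
import hashlib
import hmac
import json
import urllib.parse
from datetime import datetime, timezone

# Constructed sample of an instance-metadata role-credentials document
# (field names as the metadata service uses them; the values are fake).
SAMPLE_ROLE_CREDS = json.dumps({
    "Code": "Success",
    "Type": "AWS-HMAC",
    "AccessKeyId": "ASIAEXAMPLEROLEKEY",
    "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "Token": "FQoDYXdzEXAMPLESESSIONTOKEN",
    "Expiration": "2016-08-03T06:00:00Z",
})
# Fixed clock so the output is reproducible (the timestamp from the debug log in this thread).
FIXED_TIME = datetime(2016, 8, 2, 23, 53, 52, tzinfo=timezone.utc)


def parse_role_credentials(body: str) -> dict:
    """Pull the three values SigV4 needs out of a metadata-service response."""
    data = json.loads(body)
    if data.get("Code") != "Success":
        raise ValueError("metadata service did not return credentials")
    return {"access_key": data["AccessKeyId"],
            "secret_key": data["SecretAccessKey"],
            "token": data.get("Token")}


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sign_ec2_query(params: dict, region: str, creds: dict,
                   when: datetime = FIXED_TIME) -> dict:
    """Return request headers for a SigV4-signed GET to ec2.<region>.amazonaws.com."""
    host = f"ec2.{region}.amazonaws.com"
    service = "ec2"
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = when.strftime("%Y%m%d")

    # Canonical query string: keys sorted, RFC 3986 percent-encoding.
    quote = lambda s: urllib.parse.quote(str(s), safe="-_.~")
    canonical_qs = "&".join(f"{quote(k)}={quote(v)}" for k, v in sorted(params.items()))

    # Temporary (role) credentials carry a session token; it must travel in
    # x-amz-security-token and be listed in SignedHeaders so it is covered by the signature.
    headers = {"host": host, "x-amz-date": amz_date}
    if creds.get("token"):
        headers["x-amz-security-token"] = creds["token"]
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    payload_hash = hashlib.sha256(b"").hexdigest()  # GET: empty body

    canonical_request = "\n".join(["GET", "/", canonical_qs, canonical_headers,
                                   signed_headers, payload_hash])
    # The region is part of the credential scope, so the same request signed
    # for another region produces a different, non-interchangeable signature.
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])

    # Signing-key derivation: each HMAC step binds one component of the scope.
    k_date = _hmac(("AWS4" + creds["secret_key"]).encode(), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    k_signing = _hmac(k_service, "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode(), hashlib.sha256).hexdigest()

    out = dict(headers)
    out["Authorization"] = (f"AWS4-HMAC-SHA256 Credential={creds['access_key']}/{scope}, "
                            f"SignedHeaders={signed_headers}, Signature={signature}")
    return out


def create_snapshot_headers(region: str, use_role: bool = True) -> dict:
    """Headers for the CreateSnapshot call the script issues: with role credentials
    (token included), or with the token dropped, which is the shape of a request
    signed with long-lived keys as in the static-key workaround from this thread."""
    creds = parse_role_credentials(SAMPLE_ROLE_CREDS)
    if not use_role:
        creds["token"] = None
    params = {"Action": "CreateSnapshot", "Version": "2016-04-01",
              "VolumeId": "vol-0123456789abcdef0", "Description": "Test_snapshot_1"}
    return sign_ec2_query(params, region, creds)


if __name__ == "__main__":
    for name, value in create_snapshot_headers("eu-central-1").items():
        print(f"{name}: {value}")
```

Running it prints the host, x-amz-date, x-amz-security-token and Authorization headers a client would send to the regional endpoint. A quick way to check any SigV4 client against a role is to compare its SignedHeaders list with the one produced here: if x-amz-security-token is missing while the credentials came from the instance metadata service, AuthFailure on a SigV4-only region is the expected result.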

@markstos
Collaborator

Considering that the underlying Net::Amazon::EC2 bug hasn't been fixed for over a year, I don't expect it to be fixed soon. In the meantime, AWS has endorsed Paws as their unofficial Perl SDK. The Paws API explicitly documents that it supports role-based authentication.

The recommended fix is to refactor the code to use the better-maintained Paws library instead of the apparently neglected Net::Amazon::EC2 library.

@markstos
Collaborator

I made a related Pull Request to Paws to set the signature version appropriately for the newer AWS regions.

@markstos
Collaborator

A challenge with using Paws instead of Net::Amazon::EC2 will be that there is no Ubuntu package for Paws. We could bundle a version of Paws in our own Ubuntu package, but that's also unattractive.

@pplu

pplu commented Jan 11, 2017

If you guys need help, I'm open to discussing how we can make Paws easier to distribute (currently you get all Paws with all services when you install it via CPAN)

@markstos
Collaborator

Thanks @pplu. I guess one option we have is to quit recommending that ec2-consistent-snapshot be installed exclusively via apt. Instead, we could provide instructions for a CPAN-based installation.

I have to pause my efforts on this for the moment. I just have a server in a problematic region at the moment, and I'm going to quickly set up an alternate backup method so I can return to other priorities at work.

I would enjoy fixing this in the future if I have time, though. Almost all my work is in JavaScript now, and I appreciate the rare jobs that put my 10+ years of Perl experience to use!

@markstos
Collaborator

@pplu Users of ec2-consistent-snapshot won't necessarily be Perl developers. The installation instructions for Paws say to use cpanm and carton to install it, but those aren't installed by default on an OS and non-Perl-devs won't be familiar with them. So, it would be helpful to have instructions on getting those installed. (Or at least linking to the docs for those packages for their own installation instructions).

I found that those projects are already packaged for Ubuntu, so users could use familiar commands to install them:

 sudo apt-get install cpanminus carton

@markstos markstos changed the title eu-central-1 authentication problems role-based authentication fails in new AWS regions, including eu-central-1, ca-central-1 and others. Jan 12, 2017
@markstos
Collaborator

Net::Amazon::EC2 has resolved this issue upstream by making AWS Signature Version 4 the default.

A pull request would be welcome which made this project depend on the latest Net::Amazon::EC2, version 0.32, after testing against it and making any related refactors required to work with the new version.

Ref: https://metacpan.org/changes/distribution/Net-Amazon-EC2

@apptaro

apptaro commented Dec 28, 2017

Hi @markstos, thank you for your efforts to maintain this program. So, judging from your recent comments, it looks like you were waiting for Net::Amazon::EC2 0.32 to make AWS Signature Version 4 the default, and then you were waiting for Net::Amazon::EC2 to fix the stateReason bug, which is now fixed in 0.33. But I installed the latest master of ec2-consistent-snapshot and Net::Amazon::EC2 0.33, and the issue is still there.

$ sudo ec2-consistent-snapshot --region ap-northeast-1 --use-iam-role --signature-version=4 --no-freeze-filesystem / vol-0af8e6cbf54b0d41d
ec2-consistent-snapshot: ERROR: create_snapshot: AuthFailure: AWS was not able to validate the provided access credentials at /home/centos/jobs/ec2-consistent-snapshot line 323.
$ sudo ec2-consistent-snapshot --region ap-northeast-1 --use-iam-role --signature-version=2 --no-freeze-filesystem / vol-0af8e6cbf54b0d41d
snap-0d41e2c774eeb3717
$

For the region ap-northeast-1, to use --use-iam-role, I have to use --signature-version=2.
So, I think the root cause is still this: https://rt.cpan.org/Public/Bug/Display.html?id=107491

@apptaro

apptaro commented Dec 28, 2017

I have logged the issue with Net::Amazon::EC2
jadeallenx/net-amazon-ec2#59

@jadeallenx

I released 0.35 of Net-Amazon-EC2 to CPAN today which I believe fixes this issue.

@markstos
Collaborator

Thanks everyone. At this point I'm waiting on Ubuntu to package a new version of Net::Amazon::EC2, as mentioned here: #94 (comment)

But perhaps I shouldn't hold my breath for that. The alternative is for @ehammond to publish Net::Amazon::EC2 .35 to his Ubuntu PPA, and then we can update our Ubuntu package for ec2-consistent-snapshot to depend on that newer package of Net::Amazon::EC2.

@ehammond
Member

I am not excited about the work that would probably be involved in publishing a Perl package to a PPA, and am uncertain if this would cause issues for anybody else, how we would know about those issues, and what would be involved with keeping it up to date as the months and years go by.

@markstos If you are interested in running a PPA, I'd be happy to point everything over that way :-)

Folks at my company have been moving to Paws for Perl AWS stuff. Not sure if that would be an option, if it is available as an Ubuntu package, or if it would solve the problem. https://metacpan.org/pod/Paws

@markstos
Collaborator

I'm not keen to start maintaining a PPA, either.

I would welcome a refactor to use Paws instead of Net::Amazon::EC2 if the version currently published by Ubuntu would solve the problems with the published versions of Net::Amazon::EC2.

Another option is to switch the distribution method from Ubuntu packages to a CPAN-based approach, in which it would be easy to depend on whichever version of Net::Amazon::EC2 that we liked. Volunteers to explore that approach would be welcome as well.

My open source time is already somewhat booked helping with node-config and I also recently started to help maintain passport-saml for Node.js as well.

@nikolai-derzhak-distillery

Sorry for commenting on a closed ticket, but I'm not sure if it is the same issue or not (though I use the recent EC2 lib). Every other try (like 20% of them) I get an auth error (with both signature 2 and signature 4) in us-west-2:

ec2-consistent-snapshot.bin: Fri May 18 00:26:40 2018: Determining instance id
ec2-consistent-snapshot.bin: Fri May 18 00:26:40 2018: create EC2 object
ec2-consistent-snapshot.bin: Endpoint: https://ec2.us-west-2.amazonaws.com
ec2-consistent-snapshot.bin: Fri May 18 00:26:40 2018: Fetching instance description for i-060ba628ed66c0ff9
Amazon EC2 Errors [Request 2b88fdca-4099-4cd9-82c2-be65d887ea37]:
[AuthFailure] AWS was not able to validate the provided access credentials

It can also fail with an auth error on the createSnapshot API call when the volume discovery API calls went just fine.

Any suggestions ?

@nikolai-derzhak-distillery

Corresponding comment on the Net::Amazon::EC2 issue: jadeallenx/net-amazon-ec2#59

@markstos
Collaborator

It's probably the same issue. The new version should be packaged as a "snap":
#97 (comment)

Volunteers welcome.

@nikolai-derzhak-distillery

@markstos I just curl the master branch of the script and do not use the package system. Then I install recent dependencies.

RUN curl -L http://xrl.us/cpanm > /bin/cpanm && chmod +x /bin/cpanm
RUN cpanm install --notest --no-man-pages --without-recommend --without-suggests \
  MongoDB Any::Moose MongoDB::Admin Net::Amazon::EC2 File::Slurp PAR::Packer

# we patch it so have to pin exact version until PRs will be created and merged
# https://github.com/alestic/ec2-consistent-snapshot/issues/98
# https://github.com/alestic/ec2-consistent-snapshot/issues/72#issuecomment-391557982
#
#                 https://raw.githubusercontent.com/alestic/ec2-consistent-snapshot/master/ec2-consistent-snapshot
RUN curl -s -L -O https://raw.githubusercontent.com/alestic/ec2-consistent-snapshot/ecd9e9febc7cf1cfb6f9e48a49446ec8d1436849/ec2-consistent-snapshot

@markstos
Collaborator

markstos commented Jun 6, 2018

@nderzhak I have a "snap" package that I could use help testing, especially on 16.04. It packages its own set of dependencies to avoid problems with getting versions that are too old or too new in manual installations. This is the recommended way to get the newer version of Net::Amazon::EC2 on 16.04.

 snap install ec2-consistent-snapshot --channel=edge --devmode

I built it on Bionic and haven't tested it on 16.04. It's my first Snap package, though. It would be nice to improve the "confinement" setting so we don't have to publish it in "devmode". You are welcome to work on that. However, the permissions it has in devmode are the same as it has in the .deb file.

So, it's no less secure, it's just that Snaps enable the possibility of being more secure by further limiting the filesystem access of your packages.

@markstos
Collaborator

I ended up building a bash alternative that avoids the Perl packaging problems: https://github.com/RideAmigosCorp/ec2-consistent-snapshot.sh

markstos referenced this issue Dec 17, 2018
…fixes.

This version is not packaged by Ubuntu until 18.04. However,
It can get bundled into the "snap" package that may work on
Ubuntu 16.04.
@ehammond
Member

Thanks for submitting this. Unfortunately, this project is no longer under development in this repo. Anybody is welcome to fork the project and continue development if there is interest.
