AWS DynamoDB error "The security token included in the request is invalid." in Rusoto 0.41.0 #1527

Closed
benashford opened this issue Oct 9, 2019 · 7 comments · Fixed by #1528


@benashford
commented Oct 9, 2019

Since upgrading to Rusoto 0.41.0, trying to use DynamoDB results in an error:

{"__type":"com.amazon.coral.service#UnrecognizedClientException","message":"The security token included in the request is invalid."}

Rolling back to version 0.40.0 and leaving everything else the same (the rest of the code is the same, the AWS roles are the same, etc.), the error goes away and the code works as expected.

Unfortunately I'm not familiar enough with the Rusoto codebase to hazard a guess where the issue may be. But I had a brief glance through the rusoto_credential library and it appears mostly unchanged between 0.40.0 and 0.41.0; so if I were to guess I would say it appears to be an issue in the DynamoDB client that is, somehow, not providing the required security token.

Some more details which may be helpful:

  1. The code in question runs on an EC2 box, and the DynamoDB permissions are controlled via an IAM role assigned to an instance profile.

  2. The code uses the DefaultCredentialsProvider.

@iliana

Member

commented Oct 9, 2019

@benashford

Author

commented Oct 9, 2019

It could be if the AwsCredentials struct is used to deserialise the response from the instance metadata.

According to https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#instance-metadata-security-credentials the response will have a field called Token rather than SessionToken.

So if it was used for that, it would mean the session token would be missing when a DynamoDB call is made?

@iliana

Member

commented Oct 9, 2019

Yep. I'm testing now, but this is almost certainly a regression that I missed.

I tried an unholy mix of serde attributes to get both to work, but couldn't quite get it. We should add an appropriate deserialization test case (even if we can't reasonably test pulling credentials from instance metadata) as well.
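
The field-name mismatch discussed in the comments above, as an added std-only example that is not part of the thread and is not Rusoto's code: it reads a constructed instance-metadata-style response once accepting only `SessionToken` and once also accepting `Token`. The names `Creds`, `string_fields`, `parse_creds` and `check_usable` are hypothetical, a tiny quote-splitting extractor stands in for serde, and the `ASIA` prefix check relies on AWS's documented prefix for temporary access key IDs.

```rust
use std::collections::HashMap;

// Constructed sample shaped like the instance metadata credentials response
// described in the AWS doc linked above; all values are placeholders.
const IMDS_SAMPLE: &str = r#"{
  "Code": "Success",
  "AccessKeyId": "ASIAEXAMPLEEXAMPLE00",
  "SecretAccessKey": "constructed-secret",
  "Token": "constructed-session-token",
  "Expiration": "2019-10-09T18:00:00Z"
}"#;

#[derive(Debug, PartialEq)]
struct Creds {
    key: String,
    secret: String,
    token: Option<String>,
}

// Assumption: flat JSON object, string values only, no escaped quotes.
// Every odd piece between double quotes is then a key or a value, in order.
fn string_fields(json: &str) -> HashMap<&str, &str> {
    let quoted: Vec<&str> = json.split('"').skip(1).step_by(2).collect();
    quoted.chunks_exact(2).map(|kv| (kv[0], kv[1])).collect()
}

// `token_fields` lists the field names accepted for the session token.
fn parse_creds(json: &str, token_fields: &[&str]) -> Option<Creds> {
    let f = string_fields(json);
    Some(Creds {
        key: f.get("AccessKeyId")?.to_string(),
        secret: f.get("SecretAccessKey")?.to_string(),
        token: token_fields.iter().find_map(|n| f.get(*n)).map(|t| t.to_string()),
    })
}

// "ASIA" access key IDs are temporary credentials; they are only valid with a
// session token, so refuse to sign with them if the token went missing.
fn check_usable(c: &Creds) -> Result<(), &'static str> {
    if c.key.starts_with("ASIA") && c.token.is_none() {
        return Err("temporary credentials parsed without a session token");
    }
    Ok(())
}

fn main() {
    let c = parse_creds(IMDS_SAMPLE, &["SessionToken", "Token"]).expect("key and secret present");
    println!("token={:?} check={:?}", c.token, check_usable(&c));
}
```

A check like `check_usable` turns a silently dropped token into a local error at credential-load time instead of an `UnrecognizedClientException` from the service.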

@iliana

Member

commented Oct 9, 2019

rusoto_ec2::Ec2::describe_regions also fails with a similar error, and succeeds in 0.40.0.

@iliana

Member

commented Oct 10, 2019

I am starting work on a PR for this issue.

iliana added a commit to iliana/rusoto that referenced this issue Oct 10, 2019
matthewkmayer added a commit that referenced this issue Oct 11, 2019
Fix regression in session token handling (#1527)

@matthewkmayer

Member

commented Oct 11, 2019

New release of rusoto_credential coming tonight.

@matthewkmayer

Member

commented Oct 12, 2019

Just published 0.41.1. If the project doesn't pick it up, cargo update or deleting the Cargo.lock file should pick up rusoto_credential 0.41.1.
