-
-
Notifications
You must be signed in to change notification settings - Fork 903
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ERROR: Test failed: 400 (InvalidToken): The provided token is malformed or otherwise invalid #297
Comments
Does the token have sufficient permissions to allow listing all buckets? On Thu, Mar 20, 2014 at 8:54 AM, quantonganh notifications@github.comwrote:
|
The token must have ListAllMyBuckets permission. On Thu, Mar 20, 2014 at 12:52 PM, Matt Domsch matt@domsch.com wrote:
|
@mdomsch I'm an IAM admin. My Group Policies:
Moreover, if I login to the S3 Management Console using Sign-In Credentials, I can see the list of all buckets. The strange thing is I didn't get this problem on another server with the same token. For e.g: here's the output when running
What the hell is going on here? |
Can you run with --debug on the latest github upstream on the failing Thanks, On Thu, Mar 20, 2014 at 10:10 PM, quantonganh notifications@github.comwrote:
|
@mdomsch Found some clues: don't know why On the worked system:
On the failed system:
Looks like this is the reason why I got a 400 (Bad Request) response. Where did it come from? |
came from commit dc590d6
references On Fri, Mar 21, 2014 at 2:47 AM, quantonganh notifications@github.comwrote:
|
@mdomsch: I also have found this via Google: http://www.greenhills.co.uk/2012/12/25/s3cmd-with-iam-roles.html So, I know that it was taken from the metadata:
But my question still stands: why does sometimes |
Is s3cmd run on a system with an IAM role defined? Is the access token
|
Yes, both of the worked and failed system are associated with the same IAM role.
Sorry, I'm not sure I understand your question. I'm going to run By "environment", do you mean
|
I just pushed a change to master to display the actual error (and not crap On Fri, Mar 21, 2014 at 8:02 PM, quantonganh notifications@github.comwrote:
|
environment, meaning printenv from the shell. I just tried upstream master branch which has a fix for the find() error and entering in a newly created set of API keys. This worked fine. If I On Fri, Mar 21, 2014 at 8:02 PM, quantonganh notifications@github.comwrote:
|
@mdomsch: This is better because it allows users to save settings or not. As you can guess, if I choose to save the settings, then open
By removing this line, What I don't understand is why PS: I'm re-reading http://aws.amazon.com/iam/faqs/ to make sure that I'm not missing anything important. |
fwiw - after installing s3cmd, setting up an IAM and attaching an "Amazon S3 Full Access" role - I too encountered the "The provided token is malformed or otherwise invalid" error.... Next, I created an IAM and attached a policy with admin credentials (everything)... still got error. So after seeing @mdomsch ask if there was an IAM role attached to the EC2 where the s3cmd is installed, I indeed did have my EC2 setup with an embedded role that had only an EC2 policy attached. So next, I tried running. and of course it works. So s3cmd takes as a default the credentials of embedded roles in the EC2. I am sure that if you spin up another EC2 with a role that has access to S3 - you will not get this "The provided token is malformed or otherwise invalid" error. But, please DO NOT stick -access_key=xxxx --secret_key=xxxxxxxxxxxxx parameters into any script using s3cmd. Where ever possible - try to embed roles into EC2 when you fire them up (good security practice) Anyway - to test - I fired up another EC2 w/out any embedded IAM roles, installed s3cmd, configured - and everything worked as expected using my IAM user that had the S3 policy. Hopeful s3cmd fix: Allow the IAM credentials set by the "s3cmd --configure" to take precedence over embedded IAM roles in EC2 please. |
I can confirm that removing |
I can also confirm this. |
For me also it worked after removing |
I can confirm that removing the access_token fixes this issue. |
had the same error until I used sudo s3cmd --configure |
The region name was difference in my case |
s3cmd
was installed fromepel-testing
repo by running:Then I invoked the configuration tool with
s3cmd --configure
but I got this error:I'm sure the keys are correct.
Do you have any idea about this?
PS: I also tried with the latest version from github, nothing change.
The text was updated successfully, but these errors were encountered: