This repository has been archived by the owner on Jul 10, 2021. It is now read-only.

SpinnakerUser is not authorized to perform: iam:ListServerCertificates #335

costimuraru opened this issue Aug 30, 2017 · 6 comments

costimuraru commented Aug 30, 2017

Hey guys!

Fantastic work on the project. I just followed the Spinnaker quick start on AWS (https://s3.amazonaws.com/quickstart-reference/spinnaker/latest/doc/spinnaker-on-the-aws-cloud.pdf) and after CloudFormation finished I began surfing through the Spinnaker UI. After some unexpected behavior in the UI, I decided to look over the Spinnaker logs and I found the error SpinnakerUser is not authorized to perform: iam:ListServerCertificates. I manually gave permission to the user in AWS IAM and the Spinnaker behavior got corrected.

/var/log/spinnaker/clouddriver/clouddriver.log

2017-08-30 22:37:28.507  WARN 46014 --- [ecutionAction-4] c.n.s.c.cache.LoggingInstrumentation     : com.netflix.spinnaker.clouddriver.aws.provider.AwsInfrastructureProvider:default/us-west-2/AmazonCertificateCachingAgent completed

com.amazonaws.services.identitymanagement.model.AmazonIdentityManagementException: User: arn:aws:iam::317085423413:user/Spinnaker-SpinnakerUser-5Z0ZXXV7BRKH is not authorized to perform: iam:ListServerCertificates on resource: arn:aws:iam::317085423413:server-certificate/ (Service: AmazonIdentityManagement; Status Code: 403; Error Code: AccessDenied; Request ID: cd8faada-8dd3-11e7-a132-ad6c0570cad9)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1587) ~[aws-java-sdk-core-1.11.173.jar:na]
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1257) ~[aws-java-sdk-core-1.11.173.jar:na]
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1029) ~[aws-java-sdk-core-1.11.173.jar:na]
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:741) ~[aws-java-sdk-core-1.11.173.jar:na]
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:715) ~[aws-java-sdk-core-1.11.173.jar:na]
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:697) ~[aws-java-sdk-core-1.11.173.jar:na]
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:665) ~[aws-java-sdk-core-1.11.173.jar:na]
	at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:647) ~[aws-java-sdk-core-1.11.173.jar:na]
	at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:511) ~[aws-java-sdk-core-1.11.173.jar:na]
	at com.amazonaws.services.identitymanagement.AmazonIdentityManagementClient.doInvoke(AmazonIdentityManagementClient.java:8275) ~[aws-java-sdk-iam-1.11.173.jar:na]
	at com.amazonaws.services.identitymanagement.AmazonIdentityManagementClient.invoke(AmazonIdentityManagementClient.java:8251) ~[aws-java-sdk-iam-1.11.173.jar:na]
	at com.amazonaws.services.identitymanagement.AmazonIdentityManagementClient.executeListServerCertificates(AmazonIdentityManagementClient.java:6023) ~[aws-java-sdk-iam-1.11.173.jar:na]
	at com.amazonaws.services.identitymanagement.AmazonIdentityManagementClient.listServerCertificates(AmazonIdentityManagementClient.java:5999) ~[aws-java-sdk-iam-1.11.173.jar:na]
	at com.amazonaws.services.identitymanagement.AmazonIdentityManagement$listServerCertificates.call(Unknown Source) ~[na:na]
	at com.netflix.spinnaker.clouddriver.aws.provider.agent.AmazonCertificateCachingAgent.loadData(AmazonCertificateCachingAgent.groovy:86) ~[clouddriver-aws-1.674.2.jar:1.674.2]
	at com.netflix.spinnaker.cats.agent.CachingAgent$CacheExecution.executeAgentWithoutStore(CachingAgent.java:66) ~[cats-core-1.674.2.jar:1.674.2]
	at com.netflix.spinnaker.cats.agent.CachingAgent$CacheExecution.executeAgent(CachingAgent.java:59) ~[cats-core-1.674.2.jar:1.674.2]
	at com.netflix.spinnaker.cats.redis.cluster.ClusteredAgentScheduler$AgentExecutionAction.execute(ClusteredAgentScheduler.java:205) ~[cats-redis-1.674.2.jar:1.674.2]
	at com.netflix.spinnaker.cats.redis.cluster.ClusteredAgentScheduler$AgentJob.run(ClusteredAgentScheduler.java:179) ~[cats-redis-1.674.2.jar:1.674.2]
	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) ~[na:1.8.0_141]
	at java.util.concurrent.FutureTask.run(FutureTask.java:266) ~[na:1.8.0_141]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [na:1.8.0_141]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [na:1.8.0_141]
	at java.lang.Thread.run(Thread.java:748) [na:1.8.0_141]
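The log above shows exactly which action and resource the SpinnakerUser was denied. As an added example (not code from the issue or from Spinnaker), the script below parses AccessDenied messages of that shape out of a clouddriver log and drafts the narrowest IAM statement that would resolve each one, so the fix is a targeted grant rather than a blanket iam:* permission. The first sample line is the error quoted above; the second is a constructed line in the same format, and the "resource ends in /" rule for falling back to "*" is a heuristic of this example.

```python
"""Parse AWS AccessDenied errors from a clouddriver log and draft a
least-privilege IAM policy per denied principal (added example)."""
import json
import re
from collections import defaultdict

# Shape of the AmazonIdentityManagementException message seen in the log.
ACCESS_DENIED_RE = re.compile(
    r"User: (?P<principal>arn:aws:iam::\d{12}:\S+) is not authorized to perform: "
    r"(?P<action>[a-z0-9-]+:[A-Za-z0-9]+) on resource: (?P<resource>arn:\S+)"
)

# Sample input: line 1 is the error from the issue; line 3 is CONSTRUCTED to
# show grouping of several denials for the same principal.
SAMPLE_LOG = """\
com.amazonaws.services.identitymanagement.model.AmazonIdentityManagementException: User: arn:aws:iam::317085423413:user/Spinnaker-SpinnakerUser-5Z0ZXXV7BRKH is not authorized to perform: iam:ListServerCertificates on resource: arn:aws:iam::317085423413:server-certificate/ (Service: AmazonIdentityManagement; Status Code: 403; Error Code: AccessDenied; Request ID: cd8faada-8dd3-11e7-a132-ad6c0570cad9)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1587)
com.amazonaws.services.identitymanagement.model.AmazonIdentityManagementException: User: arn:aws:iam::317085423413:user/Spinnaker-SpinnakerUser-5Z0ZXXV7BRKH is not authorized to perform: iam:GetServerCertificate on resource: arn:aws:iam::317085423413:server-certificate/example-cert (Service: AmazonIdentityManagement; Status Code: 403; Error Code: AccessDenied; Request ID: 00000000-0000-0000-0000-000000000000)
"""


def parse_access_denied(log_text):
    """Return one {principal, action, resource} dict per AccessDenied line."""
    return [m.groupdict() for m in ACCESS_DENIED_RE.finditer(log_text)]


def draft_policies(denials):
    """Map each denied principal to a policy granting only the denied actions."""
    grouped = defaultdict(lambda: defaultdict(set))  # principal -> resource -> actions
    for d in denials:
        # Heuristic: an ARN ending in "/" (no resource name, as with List* calls)
        # means the action is not resource-scoped, so the grant must use "*".
        resource = "*" if d["resource"].endswith("/") else d["resource"]
        grouped[d["principal"]][resource].add(d["action"])
    policies = {}
    for principal, by_resource in grouped.items():
        statements = [
            {"Effect": "Allow", "Action": sorted(actions), "Resource": resource}
            for resource, actions in sorted(by_resource.items())
        ]
        policies[principal] = {"Version": "2012-10-17", "Statement": statements}
    return policies


if __name__ == "__main__":
    for principal, policy in draft_policies(parse_access_denied(SAMPLE_LOG)).items():
        print(f"# attach to {principal}")
        print(json.dumps(policy, indent=2))
```

Review the drafted statements against the IAM service authorization reference before attaching them; the output is a starting point for a least-privilege policy, not a verified one.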
@ttomsu
Member

ttomsu commented Sep 18, 2017

I've seen this in my instances too. @spinnaker/netflix-reviewers - any guidance?

@robzienert
Member

In all likelihood, that guide is out of date. AmazonCertificateCachingAgent definitely needs that IAM permission.

@costimuraru
Author

The AWS CloudFormation template is coming from: https://s3.amazonaws.com/quickstart-reference/spinnaker/latest/templates/quickstart-spinnakercf.template

I see there is another GitHub project which generates this file: https://github.com/aws-quickstart/quickstart-spinnaker
Perhaps I should file the issue there.

@robzienert
Member

@costimuraru Yes, that would be best. That guide is maintained by AWS, not the Spinnaker team.

@spinnakerbot
Contributor

This issue is tagged as 'stale' and hasn't been updated in 89 days, so we are tagging it as 'to-be-closed'. It will be closed in 45 days unless updates are made. If you want to remove this label, comment:

@spinnakerbot remove-label to-be-closed

@spinnakerbot
Contributor

This issue is tagged as 'to-be-closed' and hasn't been updated in 45 days, so we are closing it. You can always reopen this issue if needed.
