As Steven told me on IRC, the problem was that the user associated with my EC2 creds had the heat_stack_user role in keystone. This role is intended to be used only for the in-instance users, created as part of the stack, not real human users. This is described in policy.json

thanks Steven,

btw: any idea about the first problem?

m.


Michaël Van de Borne
R&D Engineer, SOA team, CETIC
Phone: +32 (0)71 49 07 45 Mobile: +32 (0)472 69 57 16, Skype: mikemowgli
www.cetic.be, rue des Frères Wright, 29/3, B-6041 Charleroi

Le 03/07/2013 16:21, Michaël Van de Borne a écrit :
Hello Steven,
I'm mikemowgli from IRC. As requested, here are the logs.


1. First, here's a stack trace I*get in my shell periodically (once per minute approximately), but not in the logs: *
http://pastebin.com/kPswnGNL
(this might not be related to cloudwatch as I got this permanently)


2. Then, here is the error I get when I perform a heat-watch command. The logs of engine and cloudwatch are in attachment. In order to minimize their size, I launched and killed the daemons for this single heat-watch command.

It seems that my AWS creds are accepted, but that the user does have enough permissions. However, in keystone, the heat user is admin of the service tenant. The config files of engine, cloudwatch and boto (2.9.0) are also in attachment.

grizzly@leonard:~$ heat-watch -d describe
DEBUG:Debug level logging enabled
INFO:No AlarmName passed, getting results for ALL alarms
DEBUG:Using access key found in config file.
DEBUG:Using secret key found in config file.
DEBUG:Got CW connection object OK
DEBUG:Method: GET
DEBUG:Path: /v1/
DEBUG:Data:
DEBUG:Headers: {}
DEBUG:Host: 192.168.202.103:8003
DEBUG:Params: {'Action': 'DescribeAlarms', 'Version': '2010-08-01', 'AlarmNames.member.1': None}
DEBUG:establishing HTTP connection: kwargs={'timeout': 70}
DEBUG:Token: None
DEBUG:using _calc_signature_2
DEBUG:query string: AWSAccessKeyId=88da7b10ddbe4f4cad198477352ef9fc&Action=DescribeAlarms&AlarmNames.member.1=None&SignatureMethod=HmacSHA256&SignatureVersion=2&Timestamp=2013-07-03T14%3A08%3A54Z&Version=2010-08-01
DEBUG:string_to_sign: GET
192.168.202.103:8003
/v1/
AWSAccessKeyId=88da7b10ddbe4f4cad198477352ef9fc&Action=DescribeAlarms&AlarmNames.member.1=None&SignatureMethod=HmacSHA256&SignatureVersion=2&Timestamp=2013-07-03T14%3A08%3A54Z&Version=2010-08-01
DEBUG:len(b64)=44
DEBUG:base64 encoded digest: UaFV/v+FEOEIStrQR7BAH2ci0uGjlWP+p1TwLO8FVM0=
DEBUG:query_string: AWSAccessKeyId=88da7b10ddbe4f4cad198477352ef9fc&Action=DescribeAlarms&AlarmNames.member.1=None&SignatureMethod=HmacSHA256&SignatureVersion=2&Timestamp=2013-07-03T14%3A08%3A54Z&Version=2010-08-01 Signature: UaFV/v+FEOEIStrQR7BAH2ci0uGjlWP+p1TwLO8FVM0= DEBUG:<ErrorResponse><Error><Message>User is not authorized to perform action:Action DescribeAlarms not allowed for user</Message><Code>AccessDenied</Code><Type>Sender</Type></Error></ErrorResponse>
ERROR:403 AccessDenied
ERROR:<ErrorResponse><Error><Message>User is not authorized to perform action:Action DescribeAlarms not allowed for user</Message><Code>AccessDenied</Code><Type>Sender</Type></Error></ErrorResponse>
Traceback (most recent call last):
  File "/usr/local/bin/heat-watch", line 281, in <module>
    main()
  File "/usr/local/bin/heat-watch", line 268, in main
    result = cmd(opts, args)
File "/usr/local/lib/python2.7/dist-packages/heat/cfn_client/utils.py", line 32, in wrapper
    ret = func(*arguments, **kwargs)
  File "/usr/local/bin/heat-watch", line 65, in alarm_describe
    result = c.describe_alarm(**parameters)
File "/usr/local/lib/python2.7/dist-packages/heat/cfn_client/boto_client_cloudwatch.py", line 57, in describe_alarm
    alarm_names=[name])
File "/usr/local/lib/python2.7/dist-packages/boto/ec2/cloudwatch/__init__.py", line 393, in describe_alarms
    [('MetricAlarms', MetricAlarms)])
File "/usr/local/lib/python2.7/dist-packages/boto/connection.py", line 1049, in get_list
    raise self.ResponseError(response.status, response.reason, body)
boto.exception.BotoServerError: BotoServerError: 403 AccessDenied
<ErrorResponse><Error><Message>User is not authorized to perform action:Action DescribeAlarms not allowed for user</Message><Code>AccessDenied</Code><Type>Sender</Type></Error></ErrorResponse>


thank you for your help,

michaël


--
Michaël Van de Borne
R&D Engineer, SOA team, CETIC
Phone: +32 (0)71 49 07 45 Mobile: +32 (0)472 69 57 16, Skype: mikemowgli
www.cetic.be, rue des Frères Wright, 29/3, B-6041 Charleroi


_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to     : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to     : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Reply via email to