Re: Issue with jclouds computeService listNodes() ?
FTR, I'm not a user of the SimianArmy, but I've just opened a PR to add support for temporary credentials: https://github.com/Netflix/SimianArmy/pull/331

On 21 June 2018 at 10:14, archiep...@gmail.com wrote:
> Hi Ignasi,
> Thank you! I will try this out and let you know if it worked.
>
> Cheers
> Archana
>
> On 2018/06/21 08:00:01, Ignasi Barrera wrote:
> > Hi Archana,
> >
> > I see the problem here. When using temporary credentials in AWS, the
> > session token must be included in a request header [1], so you need to
> > provide it when configuring the jclouds context with the credentials.
> >
> > By default, the "ContextBuilder.credentials" signature does only allow to
> > pass the access key and secret key, but there is no place to specify that
> > session token. However, the ContextBuilder provides an alternate mechanism
> > to configure custom credentials. You can use the
> > "ContextBuilder.credentialsSupplier" method as follows:
> >
> > ContextBuilder.newBuilder("aws-ec2")
> >    ...
> >    .credentialsSupplier(new Supplier<Credentials>() {
> >       @Override
> >       public Credentials get() {
> >          return SessionCredentials.builder()
> >             .accessKeyId("temporary access key")
> >             .secretAccessKey("temporary secret key")
> >             .sessionToken("session token")
> >             .expiration(new Date()) // Change to a proper value
> >             .build();
> >       }
> >    })
> >    ...
> >
> > Could you try this?
> >
> > HTH!
> >
> > I.
> >
> > [1] https://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html#UsingTemporarySecurityCredentials
> >
> > On 21 June 2018 at 09:53, Andrea Turli wrote:
> >
> > > Mmm very interesting!
> > >
> > > The only thing that comes to my mind is:
> > > - is your account allowed to talk to all the regions? From the stacktrace
> > > above looks like
> > > org.jclouds.rest.AuthorizationException: POST https://ec2.us-east-1.amazonaws.com/ HTTP/1.1 -> HTTP/1.1 401 Unauthorized
> > > so maybe your account is not allowed to talk to that region. Can you
> > > confirm? if not you want to control which regions to target you can use
> > > `-Djclouds.regions: "us-west-1"` in case you want to limit to Oregon.
> > >
> > > HTH,
> > > Andrea
> > >
> > > On Thu, Jun 21, 2018 at 9:45 AM archiep...@gmail.com <archiep...@gmail.com> wrote:
> > >
> > >> Hi Andrea,
> > >> Thanks for the quick response. I am using an IAM role that has full admin
> > >> access. Which is why this case is even more perplexing. Do you have any
> > >> other suggestions to try out?
> > >>
> > >> Cheers
> > >> Archana
> > >>
> > >> On 2018/06/20 21:45:31, archiep...@gmail.com wrote:
> > >> > Hi Ignasi,
> > >> > So the function that does the authentication uses a context builder and
> > >> > generates a temporary access and secret key. I've read that perhaps Jclouds
> > >> > might not be sending the session token to access aws resources. Do you
> > >> > think that is what could be happening?
> > >> >
> > >> > Cheers,
> > >> > Archana
Re: Issue with jclouds computeService listNodes() ?
Hi Ignasi,
Thank you! I will try this out and let you know if it worked.

Cheers
Archana

On 2018/06/21 08:00:01, Ignasi Barrera wrote:
> Hi Archana,
>
> I see the problem here. When using temporary credentials in AWS, the
> session token must be included in a request header [1], so you need to
> provide it when configuring the jclouds context with the credentials.
>
> By default, the "ContextBuilder.credentials" signature does only allow to
> pass the access key and secret key, but there is no place to specify that
> session token. However, the ContextBuilder provides an alternate mechanism
> to configure custom credentials. You can use the
> "ContextBuilder.credentialsSupplier" method as follows:
>
> ContextBuilder.newBuilder("aws-ec2")
>    ...
>    .credentialsSupplier(new Supplier<Credentials>() {
>       @Override
>       public Credentials get() {
>          return SessionCredentials.builder()
>             .accessKeyId("temporary access key")
>             .secretAccessKey("temporary secret key")
>             .sessionToken("session token")
>             .expiration(new Date()) // Change to a proper value
>             .build();
>       }
>    })
>    ...
>
> Could you try this?
>
> HTH!
>
> I.
>
> [1] https://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html#UsingTemporarySecurityCredentials
>
> On 21 June 2018 at 09:53, Andrea Turli wrote:
>
> > Mmm very interesting!
> >
> > The only thing that comes to my mind is:
> > - is your account allowed to talk to all the regions? From the stacktrace
> > above looks like
> > org.jclouds.rest.AuthorizationException: POST https://ec2.us-east-1.amazonaws.com/ HTTP/1.1 -> HTTP/1.1 401 Unauthorized
> > so maybe your account is not allowed to talk to that region. Can you
> > confirm? if not you want to control which regions to target you can use
> > `-Djclouds.regions: "us-west-1"` in case you want to limit to Oregon.
> >
> > HTH,
> > Andrea
> >
> > On Thu, Jun 21, 2018 at 9:45 AM archiep...@gmail.com wrote:
> >
> >> Hi Andrea,
> >> Thanks for the quick response. I am using an IAM role that has full admin
> >> access. Which is why this case is even more perplexing. Do you have any
> >> other suggestions to try out?
> >>
> >> Cheers
> >> Archana
> >>
> >> On 2018/06/20 21:45:31, archiep...@gmail.com wrote:
> >> > Hi Ignasi,
> >> > So the function that does the authentication uses a context builder and
> >> > generates a temporary access and secret key. I've read that perhaps Jclouds
> >> > might not be sending the session token to access aws resources. Do you
> >> > think that is what could be happening?
> >> >
> >> > Cheers,
> >> > Archana
Re: Issue with jclouds computeService listNodes() ?
Hi Andrea,
Yes, I changed the code a little and added a .endpoint("https://ec2-ap-southeast-1.com"), to change the region. Does that resolve it?

Regards
Archana

On 2018/06/21 07:53:48, Andrea Turli wrote:
> Mmm very interesting!
>
> The only thing that comes to my mind is:
> - is your account allowed to talk to all the regions? From the stacktrace
> above looks like
> org.jclouds.rest.AuthorizationException: POST https://ec2.us-east-1.amazonaws.com/ HTTP/1.1 -> HTTP/1.1 401 Unauthorized
> so maybe your account is not allowed to talk to that region. Can you
> confirm? if not you want to control which regions to target you can use
> `-Djclouds.regions: "us-west-1"` in case you want to limit to Oregon.
>
> HTH,
> Andrea
>
> On Thu, Jun 21, 2018 at 9:45 AM archiep...@gmail.com wrote:
>
> > Hi Andrea,
> > Thanks for the quick response. I am using an IAM role that has full admin
> > access. Which is why this case is even more perplexing. Do you have any
> > other suggestions to try out?
> >
> > Cheers
> > Archana
> >
> > On 2018/06/20 21:45:31, archiep...@gmail.com wrote:
> > > Hi Ignasi,
> > > So the function that does the authentication uses a context builder and
> > > generates a temporary access and secret key. I've read that perhaps Jclouds
> > > might not be sending the session token to access aws resources. Do you
> > > think that is what could be happening?
> > >
> > > Cheers,
> > > Archana
Re: Issue with jclouds computeService listNodes() ?
Hi Archana,

I see the problem here. When using temporary credentials in AWS, the session token must be included in a request header [1], so you need to provide it when configuring the jclouds context with the credentials.

By default, the "ContextBuilder.credentials" signature does only allow to pass the access key and secret key, but there is no place to specify that session token. However, the ContextBuilder provides an alternate mechanism to configure custom credentials. You can use the "ContextBuilder.credentialsSupplier" method as follows:

    ContextBuilder.newBuilder("aws-ec2")
       ...
       .credentialsSupplier(new Supplier<Credentials>() {
          @Override
          public Credentials get() {
             return SessionCredentials.builder()
                .accessKeyId("temporary access key")
                .secretAccessKey("temporary secret key")
                .sessionToken("session token")
                .expiration(new Date()) // Change to a proper value
                .build();
          }
       })
       ...

Could you try this?

HTH!

I.

[1] https://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html#UsingTemporarySecurityCredentials

On 21 June 2018 at 09:53, Andrea Turli wrote:
> Mmm very interesting!
>
> The only thing that comes to my mind is:
> - is your account allowed to talk to all the regions? From the stacktrace
> above looks like
> org.jclouds.rest.AuthorizationException: POST https://ec2.us-east-1.amazonaws.com/ HTTP/1.1 -> HTTP/1.1 401 Unauthorized
> so maybe your account is not allowed to talk to that region. Can you
> confirm? if not you want to control which regions to target you can use
> `-Djclouds.regions: "us-west-1"` in case you want to limit to Oregon.
>
> HTH,
> Andrea
>
> On Thu, Jun 21, 2018 at 9:45 AM archiep...@gmail.com wrote:
>
>> Hi Andrea,
>> Thanks for the quick response. I am using an IAM role that has full admin
>> access. Which is why this case is even more perplexing. Do you have any
>> other suggestions to try out?
>>
>> Cheers
>> Archana
>>
>> On 2018/06/20 21:45:31, archiep...@gmail.com wrote:
>> > Hi Ignasi,
>> > So the function that does the authentication uses a context builder and
>> > generates a temporary access and secret key. I've read that perhaps Jclouds
>> > might not be sending the session token to access aws resources. Do you
>> > think that is what could be happening?
>> >
>> > Cheers,
>> > Archana
Re: Issue with jclouds computeService listNodes() ?
Mmm very interesting!

The only thing that comes to my mind is:
- is your account allowed to talk to all the regions? From the stacktrace above looks like
org.jclouds.rest.AuthorizationException: POST https://ec2.us-east-1.amazonaws.com/ HTTP/1.1 -> HTTP/1.1 401 Unauthorized
so maybe your account is not allowed to talk to that region. Can you confirm? if not you want to control which regions to target you can use `-Djclouds.regions: "us-west-1"` in case you want to limit to Oregon.

HTH,
Andrea

On Thu, Jun 21, 2018 at 9:45 AM archiep...@gmail.com wrote:
> Hi Andrea,
> Thanks for the quick response. I am using an IAM role that has full admin
> access. Which is why this case is even more perplexing. Do you have any
> other suggestions to try out?
>
> Cheers
> Archana
>
> On 2018/06/20 21:45:31, archiep...@gmail.com wrote:
> > Hi Ignasi,
> > So the function that does the authentication uses a context builder and
> > generates a temporary access and secret key. I've read that perhaps Jclouds
> > might not be sending the session token to access aws resources. Do you
> > think that is what could be happening?
> >
> > Cheers,
> > Archana
Re: Issue with jclouds computeService listNodes() ?
Hi Andrea,
Thanks for the quick response. I am using an IAM role that has full admin access. Which is why this case is even more perplexing. Do you have any other suggestions to try out?

Cheers
Archana

On 2018/06/21 07:40:46, Andrea Turli wrote:
> Archana,
>
> interesting!
>
> To debug this, I would attach an IAM role with e.g. the AmazonEC2FullAccess
> policy set and re-test. If that works, I'll then try to play with more
> restricting policies, in case you don't like AmazonEC2FullAccess in
> production.
>
> Best,
> Andrea
>
> On Thu, Jun 21, 2018 at 9:34 AM archiep...@gmail.com wrote:
>
> > Hi Andrea,
> > I tried the two methods that you suggested and neither of them work. I
> > also tried another method listHardwareProfiles() and it works. Is there
> > some different level of authentication required across these? Please do let
> > me know what you think.
> >
> > Cheers
> > Archana
> >
> > On 2018/06/20 07:26:44, Andrea Turli wrote:
> > > Hi Archana,
> > >
> > > I don't see any particular reason listNodes would behave differently when
> > > using IAM role vs Access Key and Secret Key - Once the Ec2Api is configured
> > > to use org.jclouds.aws.domain.SessionCredentials everything should just
> > > work.
> > >
> > > Is listNodes the only failing one? Can you share the stacktrace of a
> > > failing call?
> > > Could you double check listAssignableLocations() or listImages() with the
> > > same IAM role? if they work, can it be related to weird IAM permissions?
> > >
> > > HTH,
> > > Andrea
> > >
> > > On Wed, Jun 20, 2018 at 8:01 AM archiep...@gmail.com <archiep...@gmail.com> wrote:
> > >
> > > > Hi All,
> > > > I am trying to SSH from one EC2 instance into another using netflix's
> > > > simian army. I am using IAM role instead of Access key and Secret key.
> > > > Wondering if there is an issue with calling listNodes() when using IAM
> > > > role. Any insight on this, or any workaround on the issue is helpful.
> > > >
> > > > Cheers
> > > > Archana
Re: Issue with jclouds computeService listNodes() ?
Hi Andrea,
Thanks for the quick response. I am using an IAM role that has full admin access. Which is why this case is even more perplexing. Do you have any other suggestions to try out?

Cheers
Archana

On 2018/06/20 21:45:31, archiep...@gmail.com wrote:
> Hi Ignasi,
> So the function that does the authentication uses a context builder and
> generates a temporary access and secret key. I've read that perhaps Jclouds
> might not be sending the session token to access aws resources. Do you think
> that is what could be happening?
>
> Cheers,
> Archana
Re: Issue with jclouds computeService listNodes() ?
Archana,

interesting!

To debug this, I would attach an IAM role with e.g. the AmazonEC2FullAccess policy set and re-test. If that works, I'll then try to play with more restricting policies, in case you don't like AmazonEC2FullAccess in production.

Best,
Andrea

On Thu, Jun 21, 2018 at 9:34 AM archiep...@gmail.com wrote:
> Hi Andrea,
> I tried the two methods that you suggested and neither of them work. I
> also tried another method listHardwareProfiles() and it works. Is there
> some different level of authentication required across these? Please do let
> me know what you think.
>
> Cheers
> Archana
>
> On 2018/06/20 07:26:44, Andrea Turli wrote:
> > Hi Archana,
> >
> > I don't see any particular reason listNodes would behave differently when
> > using IAM role vs Access Key and Secret Key - Once the Ec2Api is configured
> > to use org.jclouds.aws.domain.SessionCredentials everything should just
> > work.
> >
> > Is listNodes the only failing one? Can you share the stacktrace of a
> > failing call?
> > Could you double check listAssignableLocations() or listImages() with the
> > same IAM role? if they work, can it be related to weird IAM permissions?
> >
> > HTH,
> > Andrea
> >
> > On Wed, Jun 20, 2018 at 8:01 AM archiep...@gmail.com <archiep...@gmail.com> wrote:
> >
> > > Hi All,
> > > I am trying to SSH from one EC2 instance into another using netflix's
> > > simian army. I am using IAM role instead of Access key and Secret key.
> > > Wondering if there is an issue with calling listNodes() when using IAM
> > > role. Any insight on this, or any workaround on the issue is helpful.
> > >
> > > Cheers
> > > Archana
Re: Issue with jclouds computeService listNodes() ?
Hi Andrea,
I tried the two methods that you suggested and neither of them work. I also tried another method listHardwareProfiles() and it works. Is there some different level of authentication required across these? Please do let me know what you think.

Cheers
Archana

On 2018/06/20 07:26:44, Andrea Turli wrote:
> Hi Archana,
>
> I don't see any particular reason listNodes would behave differently when
> using IAM role vs Access Key and Secret Key - Once the Ec2Api is configured
> to use org.jclouds.aws.domain.SessionCredentials everything should just
> work.
>
> Is listNodes the only failing one? Can you share the stacktrace of a
> failing call?
> Could you double check listAssignableLocations() or listImages() with the
> same IAM role? if they work, can it be related to weird IAM permissions?
>
> HTH,
> Andrea
>
> On Wed, Jun 20, 2018 at 8:01 AM archiep...@gmail.com wrote:
>
> > Hi All,
> > I am trying to SSH from one EC2 instance into another using netflix's
> > simian army. I am using IAM role instead of Access key and Secret key.
> > Wondering if there is an issue with calling listNodes() when using IAM
> > role. Any insight on this, or any workaround on the issue is helpful.
> >
> > Cheers
> > Archana
Re: Issue with jclouds computeService listNodes() ?
Hi Archana,

There is no explicit support to pass the IAM role based authentication when creating the jclouds context. It has to be created with the access and secret key. I don't know the internals of the simian army, but if you have access to the instance metadata you could query it to get the access keys and then build the jclouds context.

On 20 June 2018 at 09:30, archiep...@gmail.com wrote:
> Hi Andrea,
> Thanks for the reply. I am somewhat new (learning today) to Jclouds. But
> after facing this issue for the past 2 days and reading some blog posts, a
> lot of places say it might be an IAM role issue. Here is the stacktrace:
>
> 2018-06-18 03:52:56.701 - WARN ChaosInstance - [ChaosInstance.java:105] Error making SSH connection to instance
> org.jclouds.rest.AuthorizationException: POST https://ec2.us-east-1.amazonaws.com/ HTTP/1.1 -> HTTP/1.1 401 Unauthorized
>     at org.jclouds.aws.handlers.ParseAWSErrorFromXmlContent.refineException(ParseAWSErrorFromXmlContent.java:122)
>     at org.jclouds.aws.handlers.ParseAWSErrorFromXmlContent.handleError(ParseAWSErrorFromXmlContent.java:89)
>     at org.jclouds.http.handlers.DelegatingErrorHandler.handleError(DelegatingErrorHandler.java:65)
>     at org.jclouds.http.internal.BaseHttpCommandExecutorService.shouldContinue(BaseHttpCommandExecutorService.java:132)
>     at org.jclouds.http.internal.BaseHttpCommandExecutorService.invoke(BaseHttpCommandExecutorService.java:101)
>     at org.jclouds.rest.internal.InvokeHttpMethod.invoke(InvokeHttpMethod.java:90)
>     at org.jclouds.rest.internal.InvokeHttpMethod.apply(InvokeHttpMethod.java:73)
>     at org.jclouds.rest.internal.InvokeHttpMethod.apply(InvokeHttpMethod.java:44)
>     at org.jclouds.reflect.FunctionalReflection$FunctionalInvocationHandler.handleInvocation(FunctionalReflection.java:117)
>     at com.google.common.reflect.AbstractInvocationHandler.invoke(AbstractInvocationHandler.java:87)
>     at com.sun.proxy.$Proxy174.describeRegions(Unknown Source)
>     at org.jclouds.ec2.suppliers.DescribeRegionsForRegionURIs.get(DescribeRegionsForRegionURIs.java:50)
>     at org.jclouds.ec2.suppliers.DescribeRegionsForRegionURIs.get(DescribeRegionsForRegionURIs.java:38)
>     at org.jclouds.rest.suppliers.MemoizedRetryOnTimeOutButNotOnAuthorizationExceptionSupplier$SetAndThrowAuthorizationExceptionSupplierBackedLoader.load(MemoizedRetryOnTimeOutButNotOnAuthorizationExceptionSupplier.java:73)
>     at org.jclouds.rest.suppliers.MemoizedRetryOnTimeOutButNotOnAuthorizationExceptionSupplier$SetAndThrowAuthorizationExceptionSupplierBackedLoader.load(MemoizedRetryOnTimeOutButNotOnAuthorizationExceptionSupplier.java:57)
>     at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3542)
>     at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2323)
>     at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2286)
>     at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2201)
>     at com.google.common.cache.LocalCache.get(LocalCache.java:3953)
>     at com.google.common.cache.LocalCache.getOrLoad(LocalCache.java:3957)
>     at com.google.common.cache.LocalCache$LocalLoadingCache.get(LocalCache.java:4875)
>     at org.jclouds.rest.suppliers.MemoizedRetryOnTimeOutButNotOnAuthorizationExceptionSupplier.get(MemoizedRetryOnTimeOutButNotOnAuthorizationExceptionSupplier.java:119)
>     at org.jclouds.location.suppliers.derived.RegionIdsFromRegionIdToURIKeySet.get(RegionIdsFromRegionIdToURIKeySet.java:45)
>     at org.jclouds.location.suppliers.derived.RegionIdsFromRegionIdToURIKeySet.get(RegionIdsFromRegionIdToURIKeySet.java:33)
>     at com.google.common.base.Suppliers$SupplierComposition.get(Suppliers.java:68)
>     at org.jclouds.rest.suppliers.MemoizedRetryOnTimeOutButNotOnAuthorizationExceptionSupplier$SetAndThrowAuthorizationExceptionSupplierBackedLoader.load(MemoizedRetryOnTimeOutButNotOnAuthorizationExceptionSupplier.java:73)
>     at org.jclouds.rest.suppliers.MemoizedRetryOnTimeOutButNotOnAuthorizationExceptionSupplier$SetAndThrowAuthorizationExceptionSupplierBackedLoader.load(MemoizedRetryOnTimeOutButNotOnAuthorizationExceptionSupplier.java:57)
>     at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3542)
>     at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2323)
>     at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2286)
>     at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2201)
>     at com.google.common.cache.LocalCache.get(LocalCache.java:3953)
>     at com.google.common.cache.LocalCache.getOrLoad(LocalCache.java:3957)
>     at
Re: Issue with jclouds computeService listNodes() ?
Hi Archana,

I don't see any particular reason listNodes would behave differently when using IAM role vs Access Key and Secret Key - Once the Ec2Api is configured to use org.jclouds.aws.domain.SessionCredentials everything should just work.

Is listNodes the only failing one? Can you share the stacktrace of a failing call?
Could you double check listAssignableLocations() or listImages() with the same IAM role? if they work, can it be related to weird IAM permissions?

HTH,
Andrea

On Wed, Jun 20, 2018 at 8:01 AM archiep...@gmail.com wrote:
> Hi All,
> I am trying to SSH from one EC2 instance into another using netflix's
> simian army. I am using IAM role instead of Access key and Secret key.
> Wondering if there is an issue with calling listNodes() when using IAM
> role. Any insight on this, or any workaround on the issue is helpful.
>
> Cheers
> Archana
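
The `credentialsSupplier` approach from Ignasi's reply in this thread, combined with his suggestion to read the keys from the instance metadata, as an added example that is not code from the thread or from jclouds. The class name `RefreshingSessionCredentials` and the `documentSource` supplier are hypothetical; the JSON field names are those of the credential document the EC2 instance metadata service returns for an instance role, and the sample document is constructed.

```java
import com.google.common.base.Supplier;
import com.google.gson.Gson;
import com.google.gson.JsonObject;
import java.time.Instant;
import java.util.Date;
import org.jclouds.aws.domain.SessionCredentials;
import org.jclouds.domain.Credentials;

/** Added example (hypothetical class): caches temporary credentials and renews them before expiry. */
public class RefreshingSessionCredentials implements Supplier<Credentials> {
   // Renew this long before expiry so no request is signed with a token about to lapse.
   private static final long REFRESH_MARGIN_SECONDS = 300;
   private static final String[] REQUIRED = {"AccessKeyId", "SecretAccessKey", "Token", "Expiration"};

   // Hypothetical source of the JSON credential document, for instance a small HTTP client for
   // http://169.254.169.254/latest/meta-data/iam/security-credentials/<role-name>
   private final Supplier<String> documentSource;
   private SessionCredentials cached;
   private Instant expiresAt = Instant.EPOCH;

   public RefreshingSessionCredentials(Supplier<String> documentSource) {
      this.documentSource = documentSource;
   }

   @Override
   public synchronized Credentials get() {
      if (cached == null || Instant.now().plusSeconds(REFRESH_MARGIN_SECONDS).isAfter(expiresAt)) {
         refresh();
      }
      return cached;
   }

   private void refresh() {
      JsonObject doc = new Gson().fromJson(documentSource.get(), JsonObject.class);
      for (String field : REQUIRED) {
         if (doc == null || !doc.has(field)) {
            // Name the missing field only; the document itself must never reach a log.
            throw new IllegalStateException("credential document lacks " + field);
         }
      }
      Instant expiry = Instant.parse(doc.get("Expiration").getAsString());
      if (!expiry.isAfter(Instant.now())) {
         throw new IllegalStateException("credentials already expired at " + expiry);
      }
      cached = SessionCredentials.builder()
            .accessKeyId(doc.get("AccessKeyId").getAsString())
            .secretAccessKey(doc.get("SecretAccessKey").getAsString())
            .sessionToken(doc.get("Token").getAsString())
            .expiration(Date.from(expiry))
            .build();
      expiresAt = expiry;
   }

   public static void main(String[] args) {
      // Constructed sample document; real values come from the metadata service or STS.
      String sample = "{\"AccessKeyId\":\"ASIAEXAMPLEKEYID\",\"SecretAccessKey\":\"example-secret\","
            + "\"Token\":\"example-session-token\",\"Expiration\":\"2099-01-01T00:00:00Z\"}";
      Supplier<Credentials> supplier = new RefreshingSessionCredentials(() -> sample);
      SessionCredentials creds = (SessionCredentials) supplier.get();
      System.out.println("access key id: " + creds.identity);
      System.out.println("session token present: " + !creds.getSessionToken().isEmpty());
      // Wire it in as in the reply: ContextBuilder.newBuilder("aws-ec2").credentialsSupplier(supplier)
   }
}
```

A supplier that hands back a fixed set of temporary keys starts failing with 401 once the token expires; this one fails closed on an incomplete or expired document instead of signing with it.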