Comments (22)
I have fixed the timeout problem by sending the requests to https://dynamodb.eu-west-1.amazonaws.com:443/ instead.
Now I have a different problem. My requests failed to authenticate:
{error,
{<<\"UnrecognizedClientException\">>,
<<\"The security token included in the request is invalid.\">>}}
Debugging data:
url:
"https://dynamodb.eu-west-1.amazonaws.com:443/"
headers:
[{"Authorization",
"AWS4-HMAC-SHA256 Credential=A....A/20150628/eu-west-1/dynamodb/aws4_request,SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date;x-amz-target,Signature=98........................c1"},
{"host", "dynamodb.eu-west-1.amazonaws.com"},
{"x-amz-date", "20150628T071505Z"},
{"x-amz-target", "DynamoDB_20120810.CreateTable"},
{"content-type", "application/x-amz-json-1.0"},
{"x-amz-content-sha256", ""}]
config:
%{access_key_id: "A.......A",
host: "dynamodb.eu-west-1.amazonaws.com",
http_client: HTTPoison,
json_codec: Poison,
port: "443",
region: "eu-west-1",
scheme: "https://",
secret_access_key: "k.....c"}
service:
:dynamodb
I have retrieved the key and the secret by curling http://169.254.169.254/latest/meta-data/iam/security-credentials/my_role and they are the same as the ones in the config. So that looks correct.
Any hints on what could be the problem?
from ex_aws.
Hey sorry I'm just not getting to this. So the issue related to the ports is partially my fault, partially not. HTTPS uses port 443 not port 80, so it isn't surprising that 80 didn't work. You could actually just leave off specifying the port entirely because then the URL would be simply "https://dynamodb.eu-west-1.amazonaws.com" and that will route to the correct port.
Basically, if the port is a numerical `80` then I don't put it as part of the URL at all. This is why the config may say port 80 for https but still work anyway, it gets stripped when the URLs are generated. This is clearly confusing behavior and I plan on doing something about it.
Unfortunately I'm not sure why that's the error you're getting. Try specifying the port as a numerical `80` which will drop it from the URL. I wonder if including the port number is munging up the AWS request signing process.
from ex_aws.
Hi!
Thanks for your reply.
I have specified the port as numerical 80 in config.exs as well as schema "http://". The url sent to ExAws.Request is now "http://dynamodb.eu-west-1.amazonaws.com/". So no port there as you said. Still getting the same error though :/
Is there anything else that I could debug that could hint us what the problem is?
from ex_aws.
Hey, I didn't intend for you to change the schema. HTTPoison (the http client library) is smart enough to use the correct port when the request is actually sent via HTTP. I simply want the port out of the signing process. Try with a schema of "https://" and a port of numerical 80.
On a different angle, the error you're getting seems to have to do with authentication, but isn't about signing errors. This seems to indicate that there may be permission issues with the IAM credentials. Have you used the AWS IAM simulator to determine if that role is able to execute the requests you want?
from ex_aws.
The IAM simulator says the operation is allowed. All DynamoDB operations are allowed by my policy. Furthermore, I have sent such requests from both inside the EC2 instance and from inside an ECS container via awscli.
from ex_aws.
Awesome good to know, we'll figure it out. Any luck with `[schema: "https://", port: 80]`?
from ex_aws.
Just tried it, same problem.
from ex_aws.
Ok. I haven't had a chance to test much on the EU region, I'll ssh into an instance this afternoon and see if I can reproduce and determine the issues.
from ex_aws.
Thanks for your support!
I have tested running my Elixir application in an Ubuntu Server EC2 instance instead of inside an ECS container and the problem remains.
from ex_aws.
Interesting news.
Just did another test where, before starting the Elixir application, I run
export AWS_ACCESS_KEY_ID=A...L
export AWS_SECRET_ACCESS_KEY=b.....a
using the key and secret of my admin account. This worked. The requests to dynamodb worked just fine!
I have also tried exporting those environment variables with the key and secret I get from:
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/myrole
This doesn't work. These credentials are actually the ones fetched by your library if I don't export the environment variables. So the problem seems to be with the key and the secret used.
from ex_aws.
Well that's certainly a relief on my end. Only thing I can recommend is to fiddle around with the IAM simulator until you can reproduce the issue with the role / keys. Best of luck!
from ex_aws.
This is very strange.
Without running `aws configure`, this works:
aws dynamodb create-table --region eu-west-1 --table-name test_table --attribute-definitions AttributeName=uid,AttributeType=S --key-schema AttributeName=uid,KeyType=HASH --provisioned-throughput ReadCapacityUnits=1,WriteCapacityUnits=1
If this works, shouldn't the requests coming from ex_aws also work?
from ex_aws.
Use `set` to determine if your environment variables are still set. `aws` will use those first.
from ex_aws.
I run this on a fresh new EC2 instance. I have not copied my admin credentials to this one.
from ex_aws.
So let me see if I can recap:
- `aws dynamodb $stuff`: works
- `curl myrole` + setting environment variables based on that result: doesn't work
- ExAws configured to use instance_role: doesn't work
The fact that the second option doesn't work is super weird. Let me see if I can reproduce.
from ex_aws.
The recap is correct.
My EC2 instance is running ubuntu-trusty-14.04-amd64-server-20150325 (ami-47a23a30).
This EC2 instance has a role with the "Managed Policy" "AmazonDynamoDBFullAccess".
from ex_aws.
I'm a n00b in AWS, so I might be misunderstanding this statement, but it says that we should include a session token, which we don't seem to do.
"When you make a call using temporary security credentials, the call must include a session token, which is returned along with those temporary credentials. AWS uses the session token to validate the temporary security credentials."
http://docs.aws.amazon.com/STS/latest/UsingSTS/using-temp-creds.html
from ex_aws.
You may well be right there. This hasn't been a feature I've had a chance to test much I'm afraid. Investigating.
from ex_aws.
I've been able to reproduce. I believe you're correct about the cause. Fixing.
from ex_aws.
Cool!
Yes, I think we need to add a header called `X-Amz-Security-Token` with the value of the `Token` field in the security credentials.
from ex_aws.
This should be fixed on master now. Will do a release shortly. I've tested it myself, but please confirm that it looks ok on your end as well.
from ex_aws.
It works!!! 😃
Thank you so much for your dedication Ben.
from ex_aws.
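An added example, not part of the original thread and not ex_aws's code (written in Python for illustration): a minimal SigV4 header builder showing the point the thread arrives at, that role credentials from the instance metadata endpoint carry a `Token` which has to be sent as `X-Amz-Security-Token`. The helper name and every credential value below are constructed.

```python
import hashlib, hmac, json

# Constructed sample of the JSON served at
# /latest/meta-data/iam/security-credentials/<role>; all values are fake.
SAMPLE_ROLE_CREDS = json.loads("""{
  "Code": "Success", "Type": "AWS-HMAC",
  "AccessKeyId": "ASIAEXAMPLEEXAMPLE00",
  "SecretAccessKey": "constructed-secret-not-a-real-key",
  "Token": "constructed-session-token-not-real",
  "Expiration": "2015-06-28T13:15:05Z"}""")

def _sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()

def sign_dynamodb_post(creds, region, target, body, amz_date):
    """Build SigV4 headers for a DynamoDB POST (hypothetical helper).

    If creds carries a "Token" (temporary role/STS credentials), it is sent
    as x-amz-security-token and covered by the signature.
    """
    headers = {
        "content-type": "application/x-amz-json-1.0",
        "host": f"dynamodb.{region}.amazonaws.com",
        "x-amz-date": amz_date,
        "x-amz-target": target,
    }
    if creds.get("Token"):
        headers["x-amz-security-token"] = creds["Token"]
    names = sorted(headers)
    signed = ";".join(names)
    canonical = "\n".join([
        "POST", "/", "",                                  # method, path, empty query
        "".join(f"{n}:{headers[n]}\n" for n in names),    # canonical headers
        signed, _sha256_hex(body)])
    scope = f"{amz_date[:8]}/{region}/dynamodb/aws4_request"
    to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope, _sha256_hex(canonical)])
    # Derive the signing key: date -> region -> service -> "aws4_request".
    key = ("AWS4" + creds["SecretAccessKey"]).encode()
    for part in scope.split("/"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    signature = hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()
    headers["Authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={creds['AccessKeyId']}/{scope},"
        f"SignedHeaders={signed},Signature={signature}")
    return headers
```

When the same role credentials are passed to the AWS CLI through environment variables, the token goes in `AWS_SESSION_TOKEN` alongside the key and secret.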