Invalid security token in AWS request about elasticsearch-client HOT 11 CLOSED

Are you sure that your credentials provider is actually providing the creds? That error indicates that the request was signed properly but that the token was bogus (or missing).

This issue seems similar.

from elasticsearch-client.

Thanks for the quick reply. Yep, I printed out the access key ID and secret key from awsCredentials, they were both populated with the expected values. I'm going to try and dump complete HTTP requests from both the python and scala code, and see if there are any obvious differences.

from elasticsearch-client.

I should have mentioned I'm running this code inside AWS Lambda. Not sure if related, but it seems the issue is to do with another HTTP header, x-amz-security-token. The python code is populating that header from an environment variable, AWS_SECURITY_TOKEN. If I remove the header from the python code I get a similar 403 error.

I'm going to look into attaching this header to the HTTP request in elasticsearch-client and see if that fixes the problem.

from elasticsearch-client.

Ah cool -- you're almost certainly the first person to try to use this from
Lambda. We're using the Authorization header currently. You could try
adding the x-amz-security-token header to the list at
https://github.com/SumoLogic/elasticsearch-client/blob/master/elasticsearch-aws/src/main/scala/com/sumologic/elasticsearch/util/AwsRequestSigner.scala#L49
to
see if that does the trick.

On Wed, Apr 20, 2016 at 5:25 PM Ben Barnes [email protected] wrote:

I should have mentioned I'm running this code inside AWS Lambda. Not sure
if related, but it seems the issue is to do with another HTTP header,
x-amz-security-token. The python code is populating that header from an
environment variable, AWS_SECURITY_TOKEN. If I remove the header from the
python code I get a similar 403 error.

I'm going to look into attaching this header to the HTTP request in
elasticsearch-client and see if that fixes the problem.

—
You are receiving this because you commented.

Reply to this email directly or view it on GitHub
#19 (comment)

from elasticsearch-client.

It worked! I added the following function to AwsRequestSigner:

val xAmzSecurityToken = "X-Amz-Security-Token"
private def addAmzToken(httpRequest: HttpRequest): HttpRequest = {
  val amzToken = sys.env.get("AWS_SESSION_TOKEN")
  amzToken map (token => {
    httpRequest.withHeaders(RawHeader(xAmzSecurityToken, token) :: httpRequest.headers)
  }) getOrElse httpRequest
}

Then, in AwsRequestSigner::withAuthHeader I call it on withDateAndHost:
val withAmzToken = addAmzToken(withDateAndHost)

This works in my case, but I don't know how useful it would be in general. Would you be interested in a pull request? It's also a little hard to unit test as-is, since the function requires environment variables to be set.

from elasticsearch-client.

Hmm. For a PR we'd need to remove the environment variable dep. I'll think
about it -- I'd like it to work out of the box for your use case.

On Thu, Apr 21, 2016, 4:46 PM Ben Barnes [email protected] wrote:

It worked! I added the following function to AwsRequestSigner:

val xAmzSecurityToken = "X-Amz-Security-Token"
private def addAmzToken(httpRequest: HttpRequest): HttpRequest = {
val amzToken = sys.env.get("AWS_SESSION_TOKEN")
amzToken map (token => {
httpRequest.withHeaders(RawHeader(xAmzSecurityToken, token) :: httpRequest.headers)
}) getOrElse httpRequest
}

Then, in AwsRequestSigner::withAuthHeader I call it on withDateAndHost:
val withAmzToken = addAmzToken(withDateAndHost)

This works in my case, but I don't know how useful it would be in general.
Would you be interested in a pull request? It's also a little hard to unit
test as-is, since the function requires environment variables to be set.

—
You are receiving this because you commented.

Reply to this email directly or view it on GitHub
#19 (comment)

from elasticsearch-client.

Alright, no worries. I'll close this issue then.

from elasticsearch-client.

Did a bit of research --

I think the best way to do this would be to pass in an AWSSessionCredentials (subclass of AWSCredentials) into the constructor.

In the request signer, match on the credentials object to see if it is actually AWSSessionCredentials, and if so send the session token.

I believe the credentials you're sending are already AWSSessionCredentials so the only change would need to be library side.

We'd certainly accept a PR for this if you'd like to code it 👍

from elasticsearch-client.

Ah, neat! Thanks for looking into that. I'll give it a go, though I may not be able to spend much time on it for the next few days.

from elasticsearch-client.

Hey guys, im actually getting the same issue as @chronon-io, difference being I'm running the application from a normal EC2 instance.

Ive a code setup as follows:

val credentialsProviderChain = new DefaultAWSCredentialsProviderChain()
val region = Option(Regions.getCurrentRegion).getOrElse(Region.getRegion(Regions.EU_WEST_1))
val signer = Some(new ExperimentalAwsRequestSigner(credentialsProviderChain.getCredentials, region.getName, "es"))

new RestlasticSearchClient(new StaticEndpoint(Endpoint(host, port)), signer)

The response im getting back is as follows:

[debug] c.s.e.r.RestlasticSearchClient$ - Got Es response: 403 Forbidden
[warn] c.s.e.r.RestlasticSearchClient$ - Failure response: {"message":"The security token included in the request is invalid."}
[warn] c.s.e.r.RestlasticSearchClient$ - Failing request: {"query":{"term":{"_id":"a1195665-53b6-4e97-bde6-e7b918e92525"}}}

from elasticsearch-client.

What is the ExperimentalAwsRequestSigner? By the way, #55 reported that he upgraded to 1.0.24 and it worked.

from elasticsearch-client.