EC2 ImageBuilder pipeline failing with "UnrecognizedClientException: The security token included in the request is invalid."


During the execution of the step "ApplyBuildComponents" within the EC2 ImageBuilder pipeline, the process initiates a GetComponent action but subsequently fails. The failure details are logged in the Systems Manager, traced back to the EC2 instance responsible for building the Docker image:

"executionId": "088cdba5-2868-11ee-ac08-00155df9ecbd",
"status": "failed",
"failedStepCount": 0,
"executedStepCount": 0,
"ignoredFailedStepCount": 0,
"failureMessage": "Failed to download the EC2 Image Builder Component 'arn:aws:imagebuilder:us-east-1:<account-id>:component/update-windows/1.0.1/1'. Error - operation error imagebuilder: GetComponent, https response error StatusCode: 403, RequestID: 62993d71-605c-44b5-92e6-f7d63ab0b36d, API error UnrecognizedClientException: The security token included in the request is invalid.",
"logUrl": ""

The component itself is an AWS managed component. I have no trouble issuing the GetComponent for the same component from the AWS CLI. No matter what components are specified in the container recipe, it results in the same error.

The identical error message is present in the S3 logs for the pipeline. However, no additional pertinent information appears to be available. The workflow from the pipeline only reveals that a RunCommand was sent, and it provides the command-id, which subsequently links to the EC2 instance executing the Docker build (generating the output as mentioned above). The RunCommand event can be traced in CloudTrail, and the command-id aligns. Other events within the command, like downloading the base image layers, are also visible in CloudTrail.

I've exhaustively scrutinized CloudTrail logs and even imported them into Athena for sophisticated querying. However, I couldn't locate any events that incorporate the RequestID mentioned in the error. So, I'm unable to diagnose the root cause of the error.

Help appreciated.

thxkiwi
asked 9 months ago · 601 views
2 Answers

Hi, the error is 403 (not allowed). It means that your EC2 builder instance execution role is missing permissions to execute properly. You should check the corresponding role policy to add the required authorizations.

As said in https://docs.aws.amazon.com/imagebuilder/latest/userguide/troubleshooting.html#ts-access-denied, it often comes from missing S3 permissions to write objects on the bucket where produced artifacts need to be written:

The pipeline build fails with "AccessDenied: Access Denied status code: 403".

Cause
Possible causes include:

The instance profile does not have the required permissions to access APIs or component resources.

The instance profile role is missing permissions that are required for logging to Amazon S3. Most commonly, this occurs when the instance profile role does not have PutObject permissions for your S3 buckets.

Best, Didier

AWS
EXPERT
answered 9 months ago
  • Thanks for taking the time to give an answer.

    I'm quite confused how S3 is involved, given that the error originates from the pipeline attempting to download a build component (AWS code, not mine), and given the pipeline step involved (ApplyBuildComponents), which would seem to me to be inside a container during the Docker build itself: "Failed to download the EC2 Image Builder Component 'arn:aws:imagebuilder:us-east-1:627945338248:component/update-windows/1.0.1/1'."

    Which S3 bucket would be involved here, and under which role exactly: AWSServiceRoleForImageBuilder or the IAM role for the infrastructure configuration?

    While S3 logs are involved in the pipeline, I already get information written to these logs, so where else is S3 involved that needs PutObject?

    Couldn't a general HTTP 403 (Forbidden) legitimately be due to what the actual error text says, "API error UnrecognizedClientException: The security token included in the request is invalid.", and not be related to S3 at all?


Hello,
Thank you for your query!

The error message you have received usually indicates that the instance profile mentioned in the infrastructure configuration of the pipeline does not have the necessary permissions to download the components from the S3 bucket. S3 buckets are involved in downloading the AWS managed components using the 'GetComponent' API call.
Hence, the EC2 instance responsible for building the image should have access to the S3 bucket and to the 'GetComponent' API, which is needed to download the build component.

Therefore, you can check the corresponding role policies to ensure that the required permissions are granted.
However, if you still continue to face this issue, we would be required to perform resource-level troubleshooting to investigate further. Hence, please create a support case with AWS Premium Support and we will be glad to assist you.

Let me know if you have any further queries. Thank you for your interest in re:Post community.
Have a great day!

AWS
SUPPORT ENGINEER
answered 9 months ago
  • Given that this specific component in question is an AWS managed component, how does one know which bucket?
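Both answers above come down to the same check: does the instance-profile role from the infrastructure configuration grant imagebuilder:GetComponent on the component ARN from the error, and s3:PutObject on the pipeline's log bucket? The following is an added example, not part of the thread and not AWS code. It is a small offline evaluator for identity policy documents that applies the core IAM decision order (an explicit Deny wins, otherwise any matching Allow grants, otherwise the request is denied) with IAM's '*' and '?' wildcards. The policy documents, the bucket name, the object key and the account id are constructed; only the action names and the component ARN format come from the thread. Condition, NotAction and NotResource are deliberately rejected rather than ignored, and nothing here covers SCPs, permission boundaries or resource policies, so treat a "False" as a reason to look at the role, not as proof of the cause of the 403 in the question. For the real role, the equivalent check is `aws iam simulate-principal-policy` against the role ARN with the same actions and resource ARNs.

```python
"""Offline check of an Image Builder instance-profile role policy (added example)."""
import re

# Component ARN from the error message, with a placeholder account id (constructed).
COMPONENT_ARN = "arn:aws:imagebuilder:us-east-1:123456789012:component/update-windows/1.0.1/1"
# Constructed: an object under the S3 log prefix set in the infrastructure configuration.
LOG_OBJECT_ARN = "arn:aws:s3:::example-imagebuilder-logs/pipeline-logs/build.log"

# Constructed policy that only covers S3 logging; GetComponent is not granted.
INCOMPLETE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:PutObject"],
         "Resource": "arn:aws:s3:::example-imagebuilder-logs/*"},
    ],
}

# Constructed policy that also grants the component download.
COMPLETE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-imagebuilder-logs/*"},
        {"Effect": "Allow", "Action": ["imagebuilder:GetComponent"],
         "Resource": "arn:aws:imagebuilder:*:*:component/*"},
    ],
}

# Constructed policy with an explicit Deny, to show that Deny overrides Allow.
EXPLICIT_DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "imagebuilder:*", "Resource": "*"}],
}


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _iam_match(pattern, value):
    """IAM wildcard match: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _statement_matches(stmt, action, resource):
    # Action names are case-insensitive; resource ARNs are compared as written.
    actions = [a.lower() for a in _as_list(stmt.get("Action"))]
    if not any(_iam_match(a, action.lower()) for a in actions):
        return False
    return any(_iam_match(r, resource) for r in _as_list(stmt.get("Resource")))


def is_allowed(policies, action, resource):
    """Simplified identity-policy decision: explicit Deny wins, then Allow, else deny.

    Condition, NotAction and NotResource are rejected instead of being skipped,
    because skipping them could turn a real deny into a reported allow.
    """
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy.get("Statement")):
            if any(key in stmt for key in ("Condition", "NotAction", "NotResource")):
                raise ValueError("unsupported statement element in %s" % stmt.get("Sid", "<no Sid>"))
            if not _statement_matches(stmt, action, resource):
                continue
            if stmt.get("Effect") == "Deny":
                return False
            if stmt.get("Effect") == "Allow":
                allowed = True
    return allowed


def check_instance_profile(policies):
    """Decision for the two actions the answers above point at, keyed by action."""
    return {
        "imagebuilder:GetComponent": is_allowed(policies, "imagebuilder:GetComponent", COMPONENT_ARN),
        "s3:PutObject": is_allowed(policies, "s3:PutObject", LOG_OBJECT_ARN),
    }


if __name__ == "__main__":
    for name, policies in (("incomplete", [INCOMPLETE_POLICY]), ("complete", [COMPLETE_POLICY])):
        print(name, check_instance_profile(policies))
```

With the constructed documents, the incomplete policy reports s3:PutObject allowed and imagebuilder:GetComponent denied, the complete policy reports both allowed, and adding the explicit-Deny policy flips GetComponent back to denied regardless of the Allow. The AWS managed policy EC2InstanceProfileForImageBuilder (and, for container recipes, EC2InstanceProfileForImageBuilderECRContainerBuilds) is the usual way to get the GetComponent grant; the S3 PutObject grant for the log bucket still has to be added by you.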
