STS temporary credentials: "Access Key Id you provided does not exist"


Hello everyone,
I'm running ECS Fargate tasks and they need to PUT files to an S3 bucket.
I decided to use STS temporary credentials instead of just hardcoding long-lasting credentials in the docker image.

So, I start by requesting this URL in bash.
json=$(curl "http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI")
It works, it returns this JSON output:

{
 "RoleArn":"The correct ARN of the Task Role. This role has the s3:PutObject permission.",
 "AccessKeyId":"ASIA4H7NO7.....",
 "SecretAccessKey":"Some string",
 "Token":"Some long string"
}

Now I use the AccessKeyId and SecretAccessKey I got to perform a V4 signature so I can PUT the file to S3.
https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html

I get this response, do you have any idea why?

<?xml version="1.0" encoding="UTF-8"?>
<Error>
<Code>InvalidAccessKeyId</Code>
<Message>The AWS Access Key Id you provided does not exist in our records.</Message>
<AWSAccessKeyId>ASIA4H7NO7...</AWSAccessKeyId>
<RequestId>AE2074679...</RequestId>
<HostId>Some long string</HostId>
</Error>

How come it says it does not exist? It's the Access key AWS gave me.

I'm not using SDKs, just scripting some bash which is indeed working fine when I use long-lasting credentials (e.g. the AKIA access key).
On a side note... what's with the magic IP 169.254.170.2? Can't I use some host name?

Thanks in advance.

asked 4 years ago, 997 views
1 Answer

I realized I should add and sign the x-amz-security-token header as well.
https://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html#UsingTemporarySecurityCredentials

Problem solved!

answered 4 years ago
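
The fix described in the answer, as an added example that is not part of the original post: building the SigV4 `Authorization` value for an S3 PUT so that `x-amz-security-token` is in both the canonical headers and the signed-header list. It assumes the `openssl` CLI is available and that the object path is already URI-encoded; the function names and any values passed to them are hypothetical.

```bash
# Added example (not from the original post). Helper names are hypothetical;
# requires the openssl CLI. Assumes the object path is already URI-encoded.
sha256_hex() { printf '%s' "$1" | openssl dgst -sha256 | sed 's/^.*= //'; }
# hmac_hex <hex-key> <message>: hex HMAC-SHA256 of message
hmac_hex() {
  printf '%s' "$2" | openssl dgst -sha256 -mac HMAC -macopt "hexkey:$1" | sed 's/^.*= //'
}
str_hex() { printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n'; }

# sigv4_s3_put <AccessKeyId> <SecretAccessKey> <Token> <region> <host> <path>
#              <x-amz-date> <payload-sha256>  -> prints the Authorization value
sigv4_s3_put() (
  akid=$1 secret=$2 token=$3 region=$4 host=$5 path=$6 ts=$7 payload=$8
  day=${ts%%T*}
  scope="$day/$region/s3/aws4_request"
  # The session token is a signed header: it is listed here and in the
  # canonical headers, and the same value is sent with the request.
  signed="host;x-amz-content-sha256;x-amz-date;x-amz-security-token"
  canonical="PUT
$path

host:$host
x-amz-content-sha256:$payload
x-amz-date:$ts
x-amz-security-token:$token

$signed
$payload"
  to_sign="AWS4-HMAC-SHA256
$ts
$scope
$(sha256_hex "$canonical")"
  key=$(hmac_hex "$(str_hex "AWS4$secret")" "$day")
  key=$(hmac_hex "$key" "$region")
  key=$(hmac_hex "$key" "s3")
  key=$(hmac_hex "$key" "aws4_request")
  printf 'AWS4-HMAC-SHA256 Credential=%s/%s, SignedHeaders=%s, Signature=%s\n' \
    "$akid" "$scope" "$signed" "$(hmac_hex "$key" "$to_sign")"
)

# Headers to send with the PUT (curl -H ...), all matching what was signed:
#   Authorization: <output of sigv4_s3_put>
#   x-amz-date, x-amz-content-sha256, x-amz-security-token: <Token>
```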
