
Unanswered Questions tagged with Security Identity & Compliance


Unable to execute HTTP request: Connect to sts.us-east-1.amazonaws.com:443 [sts.us-east-1.amazonaws.com/209.54.177.185] failed: Connect timed out

Sometimes I am getting the below error from STS while making an API call. I am not able to find the root cause of this error.

```
Unable to execute HTTP request: Connect to sts.us-east-1.amazonaws.com:443 [sts.us-east-1.amazonaws.com/209.54.177.185] failed: Connect timed out
```

Stack trace JSON:

```json
{
  "message": "Unable to execute HTTP request: Connect to sts.us-east-1.amazonaws.com:443 [sts.us-east-1.amazonaws.com/209.54.177.185] failed: Connect timed out",
  "source": "JavaSDK",
  "stackTrace": "software.amazon.awssdk.core.exception.SdkClientException$BuilderImpl.build(SdkClientException.java:102)",
  "cause": {
    "message": "Connect to sts.us-east-1.amazonaws.com:443 [sts.us-east-1.amazonaws.com/209.54.177.185] failed: Connect timed out",
    "source": "JavaSDK",
    "stackTrace": "org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:151)",
    "cause": {
      "message": "Connect timed out",
      "source": "JavaSDK",
      "stackTrace": "java.base/sun.nio.ch.NioSocketImpl.timedFinishConnect(NioSocketImpl.java:546)\njava.base/sun.nio.ch.NioSocketImpl.connect(NioSocketImpl.java:597)",
      "cause": null,
      "applicationFailureInfo": {
        "type": "java.net.SocketTimeoutException",
        "nonRetryable": false,
        "details": null
      }
    },
    "applicationFailureInfo": {
      "type": "org.apache.http.conn.ConnectTimeoutException",
      "nonRetryable": false,
      "details": null
    }
  },
  "applicationFailureInfo": {
    "type": "software.amazon.awssdk.core.exception.SdkClientException",
    "nonRetryable": false,
    "details": null
  }
}
```
0 answers · 0 votes · 3 views · asked 2 hours ago

SDK and ChainableTemporaryCredentials

Hi, I already posted my problem in: https://stackoverflow.com/questions/73702466/chainabletemporarycredentials-getpromise-and-missing-credentials-in-config-if-u

Basically it is the following. When I use

```javascript
// AWS SDK for JavaScript v2 credential provider classes (import added for completeness)
const { ChainableTemporaryCredentials, WebIdentityCredentials } = require('aws-sdk');

// Target role is assumed with credentials obtained from the proxy role,
// which in turn is assumed with the GCP-issued web identity token.
const credentials = new ChainableTemporaryCredentials({
  params: {
    RoleArn: `arn:aws:iam::${this.accountId}:role/${this.targetRoleName}`,
    RoleSessionName: this.targetRoleName,
  },
  masterCredentials: new WebIdentityCredentials({
    RoleArn: 'arn:aws:iam::<proxyAccountId>:role/<proxyRoleName>',
    RoleSessionName: this.proxyRoleName,
    WebIdentityToken: token,
  }),
});
await credentials.getPromise();
```

with `token` a token received from GCP-cloud, do I still need some kind of AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY in my environment? I don't think so, since the idea of the token is to grant access exactly without such credentials. Right? (In the code block above I had to manipulate some characters because the code template here in the forum had some difficulties with the original 1:1 code...)

At runtime I always get an error message:

`Missing credentials in config, if using AWS_CONFIG_FILE, set AWS_SDK_LOAD_CONFIG=1`

I think I don't have to use AWS_CONFIG_FILE: my application runs in GCP and just wants to access AWS via STS. My token looks good so far as I can assess:

```json
{
  "aud": "<here my email address of the service account in GCP>",
  "azp": "<21 digit number>",
  "email": "<same email as under aud>",
  "email_verified": true,
  "exp": "<10 digit number>",
  "iat": "<10 digit number>",
  "iss": "https://accounts.google.com",
  "sub": "<same number as under azp>"
}
```

Are my expectations wrong? What is the reason for the error message?

Best regards
Thomas
0 answers · 0 votes · 5 views · asked 3 hours ago

AuthorizedKeysCommand /usr/share/ec2-instance-connect/eic_run_authorized_keys <username> SHA256:<long hex string> failed, status 22

We use Ubuntu 20.04 (`ami-0c8858c090152d291`) as the basis for a production ecommerce stack, and I need to move users around as part of a handover. In order to do this I am trying to ssh in to the instance using the original AMI-configured instance user and AWS-generated key, so I can move the user I normally log in as. This fails with the subject error in `/var/log/auth.log`. I have reconfirmed keys and user many times, obviously.

This appears to be related to [AuthorizedKeysCommand fails on Ubuntu 20.04](https://github.com/widdix/aws-ec2-ssh/issues/157), which blames the package `ec2-instance-connect`. We keep instances up to date, so I suspect this package was installed as part of a post-install security update. The above-linked GitHub thread suggests:

```
# rm /usr/lib/systemd/system/ssh.service.d/ec2-instance-connect.conf
# systemctl daemon-reload
```

I have tried the above unsuccessfully. Even after removing `ec2-instance-connect.conf` and issuing either `systemctl daemon-reload` or `kill -s HUP <sshd pid>`, the sshd process is *still* running using the `ec2-instance-connect.conf` settings:

```
sshd: /usr/sbin/sshd -D -o AuthorizedKeysCommand /usr/share/ec2-instance-connect/eic_run_authorized_keys %u %f -o AuthorizedKeysCommandUser ec2-instance-connect [listener] 0 of 10-100 startups
```

For obvious reasons I am reluctant to tinker more extensively with the sshd configuration on a production server without hearing from the community. It seems rather questionable (to put it mildly) for a "security update package" to hijack the normal sshd auth process, especially with no well-publicized info, only to come to light when I actually have to work on it. The package listing says

> Configures ssh daemon to accept EC2 Instance Connect ssh keys

but what it fails to add is "... and may disable other keys". We surely cannot be the first ones to encounter this problem?
0 answers · 0 votes · 41 views · asked 2 months ago