By using AWS re:Post, you agree to the Terms of Use

Security Identity & Compliance

Securely run your business with the most flexible and secure cloud computing environment available. Benefit from AWS data centers and a network architected to protect your information, applications, and devices. Meet core security requirements, such as data locality, protection, and confidentiality with our comprehensive services and features.

Recent questions

see all
1/18

Debug AWS_IO_FILE_VALIDATION_FAILURE while trying to connect to aws IoT whith custom client certificate

I failed to run the sample code for [basic_connect](https://github.com/aws/aws-iot-device-sdk-cpp-v2/tree/main/samples/mqtt/basic_connect). While running it with the following argument: `basic_connect.exe --client_id "ME" --endpoint "*-ats.iot.eu-west-1.amazonaws.com" --cert "<>/MyCertificate.crt" --key "<>/MyPrivate.key" --verbosity "Debug"` i receive the following output: ``` [DEBUG] [2022-09-29T13:02:54Z] [00001648] [mqtt-client] - client=*: Initalizing MQTT client [DEBUG] [2022-09-29T13:02:56Z] [00001648] [tls-handler] - static: This library was built with Windows 8.1 or later, probing OS to see what we're actually running on. [DEBUG] [2022-09-29T13:02:56Z] [00001648] [tls-handler] - static: We're running on Windows 8.1 or later. ALPN is available. [DEBUG] [2022-09-29T13:02:56Z] [00001648] [tls-handler] - static: This library was built with Windows 8.1 or later, probing OS to see what we're actually running on. [DEBUG] [2022-09-29T13:02:56Z] [00001648] [tls-handler] - static: We're running on Windows 8.1 or later. ALPN is available. [DEBUG] [2022-09-29T13:02:56Z] [00001648] [tls-handler] - static: certificate and key have been set, setting them up now. [INFO] [2022-09-29T13:02:56Z] [00001648] [pki-utils] - static: loading certificate chain with 1 certificates. [ERROR] [2022-09-29T13:03:04Z] [00001648] [pki-utils] - static: no acceptable private key found, error AWS_IO_FILE_VALIDATION_FAILURE [ERROR] [2022-09-29T13:03:04Z] [00001648] [tls-handler] - static: failed to import certificate and private key with error 1038. Client Configuration initialization failed with error aws-c-io: AWS_IO_FILE_VALIDATION_FAILURE, A file was read and the input did not match the expected value ``` I have been trying to follow this AWS_IO_FILE_VALIDATION_FAILURE, and i endup with the following callstack: ``` basic-connect.exe!aws_import_key_pair_to_cert_context(aws_allocator * alloc, const aws_byte_cursor * public_cert_chain, const aws_byte_cursor * private_key, bool is_client_mode, void * * store, const _CERT_CONTEXT * * certs, unsigned __int64 * crypto_provider, unsigned __int64 * private_key_handle) Line 691 C basic-connect.exe!s_ctx_new(aws_allocator * alloc, const aws_tls_ctx_options * options, bool is_client_mode) Line 2010 C basic-connect.exe!aws_tls_client_ctx_new(aws_allocator * alloc, const aws_tls_ctx_options * options) Line 2044 C basic-connect.exe!Aws::Crt::Io::TlsContext::TlsContext(Aws::Crt::Io::TlsContextOptions & options, Aws::Crt::Io::TlsMode mode, aws_allocator * allocator) Line 423 C++ basic-connect.exe!Aws::Iot::MqttClientConnectionConfigBuilder::Build() Line 493 C++ basic-connect.exe!Utils::CommandLineUtils::GetClientConnectionForMQTTConnection(Aws::Iot::MqttClient * client, Aws::Iot::MqttClientConnectionConfigBuilder * clientConfigBuilder) Line 542 C++ basic-connect.exe!Utils::CommandLineUtils::BuildDirectMQTTConnection(Aws::Iot::MqttClient * client) Line 459 C++ basic-connect.exe!main(int argc, char * * argv) Line 41 C++ [External Code] ``` None of the call to `CryptDecodeObjectEx` will succeed in the function `aws_import_key_pair_to_cert_context`. It sounds like there is a problem with my private key which i generated as follow: `openssl req -newkey rsa:4096 -sha256 -nodes -keyout MyPrivate.key -out MyRequest.csr -config MyConfig.cnf` I am not sure to understand what this function is meant to do and what is wrong with my key. I am using win10 with msbuild (tryied in python as well).
2
answers
0
votes
19
views
asked 21 hours ago

DMSStack-DMSRole-xxxx/dms-session-for-replication-engine is not authorized to perform: secretsmanager:GetSecretValue

I'm trying to test endpoint connection from DMS Replication Instance, DMS (3.4.7) RI instance (running in Acnt A) is attempting to get a secret from SecretsManager (running in Acnt B) using VPC Interface endpoint, but errors out with the following. Test Endpoint failed: Application-Status: 1020912, Application-Message: Failed to retrieve secret. Unable to find Secrets Manager secret, Application-Detailed-Message: Unable to find AWS Secrets Manager secret Arn 'arn:aws:secretsmanager:us-east-1:acntBbbbbb:secret:/dmsdemo/aaaaa-<erandomStrng>' The secrets_manager get secret value failed: User: arn:aws:sts::acntAaaaa:assumed-role/DMSStack-DMSRole-zzzzzzz/dms-session-for-replication-engine is not authorized to perform: secretsmanager:GetSecretValue on resource: arn:aws:secretsmanager:us-east-1:acntBbbbbb:secret:/aaaaa-<randomStrng> because no session policy allows the secretsmanager:GetSecretValue action Not retriable error: <AccessDeniedException> User: arn:aws:sts::acntAaaaa:assumed-role/DMSStack-DMSRole-zzzzzzz/dms-session-for-replication-engine is not authorized to perform: secretsmanager:GetSecretValue on resource: arn:aws:secretsmanager:us-east-1:acntBbbbbb:secret:/dmsdemo/aaaaa-<randomStrng>' because no session policy allows the secrets DMSRole { "Version": "2012-10-17", "Statement": [ { "Action": [ "secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret" ], "Resource": "arn:aws:secretsmanager:us-east-1:acntAaaaa:secret:/dmsdemo/aaaaa-<randomStrng>", "Effect": "Allow" }, { "Action": "kms:Decrypt", "Resource": "arn:aws:kms:us-east-1:acnt:key/ddddddddddd", "Effect": "Allow" } ] } Resource Policy on Secret { "Version" : "2012-10-17", "Statement" : [ { "Effect" : "Allow", "Principal" : { "AWS" : [ "arn:aws:iam::acntAaaaaa:root", "arn:aws:iam::acntBbbbbbb:root" ] }, "Action" : [ "secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret" ], "Resource" : "*" } ] } Any thoughts on what was missing in permissions that is restricting the access to secret
0
answers
0
votes
7
views
asked 2 days ago

DescribeFrameworkByUUID permission missing on service-linked role AWSServiceRoleForBackupReports

This is causing CloudTrail to log many access denied attempts, triggering an alarm: ```json { "eventVersion": "1.08", "userIdentity": { "type": "AssumedRole", "principalId": "xxxxxxxxxxxxxxxxxxx:StorageDescribeFrameworkUUID", "arn": "arn:aws:sts::xxxxxxxxxxxxxxxxxxx:assumed-role/AWSServiceRoleForBackupReports/StorageDescribeFrameworkUUID", "accountId": "xxxxxxxxxxxxxxxxxxx", "accessKeyId": "xxxxxxxxxxxxxxxxxxx", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "xxxxxxxxxxxxxxxxxxx", "arn": "arn:aws:iam::xxxxxxxxxxxxxxxxxxx:role/aws-service-role/reports.backup.amazonaws.com/AWSServiceRoleForBackupReports", "accountId": "xxxxxxxxxxxxxxxxxxx", "userName": "AWSServiceRoleForBackupReports" }, "webIdFederationData": {}, "attributes": { "creationDate": "2022-09-28T08:56:37Z", "mfaAuthenticated": "false" } }, "invokedBy": "reports.backup.amazonaws.com" }, "eventTime": "2022-09-28T08:56:37Z", "eventSource": "backup.amazonaws.com", "eventName": "DescribeFrameworkByUUID", "awsRegion": "ca-central-1", "sourceIPAddress": "reports.backup.amazonaws.com", "userAgent": "reports.backup.amazonaws.com", "errorCode": "AccessDenied", "requestParameters": null, "responseElements": null, "requestID": "xxxxxxxxxxxxxxxxxxx", "eventID": xxxxxxxxxxxxxxxxxxx", "readOnly": true, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "xxxxxxxxxxxxxxxxxxx", "eventCategory": "Management" } ``` It is impossible to delete the role: ``` Errors during deleting roles. Role AWSServiceRoleForBackupReports not deleted. There are resources that rely on this role. ``` And it is not possible to add custom permissions to the service-linked role. It does not seem to be possible to configure a custom role for the backup reports either. What can I do ?
0
answers
0
votes
16
views
asked 2 days ago

Popular users

see all
1/18

Learn AWS faster by following popular topics

1/1