aws / amazon-ssm-agent

An agent to enable remote management of your EC2 instances, on-premises servers, or virtual machines (VMs).
https://aws.amazon.com/systems-manager/
Apache License 2.0

Linux domainjoin fails with "Failed: Cannot find parent directory Id" #461

Open fleetcaptain opened 1 year ago

fleetcaptain commented 1 year ago

This issue may be related to #418.

I'm testing AWS Directory Services and getting the error "Failed: Cannot find parent directory Id" when trying to use the aws-domainjoin plugin in Systems Manager.

The aws_domainjoin.sh script at https://github.com/aws/amazon-ssm-agent/blob/mainline/agent/plugins/domainjoin/domainjoin_unix_script.go has function get_servicecreds() which looks like:

```bash
get_servicecreds() {
    # First try the secret in the instance's own account:
    # aws/directory-services/<directory id>/seamless-domain-join
    SECRET_ID="${SECRET_ID_PREFIX}/$DIRECTORY_ID/seamless-domain-join"
    SECRET_VALUE=$($AWSCLI secretsmanager get-secret-value --secret-id "$SECRET_ID" --region $REGION --query "SecretString" --output text 2>/dev/null)
    if [ $? -ne 0 ]; then
        # Fallback: the directory may be shared from another account, so look up
        # the owner directory and account and read the secret from there.
        PARENT_DIRECTORY_ID=$($AWSCLI ds describe-directories --region $REGION --query "DirectoryDescriptions[?DirectoryId =='$DIRECTORY_ID'].OwnerDirectoryDescription.DirectoryId | [0]" | sed 's/"//g')
        if [ $? -ne 0 ] || [ -z "$PARENT_DIRECTORY_ID" ] || [ "$PARENT_DIRECTORY_ID" = null ]; then
            echo "Failed: Cannot find parent directory Id"
            exit 1
        fi
        PARENT_ACCOUNT_ID=$($AWSCLI ds describe-directories --region $REGION --query "DirectoryDescriptions[?DirectoryId =='$DIRECTORY_ID'].OwnerDirectoryDescription.AccountId | [0]" | sed 's/"//g')
        if [ $? -ne 0 ] || [ -z "$PARENT_ACCOUNT_ID" ] || [ "$PARENT_ACCOUNT_ID" = null ]; then
            echo "Failed: Cannot find parent account Id"
            exit 1
        fi
        # Cross-account ARN of the owner account's seamless-domain-join secret
        SECRET_ID="arn:aws:secretsmanager:${REGION}:${PARENT_ACCOUNT_ID}:secret:aws/directory-services/${PARENT_DIRECTORY_ID}/seamless-domain-join"
        SECRET_VALUE=$($AWSCLI secretsmanager get-secret-value --secret-id "$SECRET_ID" --region $REGION --query 'SecretString' --output text 2>/dev/null)
        if [ $? -ne 0 ] || [ -z "$SECRET_VALUE" ]; then
            echo "***Failed: aws secretsmanager get-secret-value"
            exit 1
        fi
    fi
}
```

If I understand correctly, the "***Failed: Cannot find parent directory Id" message is generated if this AWS CLI command fails: `$AWSCLI ds describe-directories --region $REGION --query "DirectoryDescriptions[?DirectoryId =='$DIRECTORY_ID'].OwnerDirectoryDescription.DirectoryId | [0]" | sed 's/"//g'`

If I run a subset of that command manually: `aws ds describe-directories --region us-east-2` ...the JSON value OwnerDirectoryDescription does not seem to appear in the output. Did describe-directories change the output format recently?

Wondering if I missed something else.
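The secret-resolution order in get_servicecreds() is easier to reason about when the two CLI calls are replaced by in-memory lookups. The block below is an added example, not code from amazon-ssm-agent: it models the same branch logic in Python over constructed data (the directory IDs, account ID and the describe-directories response are made up), so it runs offline. It also reproduces the failure mode in this issue: for a directory the account owns, the describe-directories entry carries no OwnerDirectoryDescription, so any failure of the first get-secret-value call (whose stderr the script discards) surfaces as "Cannot find parent directory Id" rather than as a secret or permission error.

```python
"""Added example (not code from amazon-ssm-agent): a pure-Python model of the
secret-resolution order in get_servicecreds(), run against constructed data."""

SECRET_ID_PREFIX = "aws/directory-services"  # same naming as the shell script


class DomainJoinError(Exception):
    """Carries the message text the shell script prints before exit 1."""


def find_owner(describe_output, directory_id):
    """Mimic the script's JMESPath query
    DirectoryDescriptions[?DirectoryId=='<id>'].OwnerDirectoryDescription | [0]
    Returns the owner dict, or None when the directory is absent or not shared."""
    for d in describe_output.get("DirectoryDescriptions", []):
        if d.get("DirectoryId") == directory_id:
            return d.get("OwnerDirectoryDescription")
    return None


def resolve_secret_id(directory_id, region, describe_output, local_secrets):
    """Return the secret identifier the script would read, or raise DomainJoinError.

    directory_id    -- the directory the instance is joining
    describe_output -- constructed `aws ds describe-directories` response (dict)
    local_secrets   -- set of secret names readable in the instance's own account
    """
    # 1. Same-account lookup: aws/directory-services/<dir>/seamless-domain-join
    secret_id = f"{SECRET_ID_PREFIX}/{directory_id}/seamless-domain-join"
    if secret_id in local_secrets:
        return secret_id

    # 2. Fallback for a directory shared from another account: find the owner.
    owner = find_owner(describe_output, directory_id) or {}
    parent_directory_id = owner.get("DirectoryId")
    if not parent_directory_id:
        raise DomainJoinError("Failed: Cannot find parent directory Id")
    parent_account_id = owner.get("AccountId")
    if not parent_account_id:
        raise DomainJoinError("Failed: Cannot find parent account Id")

    # 3. Build the cross-account ARN exactly as the script does.
    return (f"arn:aws:secretsmanager:{region}:{parent_account_id}:secret:"
            f"{SECRET_ID_PREFIX}/{parent_directory_id}/seamless-domain-join")


# Constructed sample data (placeholder identifiers, not real resources).
REGION = "us-east-2"
OWNED_DIR = "d-0000000001"    # owned by this account: no OwnerDirectoryDescription
SHARED_DIR = "d-0000000002"   # shared from account 111111111111
DESCRIBE_OUTPUT = {
    "DirectoryDescriptions": [
        {"DirectoryId": OWNED_DIR},
        {"DirectoryId": SHARED_DIR,
         "OwnerDirectoryDescription": {"DirectoryId": "d-0000000099",
                                       "AccountId": "111111111111"}},
    ]
}


def demo():
    """Three cases: local secret readable, shared-directory fallback, and the
    misleading error when the local secret is unreadable for an owned directory."""
    results = {}
    results["owned_ok"] = resolve_secret_id(
        OWNED_DIR, REGION, DESCRIBE_OUTPUT,
        {f"{SECRET_ID_PREFIX}/{OWNED_DIR}/seamless-domain-join"})
    results["shared"] = resolve_secret_id(SHARED_DIR, REGION, DESCRIBE_OUTPUT, set())
    try:
        resolve_secret_id(OWNED_DIR, REGION, DESCRIBE_OUTPUT, set())
    except DomainJoinError as e:
        results["owned_no_secret"] = str(e)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Two details of the original shell are worth keeping in mind when reading the error: the first get-secret-value call runs with `2>/dev/null`, so its actual failure reason never reaches the log, and `$?` after a pipeline into sed reports sed's exit status (without `pipefail`), so a failed describe-directories call is caught only by the empty or null check on the parsed value. When the directory is owned by the joining account, the fallback branch cannot succeed, so the thing to verify is that the instance role can read `aws/directory-services/<directory id>/seamless-domain-join` in its own account.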

smhmhmd commented 1 year ago

@fleetcaptain, if you have root access you can go to the corresponding /var/lib directory and run the aws_domainjoin.sh yourself with parameters and paste the error. The parameters can be seen in /var/log/amazon/ssm/amazon.log. I am assuming you have set up Secrets Manager access.

smhmhmd commented 1 year ago

@fleetcaptain

> If I run a subset of that command manually: `aws ds describe-directories --region us-east-2` ...the JSON value OwnerDirectoryDescription does not seem to appear in the output. Did describe-directories change the output format recently

Works for me

```
% aws ds describe-directories --region us-east-2
{
    "DirectoryDescriptions": [
        {
```

fleetcaptain commented 1 year ago

Thanks, I'll try running the script manually and see what happens.

fleetcaptain commented 1 year ago

Running the command manually appears to have resolved my issue. Thank you!