aws / aws-sdk

Landing page for the AWS SDKs on GitHub
https://aws.amazon.com/tools/

AuthorizerConfigurationException when calling GetLandingZone operation #658

Closed jusdino closed 6 months ago

jusdino commented 7 months ago

Describe the bug

There seems to be something wrong with either the ControlTower CLI or API when using the GetLandingZone operation, as the CLI raises an AuthorizerConfigurationException for a simple query. I tried using both AWS SSO and an old-fashioned IAM user just to see if it was specific to the authentication path. I didn't include it in the reproduction steps, but I tried this on two separate AWS management accounts / landing zones with the same result.

Expected Behavior

To return the landing zone details as demonstrated in the CLI documentation.

Current Behavior

The CLI returns an exception when I try to use aws controltower get-landing-zone.

Reproduction Steps

$ aws configure sso
SSO session name (Recommended): aws-justin
Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:

https://device.sso.us-east-1.amazonaws.com/

Then enter the code:

ABCD-EFGH
There are 4 AWS accounts available to you.
Using the account ID 012345678901
There are 5 roles available to you.
Using the role name "AWSAdministratorAccess"
CLI default client Region [None]: us-east-1
CLI default output format [None]:
CLI profile name [AWSAdministratorAccess-012345678901]: aws-justin-management-admin

To use this profile, specify the profile name using --profile, as shown:

aws s3 ls --profile aws-justin-management-admin
$ export AWS_PROFILE=aws-justin-management-admin
$ aws sts get-caller-identity
{
    "UserId": "AR0AFOOFOOFOOFOOFOOFO:justin",
    "Account": "012345678901",
    "Arn": "arn:aws:sts::012345678901:assumed-role/AWSReservedSSO_AWSAdministratorAccess_foofoofoofoofoof/justin"
}
$ aws controltower list-landing-zones
{
    "landingZones": [
        {
            "arn": "arn:aws:controltower:us-east-1:012345678901:landingzone/ABCDEFGHIJKLMNOP"
        }
    ]
}
$ aws controltower get-landing-zone --landing-zone-id 'ABCDEFGHIJKLMNOP'

An error occurred (AuthorizerConfigurationException) when calling the GetLandingZone operation (reached max retries: 2): None
$ aws controltower get-landing-zone --landing-zone-id 'arn:aws:controltower:us-east-1:012345678901:landingzone/ABCDEFGHIJKLMNOP'

An error occurred (InternalServerException) when calling the GetLandingZone operation (reached max retries: 2):
$ unset AWS_PROFILE
$ export AWS_DEFAULT_REGION=us-east-1
$ export AWS_ACCESS_KEY_ID=AKIAFOOFOOFOOFOOFOOF
$ export AWS_SECRET_ACCESS_KEY=afoofoofoo
$ aws sts get-caller-identity
{
    "UserId": "AIDAFOOFOOFOOFOOFOOFO",
    "Account": "012345678901",
    "Arn": "arn:aws:iam::012345678901:user/delete-me"
}
$ aws controltower list-landing-zones
{
    "landingZones": [
        {
            "arn": "arn:aws:controltower:us-east-1:012345678901:landingzone/ABCDEFGHIJKLMNOP"
        }
    ]
}
$ aws controltower get-landing-zone --landing-zone-id 'ABCDEFGHIJKLMNOP'

An error occurred (AuthorizerConfigurationException) when calling the GetLandingZone operation (reached max retries: 2): None
$ aws controltower get-landing-zone --landing-zone-id 'arn:aws:controltower:us-east-1:012345678901:landingzone/ABCDEFGHIJKLMNOP'

An error occurred (InternalServerException) when calling the GetLandingZone operation (reached max retries: 2):

Possible Solution

No response

Additional Information/Context

No response

CLI version used

aws-cli/2.14.2 Python/3.11.6 Linux/6.2.0-36-generic exe/x86_64.ubuntu.22 prompt/off

Environment details (OS name and version, etc.)

Ubuntu 22.04.3 LTS

RyanFitzSimmonsAK commented 7 months ago

Hi @jusdino, thanks for reaching out. There are actually two issues going on here.

An error occurred (InternalServerException)... has already had a fix deployed, and might already be functional depending on what region you're using.

An error occurred (AuthorizerConfigurationException)... is caused by providing an identifier rather than an ARN as the --landing-zone-id, and the issue is that it's not throwing the correct error. The service team is aware of this behavior.

I'll post an update here when I have more information to share. In the meantime, as this is a service team issue, I'm going to move it to our cross-SDK repository.

Ticket #s for internal reference: V1132415995, V1136701386

jusdino commented 7 months ago

Awesome! I just verified that I can indeed use the GetLandingZone operation with the full landing zone ARN now.

RyanFitzSimmonsAK commented 7 months ago

An error occurred (InternalServerException)... should be resolved in all regions at this point.

RyanFitzSimmonsAK commented 6 months ago

GetLandingZone has been fixed to accept either ARNs (arn:aws:controltower:us-east-1:222222333333:landingzone/ABCDEFGHIJK) or landing zone identifiers (ABCDEFGHIJK). Closing this issue.
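
Added example, not part of the original thread and not AWS code: a Python helper that resolves a bare landing zone identifier to the full ARN from list-landing-zones output, so a client always sends the ARN form that worked throughout this issue and fails locally with a clear error otherwise. The function names, the regular expression and the sample response are assumptions built from the output shown in the report.

```python
import re

# ARN layout as it appears in this thread's output:
#   arn:aws:controltower:<region>:<account>:landingzone/<id>
# Assumption: the id is alphanumeric and the account is 12 digits.
LZ_ARN = re.compile(
    r"^arn:(?P<partition>aws[a-z-]*):controltower:(?P<region>[a-z0-9-]+):"
    r"(?P<account>\d{12}):landingzone/(?P<lz_id>[A-Za-z0-9]+)$"
)

# Constructed sample, copied from the list-landing-zones output in the report.
SAMPLE_LIST_RESPONSE = {
    "landingZones": [
        {"arn": "arn:aws:controltower:us-east-1:012345678901:landingzone/ABCDEFGHIJKLMNOP"}
    ]
}


def parse_landing_zone_arn(value):
    """Return the ARN fields as a dict, or None if value is not a landing zone ARN."""
    match = LZ_ARN.match(value)
    return match.groupdict() if match else None


def resolve_landing_zone_arn(id_or_arn, list_response):
    """Return the full ARN for a bare identifier or an ARN, checked against the listing."""
    known = [lz["arn"] for lz in list_response.get("landingZones", [])]
    if id_or_arn.startswith("arn:"):
        if parse_landing_zone_arn(id_or_arn) is None:
            raise ValueError(f"not a Control Tower landing zone ARN: {id_or_arn!r}")
        if id_or_arn not in known:
            raise LookupError(f"ARN not returned by list-landing-zones: {id_or_arn!r}")
        return id_or_arn
    matches = []
    for arn in known:
        fields = parse_landing_zone_arn(arn)
        if fields and fields["lz_id"] == id_or_arn:
            matches.append(arn)
    if len(matches) != 1:
        raise LookupError(f"{len(matches)} landing zones match identifier {id_or_arn!r}")
    return matches[0]


if __name__ == "__main__":
    # With boto3 (assumed installed and configured) the result would be passed as
    # client.get_landing_zone(landingZoneIdentifier=arn).
    print(resolve_landing_zone_arn("ABCDEFGHIJKLMNOP", SAMPLE_LIST_RESPONSE))
```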

github-actions[bot] commented 6 months ago

This issue is now closed.

Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue, feel free to do so.