Open rpatrick00 opened 3 years ago
Hi @rpatrick00,
Good afternoon.
At first glance this appears to be an IAM policy issue.
Could you please try using the -ProfileName argument to see if it works. For example,
Get-EC2Instance -ProfileName ode-gov-engineer
Also try checking the information provided at Troubleshooting IAM Assume Role Errors and see if setting up the Trust policy helps.
Thanks, Ashish
Will do. If it wasn’t clear, please note that the same credentials/profile works fine with the AWS CLI on the same machine/user so I am somewhat skeptical this has anything to do with the policy.
Hi @ashishdhingra,
So I read the troubleshooting article and am convinced that the policy is correct. When I log into the AWS Console and Switch Roles into the role, it works. As I showed before, the python-based AWS CLI is also working. Just for reference, the policy associated with my IAM user in the master account is:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Resource": [
        "arn:aws-us-gov:iam::XXXXXXXXXXXX:role/Sandbox_Administrator"
      ],
      "Effect": "Allow",
      "Sid": "OdysseyDev"
    }
  ]
}
My ~\.aws\config file looks like this:
[default]
region = us-east-1
[govcloud]
region = us-gov-west-1
[profile ody-gov-engineer]
role_arn = arn:aws-us-gov:iam::XXXXXXXXXXXX:role/Sandbox_Administrator
source_profile = govcloud
region = us-gov-west-1
and my ~\.aws\credentials file looks like this:
[default]
aws_access_key_id = <redacted>
aws_secret_access_key = <redacted>
[govcloud]
aws_access_key_id = <redacted>
aws_secret_access_key = <redacted>
I created an EC2 instance with the console just to show that the AWS CLI is working and the AWS Powershell API is not. Adding the -ProfileName to Get-EC2Instance did not change the error.
PS C:\> aws ec2 describe-instances --profile ody-gov-engineer
{
  "Reservations": [
    {
      "Groups": [],
      "Instances": [
        {
          "AmiLaunchIndex": 0,
          "ImageId": "ami-5f58733e",
          "InstanceId": "i-064ee401d59a5c936",
          "InstanceType": "t3a.large",
          "KeyName": "snaplex-devops-key",
          "LaunchTime": "2020-08-05T17:27:03+00:00",
          "Monitoring": {
            "State": "disabled"
          },
          "Placement": {
            "AvailabilityZone": "us-gov-west-1a",
            "GroupName": "",
            "Tenancy": "default"
          },
          "PrivateDnsName": "ip-172-31-38-85.us-gov-west-1.compute.internal",
          "PrivateIpAddress": "172.31.38.85",
          "ProductCodes": [
            {
              "ProductCodeId": "39xl0mwguh2jvvy43omu43m66",
              "ProductCodeType": "marketplace"
            }
          ],
          "PublicDnsName": "ec2-###-###-###-###.us-gov-west-1.compute.amazonaws.com",
          "PublicIpAddress": "###.###.###.###",
          "State": {
            "Code": 16,
            "Name": "running"
          },
          "StateTransitionReason": "",
          "SubnetId": "subnet-344f8e7d",
          "VpcId": "vpc-2730d740",
          "Architecture": "x86_64",
          "BlockDeviceMappings": [
            {
              "DeviceName": "/dev/xvda",
              "Ebs": {
                "AttachTime": "2020-08-05T17:27:04+00:00",
                "DeleteOnTermination": true,
                "Status": "attached",
                "VolumeId": "vol-0fa5dbc2ed2cfd63e"
              }
            }
          ],
          "ClientToken": "##################",
          "EbsOptimized": true,
          "EnaSupport": true,
          "Hypervisor": "xen",
          "NetworkInterfaces": [
            {
              "Association": {
                "IpOwnerId": "amazon",
                "PublicDnsName": "ec2-###-###-###-###.us-gov-west-1.compute.amazonaws.com",
                "PublicIp": "###.###.###.###"
              },
              "Attachment": {
                "AttachTime": "2020-08-05T17:27:03+00:00",
                "AttachmentId": "eni-attach-0f358c95713644f71",
                "DeleteOnTermination": true,
                "DeviceIndex": 0,
                "Status": "attached"
              },
              "Description": "Primary network interface",
              "Groups": [
                {
                  "GroupName": "snaplex-security-group",
                  "GroupId": "sg-0ca05c3e52f022675"
                }
              ],
              "Ipv6Addresses": [],
              "MacAddress": "06:8e:1c:05:fb:38",
              "NetworkInterfaceId": "eni-0eaa0e71b19e7271f",
              "OwnerId": "############",
              "PrivateDnsName": "ip-172-31-38-85.us-gov-west-1.compute.internal",
              "PrivateIpAddress": "172.31.38.85",
              "PrivateIpAddresses": [
                {
                  "Association": {
                    "IpOwnerId": "amazon",
                    "PublicDnsName": "ec2-###-###-###-###.us-gov-west-1.compute.amazonaws.com",
                    "PublicIp": "###.###.###.###"
                  },
                  "Primary": true,
                  "PrivateDnsName": "ip-172-31-38-85.us-gov-west-1.compute.internal",
                  "PrivateIpAddress": "172.31.38.85"
                }
              ],
              "SourceDestCheck": true,
              "Status": "in-use",
              "SubnetId": "subnet-344f8e7d",
              "VpcId": "vpc-2730d740",
              "InterfaceType": "interface"
            }
          ],
          "RootDeviceName": "/dev/xvda",
          "RootDeviceType": "ebs",
          "SecurityGroups": [
            {
              "GroupName": "snaplex-security-group",
              "GroupId": "sg-0ca05c3e52f022675"
            }
          ],
          "SourceDestCheck": true,
          "Tags": [
            {
              "Key": "Name",
              "Value": "Snaplex1"
            }
          ],
          "VirtualizationType": "hvm",
          "CpuOptions": {
            "CoreCount": 1,
            "ThreadsPerCore": 2
          },
          "CapacityReservationSpecification": {
            "CapacityReservationPreference": "open"
          },
          "HibernationOptions": {
            "Configured": false
          },
          "MetadataOptions": {
            "State": "applied",
            "HttpTokens": "optional",
            "HttpPutResponseHopLimit": 1,
            "HttpEndpoint": "enabled"
          }
        }
      ],
      "OwnerId": "XXXXXXXXXXXX",
      "ReservationId": "r-054f74e1e9a6d9adc"
    }
  ]
}
PS C:\> Get-AWSCredential -ListProfileDetail
ProfileName StoreTypeName ProfileLocation
----------- ------------- ---------------
default SharedCredentialsFile C:\Users\robert.h.patrick\.aws\credentials
govcloud SharedCredentialsFile C:\Users\robert.h.patrick\.aws\credentials
ody-gov-engineer SharedCredentialsFile C:\Users\robert.h.patrick\.aws\credentials
PS C:\> Set-AWSCredential -ProfileName ody-gov-engineer
PS C:\> get-EC2Instance -ProfileName ody-gov-engineer
get-EC2Instance : Error calling AssumeRole for role arn:aws-us-gov:iam::XXXXXXXXXXXX:role/Sandbox_Administrator
At line:1 char:1
+ get-EC2Instance -ProfileName ody-gov-engineer
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (Amazon.PowerShe...2InstanceCmdlet:GetEC2InstanceCmdlet) [Get-EC2Instance], InvalidOperationException
+ FullyQualifiedErrorId : Amazon.Runtime.AmazonClientException,Amazon.PowerShell.Cmdlets.EC2.GetEC2InstanceCmdlet
PS C:\>
Other Powershell commands are failing with the same AssumeRole error while all AWS CLI commands are working in the same Powershell session.
@ashishdhingra
In experimenting with the Use-STSRole cmdlet using the profile, I cannot point at the ody-gov-cloud profile and get it to work. I get the same AssumeRole error.
PS C:\> Use-STSRole -ProfileName ody-gov-engineer -RoleSessionName "OdysseyDev"
Use-STSRole : Error calling AssumeRole for role arn:aws-us-gov:iam::XXXXXXXXXXXX:role/Sandbox_Administrator
At line:1 char:1
+ Use-STSRole -ProfileName ody-gov-engineer -RoleSessionName "OdysseyDe ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (Amazon.PowerShe...seSTSRoleCmdlet:UseSTSRoleCmdlet) [Use-STSRole], InvalidOperationException
+ FullyQualifiedErrorId : Amazon.Runtime.AmazonClientException,Amazon.PowerShell.Cmdlets.STS.UseSTSRoleCmdlet
PS C:\> Use-STSRole -ProfileName ody-gov-engineer -RoleSessionName "OdysseyDev" -Region us-gov-west-1
Use-STSRole : Error calling AssumeRole for role arn:aws-us-gov:iam::XXXXXXXXXXXX:role/Sandbox_Administrator
At line:1 char:1
+ Use-STSRole -ProfileName ody-gov-engineer -RoleSessionName "OdysseyDe ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (Amazon.PowerShe...seSTSRoleCmdlet:UseSTSRoleCmdlet) [Use-STSRole], InvalidOperationException
+ FullyQualifiedErrorId : Amazon.Runtime.AmazonClientException,Amazon.PowerShell.Cmdlets.STS.UseSTSRoleCmdlet
PS C:\> Use-STSRole -ProfileName ody-gov-engineer -RoleSessionName "OdysseyDev" -Region us-gov-west-1 -RoleArn "arn:aws-us-gov:iam::XXXXXXXXXXXX:role/Sandbox_Administrator"
Use-STSRole : Error calling AssumeRole for role arn:aws-us-gov:iam::XXXXXXXXXXXX:role/Sandbox_Administrator
At line:1 char:1
+ Use-STSRole -ProfileName ody-gov-engineer -RoleSessionName "OdysseyDe ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (Amazon.PowerShe...seSTSRoleCmdlet:UseSTSRoleCmdlet) [Use-STSRole], InvalidOperationException
+ FullyQualifiedErrorId : Amazon.Runtime.AmazonClientException,Amazon.PowerShell.Cmdlets.STS.UseSTSRoleCmdlet
PS C:\>
However, as soon as I point at the profile with only my credentials and pass the RoleArn and Region using command-line arguments, it seems to be happy.
PS C:\> Use-STSRole -ProfileName govcloud -RoleSessionName "OdysseyDev" -Region us-gov-west-1 -RoleArn "arn:aws-us-gov:iam::XXXXXXXXXXXX:role/Sandbox_Administrator"
AssumedRoleUser Credentials PackedPolicySize
--------------- ----------- ----------------
Amazon.SecurityToken.Model.AssumedRoleUser Amazon.SecurityToken.Model.Credentials 0
PS C:\>
Unfortunately, when I try to use the credentials, requests to AWS are still failing:
PS C:\> Use-STSRole -ProfileName govcloud -RoleSessionName "OdysseyDev" -Region us-gov-west-1 -RoleArn "arn:aws-us-gov:iam::XXXXXXXXXXXX:role/Sandbox_Administrator"
AssumedRoleUser Credentials PackedPolicySize
--------------- ----------- ----------------
Amazon.SecurityToken.Model.AssumedRoleUser Amazon.SecurityToken.Model.Credentials 0
PS C:\> Get-EC2Instance
Get-EC2Instance : Error calling AssumeRole for role arn:aws-us-gov:iam::XXXXXXXXXXXX:role/Sandbox_Administrator
At line:1 char:1
+ Get-EC2Instance
+ ~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (Amazon.PowerShe...2InstanceCmdlet:GetEC2InstanceCmdlet) [Get-EC2Instance], InvalidOperationException
+ FullyQualifiedErrorId : Amazon.Runtime.AmazonClientException,Amazon.PowerShell.Cmdlets.EC2.GetEC2InstanceCmdlet
PS C:\> Get-EC2Instance -Credential (Use-STSRole -ProfileName govcloud -RoleSessionName "OdysseyDev" -Region us-gov-west-1 -RoleArn "arn:aws-us-gov:iam::XXXXXXXXXXXX:role/Sandbox_Administrator")
Get-EC2Instance : Cannot bind parameter 'Credential'. Cannot convert the "Amazon.SecurityToken.Model.AssumeRoleResponse" value of type "Amazon.SecurityToken.Model.AssumeRoleResponse" to type "Amazon.Runtime.AWSCredentials".
At line:1 char:29
+ ... -Credential (Use-STSRole -ProfileName govcloud -RoleSessionName "Ody ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Get-EC2Instance], ParameterBindingException
+ FullyQualifiedErrorId : CannotConvertArgumentNoMessage,Amazon.PowerShell.Cmdlets.EC2.GetEC2InstanceCmdlet
PS C:\> Get-EC2Instance -Credential (Use-STSRole -ProfileName govcloud -RoleSessionName "OdysseyDev" -Region us-gov-west-1 -RoleArn "arn:aws-us-gov:iam::XXXXXXXXXXXX:role/Sandbox_Administrator").Credentials
Get-EC2Instance : AWS was not able to validate the provided access credentials
At line:1 char:1
+ Get-EC2Instance -Credential (Use-STSRole -ProfileName govcloud -Role ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (Amazon.PowerShe...2InstanceCmdlet:GetEC2InstanceCmdlet) [Get-EC2Instance], InvalidOperationException
+ FullyQualifiedErrorId : Amazon.EC2.AmazonEC2Exception,Amazon.PowerShell.Cmdlets.EC2.GetEC2InstanceCmdlet
PS C:\>
Hopefully this helps to narrow down where the problem might be.
Hi @rpatrick00,
Thanks for the detailed information. I have marked this as a bug (label). I will coordinate with a developer to have a look at it and advise if something is missing, and keep you posted on the updates.
Thanks, Ashish
We have noticed this issue has not received attention in 1 year. We will close this issue for now. If you think this is in error, please feel free to comment and reopen the issue.
@ashishdhingra Facing the same issue: default profile, when I pass --profile argument as well
> Get-S3Bucket -BucketName le-bucket
Get-S3Bucket: Error calling AssumeRole for role arn:aws:iam::***:role/***
I tried to supply the cmdlet with the -ProfileName parameter, but without any result. What am I missing?
(reopening, we have a new internal case related to this)
When using a profile configured with assume role credentials in AWS Tools for PowerShell, I suspect that the STS call to assume the role is being sent to either the global or us-east-1 STS endpoint, which is not valid for GovCloud regions.
I'm able to work around this via the third line below, which directs the AssumeRole call directly, but we need to investigate why the PowerShell-specific methods of configuring the region are not being applied to the STS call.
Set-DefaultAWSRegion -Region us-gov-west-1
$env:AWS_STS_REGIONAL_ENDPOINTS = 'regional'
[Amazon.AWSConfigs]::AWSRegion = "us-gov-west-1"
Get-EC2Instance -ProfileName
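The two failure modes seen earlier in this thread, the `-Credential` binding error (Use-STSRole returns an AssumeRoleResponse, not an AWSCredentials object) and the AssumeRole call reaching the wrong STS endpoint, combined into one added PowerShell example. This is not code from the thread or from the AWS Tools for PowerShell project. It assumes the modular AWS.Tools modules are installed (with the monolithic AWSPowerShell module, import that instead), reuses the `govcloud` source profile from the thread, and uses the thread's masked role ARN as a placeholder to be replaced with your own.

```powershell
# Added example, not part of the issue thread or the AWS Tools for PowerShell project.
# Assumes: AWS.Tools modules installed; a 'govcloud' profile holding the IAM user's
# long-lived keys (as in the thread); the role ARN below is a masked placeholder.
Import-Module AWS.Tools.SecurityToken
Import-Module AWS.Tools.EC2

$Region  = 'us-gov-west-1'
$RoleArn = 'arn:aws-us-gov:iam::XXXXXXXXXXXX:role/Sandbox_Administrator'   # placeholder

# Pin STS to the partition's regional endpoint (the maintainer's workaround above) so the
# AssumeRole call is signed for and sent to GovCloud rather than a global/commercial endpoint.
$env:AWS_STS_REGIONAL_ENDPOINTS = 'regional'
Set-DefaultAWSRegion -Region $Region
[Amazon.AWSConfigs]::AWSRegion = $Region

# Assume the role from the source-credential profile with an explicit region, then take
# only the Credentials member out of the AssumeRoleResponse. The session name carries the
# caller's username so the assumed-role session is attributable in CloudTrail.
$response = Use-STSRole -ProfileName govcloud -RoleArn $RoleArn `
    -RoleSessionName "OdysseyDev-$env:USERNAME" -DurationInSeconds 3600 -Region $Region
$c = $response.Credentials

# -Credential expects Amazon.Runtime.AWSCredentials; wrap the temporary keys and session
# token in a SessionAWSCredentials instead of passing the STS model object directly.
$sessionCreds = New-Object -TypeName Amazon.Runtime.SessionAWSCredentials `
    -ArgumentList $c.AccessKeyId, $c.SecretAccessKey, $c.SessionToken

# Confirm which principal the session actually represents before using it for anything.
$who = Get-STSCallerIdentity -Credential $sessionCreds -Region $Region
if ($who.Arn -notlike '*:assumed-role/Sandbox_Administrator/*') {
    throw "Unexpected caller identity: $($who.Arn)"
}
Write-Host "Session for $($who.Arn) expires at $($c.Expiration.ToUniversalTime().ToString('u'))"

# Every call that uses the session passes -Region explicitly, so nothing falls back to a
# default region outside the GovCloud partition.
Get-EC2Instance -Credential $sessionCreds -Region $Region |
    Select-Object -ExpandProperty Instances |
    Select-Object InstanceId, InstanceType, State
```

The caller-identity check is the part worth keeping even once the profile-based path is fixed: it fails closed if the session is not the role you expected, and the printed expiry tells you when the temporary keys stop working rather than leaving you to guess from a later "unable to validate credentials" error.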
Please use the below cmdlet. We had the same issue and after using this cmdlet we are able to run the script without any issue. Initialize-AWSDefaults -ProfileName
Since my company uses subaccounts, I have set up the required profiles and credentials in my %USERPROFILE%\.aws directory. These are working fine with the aws cli commands:
Unfortunately, the PowerShell commands are failing with an error: