kubernetes-sigs / aws-iam-authenticator

A tool to use AWS IAM credentials to authenticate to a Kubernetes cluster
Apache License 2.0

Receiving 403 error on call to STS #130

Closed wbauern closed 6 years ago

wbauern commented 6 years ago

I have successfully installed the authenticator in one of our clusters. Following the same steps I installed it in another cluster but I can't seem to get it to work correctly. For every auth attempt I am receiving the following error message in the authenticator pod logs:

{"log":"time=\"2018-08-08T16:41:30Z\" level=warning msg=\"access denied\" client=\"127.0.0.1:27688\" error=\"sts getCallerIdentity failed: error from AWS (expected 200, got 403)\" method=POST path=/authenticate\n","stream":"stderr","time":"2018-08-08T16:41:30.131521462Z"}

I'm able to successfully generate a token from the cli and when I run verify on it everything looks correct.

I've tried hitting the STS URL contained in the token directly but I get a SignatureDoesNotMatch error back. I don't think this is a valid test though since I get the same error when I try this with a token from my working cluster.

Any tips on how to debug this type of problem?

Thanks, Bill

wbauern commented 6 years ago

Ended up figuring out the issue.

ursuad commented 6 years ago

@wbauern Do you know what the issue was? I'm facing the exact problem, and I can't seem to figure out what I'm doing wrong.

ursuad commented 6 years ago

Ok, I figured what the issue was, I was using the wrong ClusterID in the configmap. Leaving this here, just in case someone else has the same problem.

fred-vogt commented 4 years ago

If anyone winds up here.

The value used for clusterID must be the same when a token is created / verified. The clusterID is used as the value for a custom header x-k8s-aws-id for AWS v4 request signing.

The server logs in v0.5+ now show the AWS error message:

error="sts getCallerIdentity failed: error from AWS (expected 200, got 403)
Body: {
  "Error": {
    "Code": "SignatureDoesNotMatch",
    "Message": "
      The request signature we calculated does not match the signature you provided. 
      Check your AWS Secret Access Key and signing method. 
      Consult the service documentation for details.",
    "Type": "Sender"},
  "RequestId": "<guid>"
}
method=POST

You can verify this using the authenticator CLI:

export CLUSTER_ID=...

aws-iam-authenticator verify -i "$CLUSTER_ID" -t \
  $(AWS_PROFILE=... aws-iam-authenticator token -i "$CLUSTER_ID" | jq -r '.status.token')
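
The mechanism described above, worked through as an added example (this is not code from the aws-iam-authenticator project): the client presigns an STS GetCallerIdentity request with x-k8s-aws-id in the signed headers, and the authenticator server later replays that URL sending the header with its own configured clusterID. STS recomputes the signature over the header it actually receives, so any clusterID mismatch produces SignatureDoesNotMatch. The STS-side check is emulated locally, the credentials are constructed and non-functional, and the `k8s-aws-v1.` base64url token wrapper follows the project's format; the helper names are this example's own.

```python
import base64
import datetime
import hashlib
import hmac
import urllib.parse

# Constructed, non-functional credentials for the local demonstration only.
ACCESS_KEY = "AKIAEXAMPLE000000000"
SECRET_KEY = "example-secret-key-for-local-sigv4-demo-only"
REGION = "us-east-1"
HOST = "sts.amazonaws.com"
SIGNED_HEADERS = "host;x-k8s-aws-id"
TOKEN_PREFIX = "k8s-aws-v1."


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(secret: str, date: str) -> bytes:
    # SigV4 key derivation: date -> region -> service -> aws4_request
    k = _hmac(("AWS4" + secret).encode(), date)
    k = _hmac(k, REGION)
    k = _hmac(k, "sts")
    return _hmac(k, "aws4_request")


def _signature(cluster_id: str, access_key: str, secret_key: str, amz_date: str):
    """Return (canonical_query, signature) for a presigned GetCallerIdentity GET."""
    date = amz_date[:8]
    scope = f"{date}/{REGION}/sts/aws4_request"
    params = {
        "Action": "GetCallerIdentity",
        "Version": "2011-06-15",
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": "60",
        "X-Amz-SignedHeaders": SIGNED_HEADERS,
    }
    canonical_query = "&".join(
        f"{urllib.parse.quote(k, safe='')}={urllib.parse.quote(v, safe='')}"
        for k, v in sorted(params.items()))
    # The clusterID enters the signature here, as the x-k8s-aws-id header value.
    canonical_headers = f"host:{HOST}\nx-k8s-aws-id:{cluster_id}\n"
    canonical_request = "\n".join([
        "GET", "/", canonical_query, canonical_headers, SIGNED_HEADERS,
        hashlib.sha256(b"").hexdigest()])  # hash of the empty body
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest()])
    sig = hmac.new(_signing_key(secret_key, date), string_to_sign.encode(),
                   hashlib.sha256).hexdigest()
    return canonical_query, sig


def make_token(cluster_id: str, when: datetime.datetime = None,
               access_key: str = ACCESS_KEY, secret_key: str = SECRET_KEY) -> str:
    """Client side: presign GetCallerIdentity under clusterID and wrap it as a token."""
    when = when or datetime.datetime.now(datetime.timezone.utc)
    query, sig = _signature(cluster_id, access_key, secret_key,
                            when.strftime("%Y%m%dT%H%M%SZ"))
    url = f"https://{HOST}/?{query}&X-Amz-Signature={sig}"
    return TOKEN_PREFIX + base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")


def token_url(token: str) -> str:
    """Decode the presigned URL carried inside a k8s-aws-v1 token."""
    if not token.startswith(TOKEN_PREFIX):
        raise ValueError("not a k8s-aws-v1 token")
    body = token[len(TOKEN_PREFIX):]
    return base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)).decode()


def sts_accepts(token: str, server_cluster_id: str, secret_key: str = SECRET_KEY) -> bool:
    """Emulated STS check: the authenticator server forwards the presigned URL with
    x-k8s-aws-id set to ITS configured clusterID; STS recomputes the signature over
    that header value and compares it in constant time with the one in the URL."""
    q = urllib.parse.parse_qs(urllib.parse.urlparse(token_url(token)).query)
    access_key = q["X-Amz-Credential"][0].split("/")[0]
    _, expected = _signature(server_cluster_id, access_key, secret_key, q["X-Amz-Date"][0])
    return hmac.compare_digest(expected, q["X-Amz-Signature"][0])


if __name__ == "__main__":
    tok = make_token("prod-cluster")
    print("server clusterID matches   ->", sts_accepts(tok, "prod-cluster"))
    print("server clusterID differs   ->", sts_accepts(tok, "staging-cluster"))
```

The second call is the situation in this issue: the token itself verifies fine with the CLI when the same `-i` value is used on both sides, but the server, configured with a different clusterID, sends a different x-k8s-aws-id header and STS answers 403 SignatureDoesNotMatch. Note that STS also enforces X-Amz-Expires, which this local emulation does not model.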

saffyA commented 8 months ago

This saved my life. Thank you!