could not validate role and external ID

[vmpowercli]

I was able to install using start.sh script and able to login in to the console. When I tried to add a new aws account I keep getting this error "could not validate role and external ID".

I followed the step by step guide and aws able to create the required Roles and added permissions to it.

api_1  | {"level":"info","time":"2019-02-27T19:54:39.065953885Z","message":"Received request.","data":{"protocol":"HTTP/1.1","method":"OPTIONS","url":"/aws","address":"172.21.0.18:60171","host":"192.168.1.181:8080","userAgent":["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36"],"time":"2019-02-27T19:54:39.06590349Z"},"context":{"requestId":"841a36b1-3ac9-11e9-9fe3-02420a135405"}}
api_1  | {"level":"info","time":"2019-02-27T19:54:39.066105714Z","message":"Produced response to request.","data":{"status":200,"nanoseconds":200834},"context":{"requestId":"841a36b1-3ac9-11e9-9fe3-02420a135405"}}
api_1  | {"level":"info","time":"2019-02-27T19:54:39.117441954Z","message":"Received request.","data":{"protocol":"HTTP/1.1","method":"POST","url":"/aws","address":"172.21.0.18:60171","host":"192.168.1.181:8080","userAgent":["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36"],"time":"2019-02-27T19:54:39.117438397Z"},"context":{"requestId":"8422132c-3ac9-11e9-9fe3-02420a135405"}}
api_1  | AccessDenied: Access denied
api_1  |        status code: 403, request id: 842f4a41-3ac9-11e9-b2fd-3bcf1937e9c5{"level":"info","time":"2019-02-27T19:54:39.233619989Z","message":"Produced response to request.","data":{"status":400,"nanoseconds":116179042},"context":{"requestId":"8422132c-3ac9-11e9-9fe3-02420a135405"}}
api_1  | {"level":"info","time":"2019-02-27T19:54:40.579618289Z","message":"Received request.","data":{"protocol":"HTTP/1.1","method":"POST","url":"/aws","address":"172.21.0.18:60171","host":"192.168.1.181:8080","userAgent":["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36"],"time":"2019-02-27T19:54:40.579615223Z"},"context":{"requestId":"85012e5f-3ac9-11e9-9fe3-02420a135405"}}
api_1  | AccessDenied: Access denied
api_1  |        status code: 403, request id: 8502c7db-3ac9-11e9-b2fd-3bcf1937e9c5{"level":"info","time":"2019-02-27T19:54:40.609692796Z","message":"Produced response to request.","data":{"status":400,"nanoseconds":30075013},"context":{"requestId":"85012e5f-3ac9-11e9-9fe3-02420a135405"}}
api_1  | {"level":"debug","time":"2019-02-27T19:54:48.262207408Z","message":"Started transaction."}
api_1  | {"level":"debug","time":"2019-02-27T19:54:48.264270167Z","message":"Commited transaction."}

[thibautcornolti]

Hello,

I see an Access Denied, it could be due to several reasons:

• Are you first able to get your own identity? You can test it by typing aws sts get-caller-identity.

• Then, are you able to assume the role you just created for TrackIt? You can test it by typing aws sts assume-role --role-arn "role_arn" --external-id "external" --role-session-name "role_name"

Thanks!

[vmpowercli]

It worked only when I gave admin access the the default CLI user. Is there any way to get it work with out providing Admin access ?

Thank You

[vmpowercli]

I was able to login in to the portal but cannot see anything on AWS reports page. I see this error instead. Can you please help me here

Also how to see individual account details, we have a masterpay account and we use a consolidated billing sent to S3 which is on Masterapay account.

No reports available (Reports bucket not configured) Error while getting data (Data not available yet. Please check again in few hours.)

Thank You

[thibautcornolti]

Hello,

You will be able to see individual account details with TrackIt. I strongly recommend that you use our free SaaS solution. You can find it here.

However, you need to create a report if you don't already have one: Usage Reports.

• Click on Create report
• Type for example AllHourlyToS3 as report name
• Check Include resource IDs
• Check Automatically refresh your Cost & Usage Report when charges are detected for previous months with closed bills.
• Configure an S3 Bucket to host all reports, example [company]-billing
• Click Next
• Click Review and Complete

You should create this report on your masterpay account.

We don't need admin access, you can find our minimal policy here. Use this policy for your account you want to monitor. You also need another account to run TrackIt server (not needed in SaaS version). This account only needs sts:AssumeRole permission. TrackIt use your default account in ~/.aws/credentials.

Thanks.

[vmpowercli]

Hello, thanks for your help. I was able to import the data successfully but one thing what I have noticed was the bill's are not matching in trackit portal with AWS. Is there any way to filter and see just the account usage resources so I we can drill it down to see what are we missing ?

Thank You