turbot / steampipe-plugin-alicloud

Use SQL to instantly query Alibaba Cloud resources across regions and accounts. Open source CLI. No DB required.
https://hub.steampipe.io/plugins/turbot/alicloud
Apache License 2.0

`SignatureDoesNotMatch` error in `RamRoleArn` mode #454

Open QiXingchuan opened 1 week ago

QiXingchuan commented 1 week ago

**Describe the bug**

The query will have errors like this after the steampipe service runs for some time.

```
Error: alicloud_sandbox: SDK.ServerError
ErrorCode: SignatureDoesNotMatch
Recommend: InvalidAccessKeySecret: Please check you AccessKeySecret
Message: Specified signature is not matched with our calculation.
```

**Steampipe version (`steampipe -v`)**

Steampipe v0.23.2

**Plugin version (`steampipe plugin list`)**

hub.steampipe.io/plugins/turbot/alicloud@latest | 0.23.0

**To reproduce**

.aliyun/config.json

```json
{
  "current": "default",
  "profiles": [
    {
      "name": "syncer-test",
      "mode": "RamRoleArn",
      "access_key_id": "xxx",
      "access_key_secret": "xxx",
      "sts_token": "",
      "sts_region": "",
      "ram_role_name": "syncer-test",
      "ram_role_arn": "acs:ram::xxx:role/syncer-test",
      "ram_session_name": "syncer-test",
      "source_profile": "",
      "private_key": "",
      "key_pair_name": "",
      "expired_seconds": 0,
      "verified": "",
      "region_id": "cn-shanghai",
      "output_format": "json",
      "language": "en",
      "site": "",
      "retry_timeout": 0,
      "connect_timeout": 0,
      "retry_count": 0,
      "process_command": "",
      "credentials_uri": "",
      "oidc_provider_arn": "",
      "oidc_token_file": ""
    }
  ],
  "meta_path": ""
}
```


- ``steampipe service start``
- ``steampipe query``
- Execute query like ``select * from alicloud_sandbox.alicloud_ecs_instance``
- Execute query like ``select * from alicloud_sandbox.alicloud_ecs_instance`` after one hour

**Expected behavior**

The error should not happen.

**Additional context**

It seems that the credential is expired when this issue happens. This should be renewed internally, rather than throwing an error.

ParthaI commented 5 days ago

Hello @QiXingchuan,

Sorry to hear that you're encountering this issue.

After reviewing it, I’d like to share a few key points for your consideration:

The ALI Cloud SDK previously did not support CLI authentication. We added profile authentication in Steampipe by manually parsing the file located at ~/.aliyun/config.json. However, it seems we may have missed handling session expiration properly. A support request was also raised with the SDK team. For reference, see: https://github.com/aliyun/alibaba-cloud-sdk-go/issues/629.

Recently, they added support for profile authentication in the SDK. I’ve submitted a PR (https://github.com/turbot/steampipe-plugin-alicloud/pull/456) to address this issue. The updated profile authentication will now use the SDK's built-in mechanism.

The changes in the PR are still in progress, but it would be helpful if you could test it with the PR branch (update-alicloud-sdk) and let us know if the issue is resolved, or if there are any remaining edge cases we need to consider.

Thanks!

QiXingchuan commented 3 days ago

Hi @ParthaI. Thank you for getting back to me so quickly! I tested it with PR #456, and the issue has been resolved.
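
The session-expiration gap discussed in this thread, as an added example that is not the plugin's or the SDK's code: a credential provider that caches assumed-role credentials and renews them a safety margin before `Expiration`, rather than reusing the first set for the lifetime of the service. The type names, the `assume` hook (a stand-in for the real STS AssumeRole call), the token strings and the five-minute margin are assumptions for illustration.

```go
package main

import (
	"fmt"
	"time"
)

type STSCreds struct {
	SecurityToken string
	Expiration    time.Time // the temporary credentials are invalid after this instant
}

// RefreshingProvider renews cached credentials before they expire (add a mutex if shared).
type RefreshingProvider struct {
	cached *STSCreds
	assume func() (*STSCreds, error) // hypothetical hook wrapping the STS AssumeRole call
	now    func() time.Time          // injectable clock
	skew   time.Duration             // renew this long before Expiration
}

// Get returns the cached credentials, assuming the role again when they are missing or near expiry.
func (p *RefreshingProvider) Get() (*STSCreds, error) {
	if p.cached == nil || !p.now().Add(p.skew).Before(p.cached.Expiration) {
		c, err := p.assume()
		if err != nil {
			return nil, fmt.Errorf("assume role: %w", err)
		}
		p.cached = c
	}
	return p.cached, nil
}

// Simulate calls Get at each offset on a simulated clock (constructed data, no network).
func Simulate(offsets []time.Duration, ttl, skew time.Duration) (calls int, tokens []string) {
	var clock time.Time
	p := &RefreshingProvider{skew: skew, now: func() time.Time { return clock }}
	p.assume = func() (*STSCreds, error) {
		calls++
		return &STSCreds{SecurityToken: fmt.Sprintf("token-%d", calls), Expiration: clock.Add(ttl)}, nil
	}
	for _, off := range offsets {
		clock = time.Unix(0, 0).Add(off)
		c, _ := p.Get() // the simulated assume hook never fails
		tokens = append(tokens, c.SecurityToken)
	}
	return calls, tokens
}

func main() {
	fmt.Println(Simulate([]time.Duration{0, 30 * time.Minute, 58 * time.Minute, 61 * time.Minute}, time.Hour, 5*time.Minute))
}
```

With a one-hour lifetime, the query at 58 minutes already triggers renewal, so the query at 61 minutes is signed with fresh credentials instead of the expired first set.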