AWS The authorization mechanism you have provided is not supported. Please use AWS4-HMAC-SHA256
Hallo Zusammen,
ich führe ein Skript aus, welches alle Ressourcen bei der Erstellung taggen soll:
Alles in EU-Central-1
Dieses Skript funktioniert nur teilweise. Ich habe probeweise eine EC2-Instanz und S3-Buckets erstellt. Die EC2-Instanz wurde getaggt, ebenso der Bucket. Als ich später noch einmal welche erstellt habe, wurde nur noch der Bucket getaggt. In den Logs fand ich dann Folgendes:
2018-09-05T09:40:01.982Z 3a7ccde7-b0ef-11e8-a5d9-ed81f6459057 { [InvalidRequest: The authorization mechanism you have provided is not supported. Please use AWS4-HMAC-SHA256.]
message: 'The authorization mechanism you have provided is not supported. Please use AWS4-HMAC-SHA256.',
code: 'InvalidRequest',
region: null,
time: Wed Sep 05 2018 09:40:01 GMT+0000 (UTC),
requestId: 'F3AAE4F8BBA1D952',
extendedRequestId: 'Jvj8W/xrZWW3zsGCqMclXCO5hbfI35VEWo5XDWilTNkqU+Wg2gSpDLsQ/rdLSrSqhIJ9O7ciSp8=',
cfId: undefined,
statusCode: 400,
retryable: false,
retryDelay: 27.57354755885899 }
Weiß jemand, wieso es nur "teilweise" funktioniert?
Viele Grüße,
Matze
ich führe ein Skript aus, welches alle Ressourcen bei der Erstellung taggen soll:
{
"AWSTemplateFormatVersion" : "2010-09-09",
"Description" : "Auto Tag (Open Source by GorillaStack)",
"Parameters" : {
"CodeS3Bucket" : {
"Description" : "The name of the code bucket in S3",
"Type" : "String",
"Default" : "gorillastack-autotag-releases-eu-central-1"
},
"CodeS3Path" : {
"Description" : "The path of the code zip file in the code bucket in S3",
"Type" : "String",
"Default" : "autotag-0.3.0.zip"
},
"CloudTrailBucketName" : {
"Description" : "The name you want to give the bucket for your CloudTrail logs",
"Type" : "String",
"Default": "my-cloudtrail-bucket"
}
},
"Mappings" : {
},
"Resources": {
"AutoTagExecutionRole" : {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"lambda.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
},
"Path": "/gorillastack/autotag/execution/"
}
},
"AutoTagLambdaFunction" : {
"Type" : "AWS::Lambda::Function",
"Properties" : {
"Code" : {
"S3Bucket": { "Ref" : "CodeS3Bucket" },
"S3Key": { "Ref" : "CodeS3Path" }
},
"Description" : "Auto Tag (Open Source by GorillaStack)",
"FunctionName" : "AutoTag",
"Handler" : "autotag.handler",
"Role" : { "Fn::GetAtt" : [ "AutoTagExecutionRole", "Arn" ] },
"Runtime" : "nodejs4.3",
"Timeout" : 30
}
},
"AutoTagMasterRole" : {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS" : { "Fn::GetAtt" : [ "AutoTagExecutionRole", "Arn" ] }
},
"Action": [
"sts:AssumeRole"
]
}
]
},
"Path": "/gorillastack/autotag/master/"
}
},
"AutoTagMasterPolicy" : {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "AutoTagMasterPolicy",
"Roles": [ { "Ref": "AutoTagMasterRole" } ],
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetBucketTagging",
"s3:PutBucketTagging",
"ec2:CreateTags",
"elasticloadbalancing:AddTags",
"autoscaling:CreateOrUpdateTags",
"rds:AddTagsToResource",
"elasticmapreduce:AddTags",
"datapipeline:AddTags"
],
"Resource": [
"*"
]
}
]
}
}
},
"AutoTagExecutionPolicy" : {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "AutoTagExecutionPolicy",
"Roles": [ { "Ref": "AutoTagExecutionRole" } ],
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "arn:aws:logs:*:*:*"
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
{ "Fn::Join": [ "", [ "arn:aws:s3:::", { "Ref" : "CloudTrailBucketName" } ] ] },
{ "Fn::Join": [ "", [ "arn:aws:s3:::", { "Ref" : "CloudTrailBucketName" }, "/*" ] ] }
]
},
{
"Effect": "Allow",
"Action": [
"cloudformation:DescribeStackResource"
],
"Resource": [
{ "Fn::Join": [ "", [ "arn:aws:cloudformation:", { "Ref" : "AWS::Region" }, ":", { "Ref" : "AWS::AccountId" }, ":stack/autotag/*" ] ] }
]
},
{
"Effect": "Allow",
"Action": [
"sts:*"
],
"Resource": [
{ "Fn::GetAtt" : [ "AutoTagMasterRole", "Arn" ] }
]
}
]
}
}
},
"TriggerLambdaPermission": {
"Type" : "AWS::Lambda::Permission",
"DependsOn" : "AutoTagLambdaFunction",
"Properties" : {
"Action" : "lambda:InvokeFunction",
"FunctionName" : { "Fn::GetAtt" : [ "AutoTagLambdaFunction", "Arn" ] },
"Principal" : "s3.amazonaws.com",
"SourceAccount": { "Ref" : "AWS::AccountId" },
"SourceArn": { "Fn::Join" : [ "", [ "arn:aws:s3:::", { "Ref" : "CloudTrailBucketName" } ] ] }
}
},
"BucketPolicy" : {
"Type" : "AWS::S3::BucketPolicy",
"DependsOn": "CloudTrailS3Bucket",
"Properties" : {
"Bucket" : { "Ref" : "CloudTrailS3Bucket" },
"PolicyDocument" : {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSCloudTrailAclCheck",
"Effect": "Allow",
"Principal": { "Service" : "cloudtrail.amazonaws.com"},
"Action": "s3:GetBucketAcl",
"Resource": { "Fn::Join" : [ "", [ "arn:aws:s3:::", { "Ref" : "CloudTrailBucketName" } ] ] }
},
{
"Sid": "AWSCloudTrailWrite",
"Effect": "Allow",
"Principal": { "Service":"cloudtrail.amazonaws.com" },
"Action": "s3:PutObject",
"Resource": { "Fn::Join" : [ "", [ "arn:aws:s3:::", { "Ref" : "CloudTrailBucketName"}, "/AWSLogs/", { "Ref":"AWS::AccountId" }, "/*" ] ] },
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
}
]
}
}
},
"CloudTrailS3Bucket" : {
"DependsOn" : "TriggerLambdaPermission",
"Type" : "AWS::S3::Bucket",
"Properties" : {
"BucketName" : { "Ref" : "CloudTrailBucketName" },
"NotificationConfiguration" : {
"LambdaConfigurations" : [
{
"Event" : "s3:ObjectCreated:*",
"Function" : { "Fn::GetAtt" : [ "AutoTagLambdaFunction", "Arn" ] }
}
]
}
}
},
"CloudTrail" : {
"DependsOn": "BucketPolicy",
"Type" : "AWS::CloudTrail::Trail",
"Properties" : {
"IsLogging" : true,
"IncludeGlobalServiceEvents": true,
"IsMultiRegionTrail" : true,
"S3BucketName" : { "Ref" : "CloudTrailBucketName" }
}
}
}
}
Alles in EU-Central-1
Dieses Skript funktioniert nur teilweise. Ich habe probeweise eine EC2-Instanz und S3-Buckets erstellt. Die EC2-Instanz wurde getaggt, ebenso der Bucket. Als ich später noch einmal welche erstellt habe, wurde nur noch der Bucket getaggt. In den Logs fand ich dann Folgendes:
2018-09-05T09:40:01.982Z 3a7ccde7-b0ef-11e8-a5d9-ed81f6459057 { [InvalidRequest: The authorization mechanism you have provided is not supported. Please use AWS4-HMAC-SHA256.]
message: 'The authorization mechanism you have provided is not supported. Please use AWS4-HMAC-SHA256.',
code: 'InvalidRequest',
region: null,
time: Wed Sep 05 2018 09:40:01 GMT+0000 (UTC),
requestId: 'F3AAE4F8BBA1D952',
extendedRequestId: 'Jvj8W/xrZWW3zsGCqMclXCO5hbfI35VEWo5XDWilTNkqU+Wg2gSpDLsQ/rdLSrSqhIJ9O7ciSp8=',
cfId: undefined,
statusCode: 400,
retryable: false,
retryDelay: 27.57354755885899 }
Weiß jemand, wieso es nur "teilweise" funktioniert?
Viele Grüße,
Matze
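10 Sekunden Google: Lösung bei Stackoverflow. (Die Fehlermeldung verlangt AWS4-HMAC-SHA256, also Signature Version 4; die abgelehnte Anfrage wurde offenbar mit einem älteren Signaturverfahren signiert.)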