matze1508
Goto Top

AWS The authorization mechanism you have provided is not supported. Please use AWS4-HMAC-SHA256

Hallo Zusammen,

ich führe ein Skript aus welches, alle Ressourcen bei der Erstellung taggen soll:

{
  "AWSTemplateFormatVersion" : "2010-09-09",  
  "Description" : "Auto Tag (Open Source by GorillaStack)",  
  "Parameters" : {  
    "CodeS3Bucket" : {  
      "Description" : "The name of the code bucket in S3",  
      "Type" : "String",  
      "Default" : "gorillastack-autotag-releases-eu-central-1"  
    },
    "CodeS3Path" : {  
      "Description" : "The path of the code zip file in the code bucket in S3",  
      "Type" : "String",  
      "Default" : "autotag-0.3.0.zip"  
    },
    "CloudTrailBucketName" : {  
      "Description" : "The name you want to give the bucket for your CloudTrail logs",  
      "Type" : "String",  
      "Default": "my-cloudtrail-bucket"  
    }
  },

  "Mappings" : {  
  },

  "Resources": {  

    "AutoTagExecutionRole" : {  
      "Type": "AWS::IAM::Role",  
      "Properties": {  
        "AssumeRolePolicyDocument": {  
          "Statement": [  
            {
              "Effect": "Allow",  
              "Principal": {  
                "Service": [  
                  "lambda.amazonaws.com"  
                ]
              },
              "Action": [  
                "sts:AssumeRole"  
              ]
            }
          ]
        },
        "Path": "/gorillastack/autotag/execution/"  
      }
    },

    "AutoTagLambdaFunction" : {  
      "Type" : "AWS::Lambda::Function",  
      "Properties" : {  
        "Code" : {  
          "S3Bucket": { "Ref" : "CodeS3Bucket" },  
          "S3Key": { "Ref" : "CodeS3Path" }  
        },
        "Description" : "Auto Tag (Open Source by GorillaStack)",  
        "FunctionName" : "AutoTag",  
        "Handler" : "autotag.handler",  
        "Role" : { "Fn::GetAtt" : [ "AutoTagExecutionRole", "Arn" ] },  
        "Runtime" : "nodejs4.3",  
        "Timeout" : 30  
      }
    },

    "AutoTagMasterRole" : {  
      "Type": "AWS::IAM::Role",  
      "Properties": {  
        "AssumeRolePolicyDocument": {  
          "Statement": [  
            {
              "Effect": "Allow",  
              "Principal": {  
                "AWS" : { "Fn::GetAtt" : [ "AutoTagExecutionRole", "Arn" ] }  
              },
              "Action": [  
                "sts:AssumeRole"  
              ]
            }
          ]
        },
        "Path": "/gorillastack/autotag/master/"  
      }
    },

    "AutoTagMasterPolicy" : {  
      "Type": "AWS::IAM::Policy",  
      "Properties": {  
        "PolicyName": "AutoTagMasterPolicy",  
        "Roles": [ { "Ref": "AutoTagMasterRole" } ],  
        "PolicyDocument": {  
          "Version": "2012-10-17",  
          "Statement": [  
            {
              "Effect": "Allow",  
              "Action": [  
                "s3:GetBucketTagging",  
                "s3:PutBucketTagging",  
                "ec2:CreateTags",  
                "elasticloadbalancing:AddTags",  
                "autoscaling:CreateOrUpdateTags",  
                "rds:AddTagsToResource",  
                "elasticmapreduce:AddTags",  
                "datapipeline:AddTags"  
              ],
              "Resource": [  
                "*"  
              ]
            }
          ]
        }
      }
    },

    "AutoTagExecutionPolicy" : {  
      "Type": "AWS::IAM::Policy",  
      "Properties": {  
        "PolicyName": "AutoTagExecutionPolicy",  
        "Roles": [ { "Ref": "AutoTagExecutionRole" } ],  
        "PolicyDocument": {  
          "Version": "2012-10-17",  
          "Statement": [  
            {
              "Effect": "Allow",  
              "Action": [  
                "logs:CreateLogGroup",  
                "logs:CreateLogStream",  
                "logs:PutLogEvents"  
              ],
              "Resource": "arn:aws:logs:*:*:*"  
            },
            {
              "Effect": "Allow",  
              "Action": [  
                "s3:GetObject",  
                "s3:ListBucket"  
              ],
              "Resource": [  
                { "Fn::Join": [ "", [ "arn:aws:s3:::", { "Ref" : "CloudTrailBucketName" } ] ] },  
                { "Fn::Join": [ "", [ "arn:aws:s3:::", { "Ref" : "CloudTrailBucketName" }, "/*" ] ] }  
              ]
            },
            {
              "Effect": "Allow",  
              "Action": [  
                "cloudformation:DescribeStackResource"  
              ],
              "Resource": [  
                { "Fn::Join": [ "", [ "arn:aws:cloudformation:", { "Ref" : "AWS::Region" }, ":", { "Ref" : "AWS::AccountId" }, ":stack/autotag/*" ] ] }  
              ]
            },
            {
              "Effect": "Allow",  
              "Action": [  
                "sts:*"  
              ],
              "Resource": [  
                { "Fn::GetAtt" : [ "AutoTagMasterRole", "Arn" ] }  
              ]
            }
          ]
        }
      }
    },

    "TriggerLambdaPermission": {  
      "Type" : "AWS::Lambda::Permission",  
      "DependsOn" : "AutoTagLambdaFunction",  
      "Properties" : {  
        "Action" : "lambda:InvokeFunction",  
        "FunctionName" : { "Fn::GetAtt" : [ "AutoTagLambdaFunction", "Arn" ] },  
        "Principal" : "s3.amazonaws.com",  
        "SourceAccount": { "Ref" : "AWS::AccountId" },  
        "SourceArn": { "Fn::Join" : [ "", [ "arn:aws:s3:::", { "Ref" : "CloudTrailBucketName" } ] ] }  
      }
    },

    "BucketPolicy" : {  
      "Type" : "AWS::S3::BucketPolicy",  
      "DependsOn": "CloudTrailS3Bucket",  
      "Properties" : {  
        "Bucket" : { "Ref" : "CloudTrailS3Bucket" },  
        "PolicyDocument" : {  
          "Version": "2012-10-17",  
          "Statement": [  
            {
              "Sid": "AWSCloudTrailAclCheck",  
              "Effect": "Allow",  
              "Principal": { "Service" : "cloudtrail.amazonaws.com"},  
              "Action": "s3:GetBucketAcl",  
              "Resource": { "Fn::Join" : [ "", [ "arn:aws:s3:::", { "Ref" : "CloudTrailBucketName" } ] ] }  
            },
            {
              "Sid": "AWSCloudTrailWrite",  
              "Effect": "Allow",  
              "Principal": { "Service":"cloudtrail.amazonaws.com" },  
              "Action": "s3:PutObject",  
              "Resource": { "Fn::Join" : [ "", [ "arn:aws:s3:::", { "Ref" : "CloudTrailBucketName"}, "/AWSLogs/", { "Ref":"AWS::AccountId" }, "/*" ] ] },  
              "Condition": {  
               "StringEquals": {  
                 "s3:x-amz-acl": "bucket-owner-full-control"  
               }
              }
            }
          ]
        }
      }
    },

    "CloudTrailS3Bucket" : {  
      "DependsOn" : "TriggerLambdaPermission",  
      "Type" : "AWS::S3::Bucket",  
      "Properties" : {  
        "BucketName" : { "Ref" : "CloudTrailBucketName" },  
        "NotificationConfiguration" : {  
          "LambdaConfigurations" : [  
            {
              "Event" : "s3:ObjectCreated:*",  
              "Function" : { "Fn::GetAtt" : [ "AutoTagLambdaFunction", "Arn" ] }  
            }
          ]
        }
      }
    },

    "CloudTrail" : {  
      "DependsOn": "BucketPolicy",  
      "Type" : "AWS::CloudTrail::Trail",  
      "Properties" : {  
        "IsLogging" : true,  
        "IncludeGlobalServiceEvents": true,  
        "IsMultiRegionTrail" : true,  
        "S3BucketName" : { "Ref" : "CloudTrailBucketName" }  
      }
    }
  }
}


Alles in EU-Central-1
Dieses Skript funktionieren teilweise .. Ich erstellte Probeweise eine EC2 Instanz und S3 Buckets. Die EC2 Instanz wurde getaggt ebenfalls der Bucket .. Nur wenn ich später nochmal welche erstellt habe wurde nur noch der Bucket getaggt. In den Logs fand ich dann folgendes:

2018-09-05T09:40:01.982Z 3a7ccde7-b0ef-11e8-a5d9-ed81f6459057 { [InvalidRequest: The authorization mechanism you have provided is not supported. Please use AWS4-HMAC-SHA256.]
message: 'The authorization mechanism you have provided is not supported. Please use AWS4-HMAC-SHA256.',
code: 'InvalidRequest',
region: null,
time: Wed Sep 05 2018 09:40:01 GMT+0000 (UTC),
requestId: 'F3AAE4F8BBA1D952',
extendedRequestId: 'Jvj8W/xrZWW3zsGCqMclXCO5hbfI35VEWo5XDWilTNkqU+Wg2gSpDLsQ/rdLSrSqhIJ9O7ciSp8=',
cfId: undefined,
statusCode: 400,
retryable: false,
retryDelay: 27.57354755885899 }

Weiß jemand wieso es so "teilweise" funktioniert.

Viele Grüße,
Matze

Content-ID: 385503

Url: https://administrator.de/forum/aws-the-authorization-mechanism-you-have-provided-is-not-supported-please-use-aws4-hmac-sha256-385503.html

Ausgedruckt am: 23.12.2024 um 18:12 Uhr

bloodstix
bloodstix 05.09.2018 um 12:26:05 Uhr
Goto Top
10 Sekunden Google: Lösung bei Stackoverflow
Matze1508
Matze1508 05.09.2018 um 13:06:48 Uhr
Goto Top
Wie soll der Code denn angepasst werden. Die Seite habe ich auch gefunden...
bloodstix
bloodstix 05.09.2018 um 13:16:00 Uhr
Goto Top
Dein "Skript" führst du ja mit einem irgendwie gearteten SDK aus. Dort musst du einstellen das die neuere Authentifizierungsmethode genutzt werden muss, da neuere Amazon-Instanzen nur noch diese unterstützen.