Posted to user@jclouds.apache.org by ar...@gmail.com, ar...@gmail.com on 2018/06/20 06:01:45 UTC

Issue with jclouds computeService listNodes() ?

Hi All,
I am trying to SSH from one EC2 instance into another using Netflix's Simian Army. I am using an IAM role instead of Access key and Secret key. Wondering if there is an issue with calling listNodes() when using an IAM role. Any insight on this, or any workaround on the issue is helpful.

Cheers
Archana

Re: Issue with jclouds computeService listNodes() ?

Posted by ar...@gmail.com, ar...@gmail.com.
Hi Andrea, 
Thanks for the quick response. I am using an IAM role that has full admin access. Which is why this case is even more perplexing. Do you have any other suggestions to try out?  
Cheers Archana

On 2018/06/21 07:40:46, Andrea Turli <an...@gmail.com> wrote: 
> Archana,
> 
> interesting!
> 
> To debug this, I would attach a IAM role with e.g the AmazonEC2FullAccess
> policy set and re-test. If that works, I'll then try to play with more
> restricting policies, in case you don't like AmazonEC2FullAccess in
> production.
> 
> Best,
> Andrea
> 
> On Thu, Jun 21, 2018 at 9:34 AM archieprad@gmail.com <ar...@gmail.com>
> wrote:
> 
> > Hi Andrea,
> > I tried the two methods that you suggested and neither of them work. I
> > also tried another method listHardwareProfiles() and it works. Is there
> > some different level of authentication required across these? Please do let
> > me know what you think.
> >
> > Cheers
> > Archana
> >
> > On 2018/06/20 07:26:44, Andrea Turli <an...@gmail.com> wrote:
> > > Hi Archana,
> > >
> > > I don't see any particular reason listNodes  would behave differently
> > when
> > > using IAM role vs Access Key and Secret Key - Once the Ec2Api is
> > configured
> > > to use org.jclouds.aws.domain.SessionCredentials everything should just
> > > work.
> > >
> > > Is listNodes the only failing one? Can you share the stacktrace of a
> > > failing call?
> > > Could you double check listAssignableLocations() or listImages() with the
> > > same IAM role? if they work, can it be related to weird IAM permissions?
> > >
> > > HTH,
> > > Andrea
> > >
> > > On Wed, Jun 20, 2018 at 8:01 AM archieprad@gmail.com <
> > archieprad@gmail.com>
> > > wrote:
> > >
> > > > Hi All,
> > > > I am trying to SSH from one EC2 instance into another using netflix's
> > > > simian army. I am using IAM role instead of Access key and Secret key.
> > > > Wondering if there is an issue with calling listNodes() when using IAM
> > > > role. Any insight on this, or any workaround on the issue is helpful.
> > > >
> > > > Cheers
> > > > Archana
> > > >
> > >
> >
> 

Re: Issue with jclouds computeService listNodes() ?

Posted by Andrea Turli <an...@gmail.com>.
Archana,

interesting!

To debug this, I would attach an IAM role with e.g. the AmazonEC2FullAccess
policy set and re-test. If that works, I'll then try to play with more
restricting policies, in case you don't like AmazonEC2FullAccess in
production.

Best,
Andrea

On Thu, Jun 21, 2018 at 9:34 AM archieprad@gmail.com <ar...@gmail.com>
wrote:

> Hi Andrea,
> I tried the two methods that you suggested and neither of them work. I
> also tried another method listHardwareProfiles() and it works. Is there
> some different level of authentication required across these? Please do let
> me know what you think.
>
> Cheers
> Archana
>
> On 2018/06/20 07:26:44, Andrea Turli <an...@gmail.com> wrote:
> > Hi Archana,
> >
> > I don't see any particular reason listNodes  would behave differently
> when
> > using IAM role vs Access Key and Secret Key - Once the Ec2Api is
> configured
> > to use org.jclouds.aws.domain.SessionCredentials everything should just
> > work.
> >
> > Is listNodes the only failing one? Can you share the stacktrace of a
> > failing call?
> > Could you double check listAssignableLocations() or listImages() with the
> > same IAM role? if they work, can it be related to weird IAM permissions?
> >
> > HTH,
> > Andrea
> >
> > On Wed, Jun 20, 2018 at 8:01 AM archieprad@gmail.com <
> archieprad@gmail.com>
> > wrote:
> >
> > > Hi All,
> > > I am trying to SSH from one EC2 instance into another using netflix's
> > > simian army. I am using IAM role instead of Access key and Secret key.
> > > Wondering if there is an issue with calling listNodes() when using IAM
> > > role. Any insight on this, or any workaround on the issue is helpful.
> > >
> > > Cheers
> > > Archana
> > >
> >
>

Re: Issue with jclouds computeService listNodes() ?

Posted by ar...@gmail.com, ar...@gmail.com.
Hi Andrea,
I tried the two methods that you suggested and neither of them work. I also tried another method listHardwareProfiles() and it works. Is there some different level of authentication required across these? Please do let me know what you think.

Cheers 
Archana

On 2018/06/20 07:26:44, Andrea Turli <an...@gmail.com> wrote: 
> Hi Archana,
> 
> I don't see any particular reason listNodes  would behave differently when
> using IAM role vs Access Key and Secret Key - Once the Ec2Api is configured
> to use org.jclouds.aws.domain.SessionCredentials everything should just
> work.
> 
> Is listNodes the only failing one? Can you share the stacktrace of a
> failing call?
> Could you double check listAssignableLocations() or listImages() with the
> same IAM role? if they work, can it be related to weird IAM permissions?
> 
> HTH,
> Andrea
> 
> On Wed, Jun 20, 2018 at 8:01 AM archieprad@gmail.com <ar...@gmail.com>
> wrote:
> 
> > Hi All,
> > I am trying to SSH from one EC2 instance into another using netflix's
> > simian army. I am using IAM role instead of Access key and Secret key.
> > Wondering if there is an issue with calling listNodes() when using IAM
> > role. Any insight on this, or any workaround on the issue is helpful.
> >
> > Cheers
> > Archana
> >
> 

Re: Issue with jclouds computeService listNodes() ?

Posted by ar...@gmail.com, ar...@gmail.com.
Hi Andrea,
Yes, I changed the code a little and added a .endpoint("https://ec2-ap-southeast-1.com"), to change the region. Does that resolve it?

Regards
Archana

On 2018/06/21 07:53:48, Andrea Turli <an...@gmail.com> wrote: 
> Mmm very interesting!
> 
> The only thing that comes to my mind is:
> - is your account allowed to talk to all the regions? From the stacktrace
> above looks like
> org.jclouds.rest.AuthorizationException: POST
> https://ec2.us-east-1.amazonaws.com/ HTTP/1.1 -> HTTP/1.1 401 Unauthorized
> so maybe your account is not allowed to talk to that region. Can you
> confirm? if not you want to control which regions to target you can use
> `-Djclouds.regions: "us-west-1" in case you want to limit to Oregon.
> 
> HTH,
> Andrea
> 
> On Thu, Jun 21, 2018 at 9:45 AM archieprad@gmail.com <ar...@gmail.com>
> wrote:
> 
> > Hi Andrea,
> > Thanks for the quick response. I am using an IAM role that has full admin
> > access. Which is why this case is even more perplexing. Do you have any
> > other suggestions to try out?
> >
> > Cheers
> > Archana
> >
> > On 2018/06/20 21:45:31, archieprad@gmail.com <ar...@gmail.com>
> > wrote:
> > > Hi Ignasi,
> > > So the function that does the authentication uses a context builder and
> > generates a temporary access and secret key. I've read that perhaps Jclouds
> > might not be sending the session token to access aws resources. Do you
> > think that is what could be happening?
> > >
> > > Cheers,
> > > Archana
> > >
> >
> 

Re: Issue with jclouds computeService listNodes() ?

Posted by ar...@gmail.com, ar...@gmail.com.
This is great! Thank you!

Cheers
Archana

On 2018/06/21 08:39:58, Ignasi Barrera <na...@apache.org> wrote: 
> FTR, I'm not a user of the SimianArmy, but I've just opened a PR to add
> support for temporary credentials:
> https://github.com/Netflix/SimianArmy/pull/331
> 
> On 21 June 2018 at 10:14, archieprad@gmail.com <ar...@gmail.com> wrote:
> 
> > Hi Ignasi,
> > Thank you! I will try this out and let you know if it worked.
> >
> > Cheers
> > Archana
> >
> > On 2018/06/21 08:00:01, Ignasi Barrera <ig...@gmail.com> wrote:
> > > Hi Archana,
> > >
> > > I see the problem here. When using temporary credentials in AWS, the
> > > session token must be included in a request header [1], so you need to
> > > provide it when configuring the jclouds context with the credentials.
> > >
> > > By default, the "ContextBuilder.credentials" signature does only allow to
> > > pass the access key and secret key, but there is no place to specify that
> > > session token. However, the ContextBuilder provides an alternate
> > mechanism
> > > to configure custom credentials. You can use the
> > > "ContextBuilder.credentialsSupplier" method as follows:
> > >
> > > ContextBuilder.newBuilder("aws-ec2")
> > >    ...
> > >    .credentialsSupplier(new Supplier<Credentials>() {
> > >       @Override
> > >       public Credentials get() {
> > >          return SessionCredentials.builder()
> > >             .accessKeyId("temporary access key")
> > >             .secretAccessKey("temporary secret key")
> > >             .sessionToken("session token")
> > >             .expiration(new Date()) // Change to a proper value
> > >             .build();
> > >       }
> > >    })
> > >    ...
> > >
> > > ​
> > >
> > > Could you try this?
> > >
> > >
> > > HTH!
> > >
> > > I.
> > >
> > >
> > > [1]
> > > https://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html#
> > UsingTemporarySecurityCredentials
> > >
> > >
> > > On 21 June 2018 at 09:53, Andrea Turli <an...@gmail.com> wrote:
> > >
> > > > Mmm very interesting!
> > > >
> > > > The only thing that comes to my mind is:
> > > > - is your account allowed to talk to all the regions? From the
> > stacktrace
> > > > above looks like
> > > > org.jclouds.rest.AuthorizationException: POST https://ec2.us-east-1.
> > > > amazonaws.com/ HTTP/1.1 -> HTTP/1.1 401 Unauthorized
> > > > so maybe your account is not allowed to talk to that region. Can you
> > > > confirm? if not you want to control which regions to target you can use
> > > > `-Djclouds.regions: "us-west-1" in case you want to limit to Oregon.
> > > >
> > > > HTH,
> > > > Andrea
> > > >
> > > > On Thu, Jun 21, 2018 at 9:45 AM archieprad@gmail.com <
> > archieprad@gmail.com>
> > > > wrote:
> > > >
> > > >> Hi Andrea,
> > > >> Thanks for the quick response. I am using an IAM role that has full
> > admin
> > > >> access. Which is why this case is even more perplexing. Do you have
> > any
> > > >> other suggestions to try out?
> > > >>
> > > >> Cheers
> > > >> Archana
> > > >>
> > > >> On 2018/06/20 21:45:31, archieprad@gmail.com <ar...@gmail.com>
> > > >> wrote:
> > > >> > Hi Ignasi,
> > > >> > So the function that does the authentication uses a context builder
> > and
> > > >> generates a temporary access and secret key. I've read that perhaps
> > Jclouds
> > > >> might not be sending the session token to access aws resources. Do you
> > > >> think that is what could be happening?
> > > >> >
> > > >> > Cheers,
> > > >> > Archana
> > > >> >
> > > >>
> > > >
> > >
> >
> 

Re: Issue with jclouds computeService listNodes() ?

Posted by Ignasi Barrera <na...@apache.org>.
FTR, I'm not a user of the SimianArmy, but I've just opened a PR to add
support for temporary credentials:
https://github.com/Netflix/SimianArmy/pull/331

On 21 June 2018 at 10:14, archieprad@gmail.com <ar...@gmail.com> wrote:

> Hi Ignasi,
> Thank you! I will try this out and let you know if it worked.
>
> Cheers
> Archana
>
> On 2018/06/21 08:00:01, Ignasi Barrera <ig...@gmail.com> wrote:
> > Hi Archana,
> >
> > I see the problem here. When using temporary credentials in AWS, the
> > session token must be included in a request header [1], so you need to
> > provide it when configuring the jclouds context with the credentials.
> >
> > By default, the "ContextBuilder.credentials" signature does only allow to
> > pass the access key and secret key, but there is no place to specify that
> > session token. However, the ContextBuilder provides an alternate
> mechanism
> > to configure custom credentials. You can use the
> > "ContextBuilder.credentialsSupplier" method as follows:
> >
> > ContextBuilder.newBuilder("aws-ec2")
> >    ...
> >    .credentialsSupplier(new Supplier<Credentials>() {
> >       @Override
> >       public Credentials get() {
> >          return SessionCredentials.builder()
> >             .accessKeyId("temporary access key")
> >             .secretAccessKey("temporary secret key")
> >             .sessionToken("session token")
> >             .expiration(new Date()) // Change to a proper value
> >             .build();
> >       }
> >    })
> >    ...
> >
> > ​
> >
> > Could you try this?
> >
> >
> > HTH!
> >
> > I.
> >
> >
> > [1]
> > https://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html#
> UsingTemporarySecurityCredentials
> >
> >
> > On 21 June 2018 at 09:53, Andrea Turli <an...@gmail.com> wrote:
> >
> > > Mmm very interesting!
> > >
> > > The only thing that comes to my mind is:
> > > - is your account allowed to talk to all the regions? From the
> stacktrace
> > > above looks like
> > > org.jclouds.rest.AuthorizationException: POST https://ec2.us-east-1.
> > > amazonaws.com/ HTTP/1.1 -> HTTP/1.1 401 Unauthorized
> > > so maybe your account is not allowed to talk to that region. Can you
> > > confirm? if not you want to control which regions to target you can use
> > > `-Djclouds.regions: "us-west-1" in case you want to limit to Oregon.
> > >
> > > HTH,
> > > Andrea
> > >
> > > On Thu, Jun 21, 2018 at 9:45 AM archieprad@gmail.com <
> archieprad@gmail.com>
> > > wrote:
> > >
> > >> Hi Andrea,
> > >> Thanks for the quick response. I am using an IAM role that has full
> admin
> > >> access. Which is why this case is even more perplexing. Do you have
> any
> > >> other suggestions to try out?
> > >>
> > >> Cheers
> > >> Archana
> > >>
> > >> On 2018/06/20 21:45:31, archieprad@gmail.com <ar...@gmail.com>
> > >> wrote:
> > >> > Hi Ignasi,
> > >> > So the function that does the authentication uses a context builder
> and
> > >> generates a temporary access and secret key. I've read that perhaps
> Jclouds
> > >> might not be sending the session token to access aws resources. Do you
> > >> think that is what could be happening?
> > >> >
> > >> > Cheers,
> > >> > Archana
> > >> >
> > >>
> > >
> >
>

Re: Issue with jclouds computeService listNodes() ?

Posted by ar...@gmail.com, ar...@gmail.com.
Hi Ignasi,
Thank you! I will try this out and let you know if it worked.

Cheers
Archana

On 2018/06/21 08:00:01, Ignasi Barrera <ig...@gmail.com> wrote: 
> Hi Archana,
> 
> I see the problem here. When using temporary credentials in AWS, the
> session token must be included in a request header [1], so you need to
> provide it when configuring the jclouds context with the credentials.
> 
> By default, the "ContextBuilder.credentials" signature does only allow to
> pass the access key and secret key, but there is no place to specify that
> session token. However, the ContextBuilder provides an alternate mechanism
> to configure custom credentials. You can use the
> "ContextBuilder.credentialsSupplier" method as follows:
> 
> ContextBuilder.newBuilder("aws-ec2")
>    ...
>    .credentialsSupplier(new Supplier<Credentials>() {
>       @Override
>       public Credentials get() {
>          return SessionCredentials.builder()
>             .accessKeyId("temporary access key")
>             .secretAccessKey("temporary secret key")
>             .sessionToken("session token")
>             .expiration(new Date()) // Change to a proper value
>             .build();
>       }
>    })
>    ...
> 
> ​
> 
> Could you try this?
> 
> 
> HTH!
> 
> I.
> 
> 
> [1]
> https://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html#UsingTemporarySecurityCredentials
> 
> 
> On 21 June 2018 at 09:53, Andrea Turli <an...@gmail.com> wrote:
> 
> > Mmm very interesting!
> >
> > The only thing that comes to my mind is:
> > - is your account allowed to talk to all the regions? From the stacktrace
> > above looks like
> > org.jclouds.rest.AuthorizationException: POST https://ec2.us-east-1.
> > amazonaws.com/ HTTP/1.1 -> HTTP/1.1 401 Unauthorized
> > so maybe your account is not allowed to talk to that region. Can you
> > confirm? if not you want to control which regions to target you can use
> > `-Djclouds.regions: "us-west-1" in case you want to limit to Oregon.
> >
> > HTH,
> > Andrea
> >
> > On Thu, Jun 21, 2018 at 9:45 AM archieprad@gmail.com <ar...@gmail.com>
> > wrote:
> >
> >> Hi Andrea,
> >> Thanks for the quick response. I am using an IAM role that has full admin
> >> access. Which is why this case is even more perplexing. Do you have any
> >> other suggestions to try out?
> >>
> >> Cheers
> >> Archana
> >>
> >> On 2018/06/20 21:45:31, archieprad@gmail.com <ar...@gmail.com>
> >> wrote:
> >> > Hi Ignasi,
> >> > So the function that does the authentication uses a context builder and
> >> generates a temporary access and secret key. I've read that perhaps Jclouds
> >> might not be sending the session token to access aws resources. Do you
> >> think that is what could be happening?
> >> >
> >> > Cheers,
> >> > Archana
> >> >
> >>
> >
> 

Re: Issue with jclouds computeService listNodes() ?

Posted by Ignasi Barrera <ig...@gmail.com>.
Hi Archana,

I see the problem here. When using temporary credentials in AWS, the
session token must be included in a request header [1], so you need to
provide it when configuring the jclouds context with the credentials.

By default, the "ContextBuilder.credentials" signature does only allow to
pass the access key and secret key, but there is no place to specify that
session token. However, the ContextBuilder provides an alternate mechanism
to configure custom credentials. You can use the
"ContextBuilder.credentialsSupplier" method as follows:

ContextBuilder.newBuilder("aws-ec2")
   ...
   .credentialsSupplier(new Supplier<Credentials>() {
      @Override
      public Credentials get() {
         return SessionCredentials.builder()
            .accessKeyId("temporary access key")
            .secretAccessKey("temporary secret key")
            .sessionToken("session token")
            .expiration(new Date()) // Change to a proper value
            .build();
      }
   })
   ...

​

Could you try this?


HTH!

I.


[1]
https://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html#UsingTemporarySecurityCredentials


On 21 June 2018 at 09:53, Andrea Turli <an...@gmail.com> wrote:

> Mmm very interesting!
>
> The only thing that comes to my mind is:
> - is your account allowed to talk to all the regions? From the stacktrace
> above looks like
> org.jclouds.rest.AuthorizationException: POST https://ec2.us-east-1.
> amazonaws.com/ HTTP/1.1 -> HTTP/1.1 401 Unauthorized
> so maybe your account is not allowed to talk to that region. Can you
> confirm? if not you want to control which regions to target you can use
> `-Djclouds.regions: "us-west-1" in case you want to limit to Oregon.
>
> HTH,
> Andrea
>
> On Thu, Jun 21, 2018 at 9:45 AM archieprad@gmail.com <ar...@gmail.com>
> wrote:
>
>> Hi Andrea,
>> Thanks for the quick response. I am using an IAM role that has full admin
>> access. Which is why this case is even more perplexing. Do you have any
>> other suggestions to try out?
>>
>> Cheers
>> Archana
>>
>> On 2018/06/20 21:45:31, archieprad@gmail.com <ar...@gmail.com>
>> wrote:
>> > Hi Ignasi,
>> > So the function that does the authentication uses a context builder and
>> generates a temporary access and secret key. I've read that perhaps Jclouds
>> might not be sending the session token to access aws resources. Do you
>> think that is what could be happening?
>> >
>> > Cheers,
>> > Archana
>> >
>>
>

Re: Issue with jclouds computeService listNodes() ?

Posted by Andrea Turli <an...@gmail.com>.
Mmm very interesting!

The only thing that comes to my mind is:
- is your account allowed to talk to all the regions? From the stacktrace
above looks like
org.jclouds.rest.AuthorizationException: POST
https://ec2.us-east-1.amazonaws.com/ HTTP/1.1 -> HTTP/1.1 401 Unauthorized
so maybe your account is not allowed to talk to that region. Can you
confirm? if not you want to control which regions to target you can use
`-Djclouds.regions: "us-west-1" in case you want to limit to Oregon.

HTH,
Andrea

On Thu, Jun 21, 2018 at 9:45 AM archieprad@gmail.com <ar...@gmail.com>
wrote:

> Hi Andrea,
> Thanks for the quick response. I am using an IAM role that has full admin
> access. Which is why this case is even more perplexing. Do you have any
> other suggestions to try out?
>
> Cheers
> Archana
>
> On 2018/06/20 21:45:31, archieprad@gmail.com <ar...@gmail.com>
> wrote:
> > Hi Ignasi,
> > So the function that does the authentication uses a context builder and
> generates a temporary access and secret key. I've read that perhaps Jclouds
> might not be sending the session token to access aws resources. Do you
> think that is what could be happening?
> >
> > Cheers,
> > Archana
> >
>

Re: Issue with jclouds computeService listNodes() ?

Posted by ar...@gmail.com, ar...@gmail.com.
Hi Andrea,
Thanks for the quick response. I am using an IAM role that has full admin access. Which is why this case is even more perplexing. Do you have any other suggestions to try out?

Cheers
Archana

On 2018/06/20 21:45:31, archieprad@gmail.com <ar...@gmail.com> wrote: 
> Hi Ignasi,
> So the function that does the authentication uses a context builder and generates a temporary access and secret key. I've read that perhaps Jclouds might not be sending the session token to access aws resources. Do you think that is what could be happening?
> 
> Cheers,
> Archana
> 

Re: Issue with jclouds computeService listNodes() ?

Posted by ar...@gmail.com, ar...@gmail.com.
Hi Ignasi,
So the function that does the authentication uses a context builder and generates a temporary access and secret key. I've read that perhaps Jclouds might not be sending the session token to access aws resources. Do you think that is what could be happening?

Cheers,
Archana

Re: Issue with jclouds computeService listNodes() ?

Posted by Ignasi Barrera <ig...@gmail.com>.
Hi Archana,

There is no explicit support to pass the IAM role based authentication when
creating the jclouds context. It has to be created with the access and
secret key.
I don't know the internals of the simian army, but if you have access to
the instance metadata you could query it to get the access keys and then
build the jclouds context.



On 20 June 2018 at 09:30, archieprad@gmail.com <ar...@gmail.com> wrote:

> Hi Andrea,
> Thanks for the reply. I am somewhat new ( learning today) to Jclouds. But
> after facing this issue for the past 2 days and reading some blog posts, a
> lot of places say it might be an IAM role issue. Here is the stacktrace:
>
> 2018-06-18 03:52:56.701 - WARN  ChaosInstance - [ChaosInstance.java:105]
> Error making SSH connection to instance
> org.jclouds.rest.AuthorizationException: POST https://ec2.us-east-1.
> amazonaws.com/ HTTP/1.1 -> HTTP/1.1 401 Unauthorized
>         at org.jclouds.aws.handlers.ParseAWSErrorFromXmlContent.
> refineException(ParseAWSErrorFromXmlContent.java:122)
>         at org.jclouds.aws.handlers.ParseAWSErrorFromXmlContent.
> handleError(ParseAWSErrorFromXmlContent.java:89)
>         at org.jclouds.http.handlers.DelegatingErrorHandler.handleError(
> DelegatingErrorHandler.java:65)
>         at org.jclouds.http.internal.BaseHttpCommandExecutorService
> .shouldContinue(BaseHttpCommandExecutorService.java:132)
>         at org.jclouds.http.internal.BaseHttpCommandExecutorService
> .invoke(BaseHttpCommandExecutorService.java:101)
>         at org.jclouds.rest.internal.InvokeHttpMethod.invoke(
> InvokeHttpMethod.java:90)
>         at org.jclouds.rest.internal.InvokeHttpMethod.apply(
> InvokeHttpMethod.java:73)
>         at org.jclouds.rest.internal.InvokeHttpMethod.apply(
> InvokeHttpMethod.java:44)
>         at org.jclouds.reflect.FunctionalReflection$
> FunctionalInvocationHandler.handleInvocation(
> FunctionalReflection.java:117)
>         at com.google.common.reflect.AbstractInvocationHandler.invoke(
> AbstractInvocationHandler.java:87)
>         at com.sun.proxy.$Proxy174.describeRegions(Unknown Source)
>         at org.jclouds.ec2.suppliers.DescribeRegionsForRegionURIs.get(
> DescribeRegionsForRegionURIs.java:50)
>         at org.jclouds.ec2.suppliers.DescribeRegionsForRegionURIs.get(
> DescribeRegionsForRegionURIs.java:38)
>         at org.jclouds.rest.suppliers.MemoizedRetryOnTimeOutButNotOn
> AuthorizationExceptionSupplier$SetAndThrowAuthorizationExcept
> ionSupplierBackedLoader.load(MemoizedRetryOnTimeOutButNotOn
> AuthorizationExceptionSupplier.java:73)
>         at org.jclouds.rest.suppliers.MemoizedRetryOnTimeOutButNotOn
> AuthorizationExceptionSupplier$SetAndThrowAuthorizationExcept
> ionSupplierBackedLoader.load(MemoizedRetryOnTimeOutButNotOn
> AuthorizationExceptionSupplier.java:57)
>         at com.google.common.cache.LocalCache$LoadingValueReference.
> loadFuture(LocalCache.java:3542)
>         at com.google.common.cache.LocalCache$Segment.loadSync(
> LocalCache.java:2323)
>         at com.google.common.cache.LocalCache$Segment.
> lockedGetOrLoad(LocalCache.java:2286)
>         at com.google.common.cache.LocalCache$Segment.get(
> LocalCache.java:2201)
>         at com.google.common.cache.LocalCache.get(LocalCache.java:3953)
>         at com.google.common.cache.LocalCache.getOrLoad(
> LocalCache.java:3957)
>         at com.google.common.cache.LocalCache$LocalLoadingCache.
> get(LocalCache.java:4875)
>         at org.jclouds.rest.suppliers.MemoizedRetryOnTimeOutButNotOn
> AuthorizationExceptionSupplier.get(MemoizedRetryOnTimeOutButNotOn
> AuthorizationExceptionSupplier.java:119)
>         at org.jclouds.location.suppliers.derived.
> RegionIdsFromRegionIdToURIKeySet.get(RegionIdsFromRegionIdToURIKeyS
> et.java:45)
>         at org.jclouds.location.suppliers.derived.
> RegionIdsFromRegionIdToURIKeySet.get(RegionIdsFromRegionIdToURIKeyS
> et.java:33)
>         at com.google.common.base.Suppliers$SupplierComposition.
> get(Suppliers.java:68)
>         at org.jclouds.rest.suppliers.MemoizedRetryOnTimeOutButNotOn
> AuthorizationExceptionSupplier$SetAndThrowAuthorizationExcept
> ionSupplierBackedLoader.load(MemoizedRetryOnTimeOutButNotOn
> AuthorizationExceptionSupplier.java:73)
>         at org.jclouds.rest.suppliers.MemoizedRetryOnTimeOutButNotOn
> AuthorizationExceptionSupplier$SetAndThrowAuthorizationExcept
> ionSupplierBackedLoader.load(MemoizedRetryOnTimeOutButNotOn
> AuthorizationExceptionSupplier.java:57)
>         at com.google.common.cache.LocalCache$LoadingValueReference.
> loadFuture(LocalCache.java:3542)
>         at com.google.common.cache.LocalCache$Segment.loadSync(
> LocalCache.java:2323)
>         at com.google.common.cache.LocalCache$Segment.
> lockedGetOrLoad(LocalCache.java:2286)
>         at com.google.common.cache.LocalCache$Segment.get(
> LocalCache.java:2201)
>         at com.google.common.cache.LocalCache.get(LocalCache.java:3953)
>         at com.google.common.cache.LocalCache.getOrLoad(
> LocalCache.java:3957)
>         at com.google.common.cache.LocalCache$LocalLoadingCache.
> get(LocalCache.java:4875)
>         at org.jclouds.rest.suppliers.MemoizedRetryOnTimeOutButNotOn
> AuthorizationExceptionSupplier.get(MemoizedRetryOnTimeOutButNotOn
> AuthorizationExceptionSupplier.java:119)
>         at org.jclouds.aws.ec2.compute.strategy.AWSEC2ListNodesStrategy.
> pollRunningInstances(AWSEC2ListNodesStrategy.java:65)
>         at org.jclouds.ec2.compute.strategy.EC2ListNodesStrategy.
> listDetailsOnNodesMatching(EC2ListNodesStrategy.java:107)
>         at org.jclouds.ec2.compute.strategy.EC2ListNodesStrategy.
> listNodes(EC2ListNodesStrategy.java:86)
>         at org.jclouds.ec2.compute.strategy.EC2ListNodesStrategy.
> listNodes(EC2ListNodesStrategy.java:58)
>         at org.jclouds.compute.internal.BaseComputeService.listNodes(
> BaseComputeService.java:335)
>         at com.netflix.simianarmy.client.aws.AWSClient.getJcloudsNode(
> AWSClient.java:910)
>         at com.netflix.simianarmy.client.aws.AWSClient.connectSsh(
> AWSClient.java:888)
>         at com.netflix.simianarmy.chaos.ChaosInstance.connectSsh(
> ChaosInstance.java:122)
>         at com.netflix.simianarmy.chaos.ChaosInstance.canConnectSsh(
> ChaosInstance.java:101)
>         at com.netflix.simianarmy.chaos.ScriptChaosType.canApply(
> ScriptChaosType.java:60)
>         at com.netflix.simianarmy.basic.chaos.BasicChaosMonkey.
> pickChaosType(BasicChaosMonkey.java:141)
>         at com.netflix.simianarmy.basic.chaos.BasicChaosMonkey.
> doMonkeyBusiness(BasicChaosMonkey.java:121)
>         at com.netflix.simianarmy.Monkey.run(Monkey.java:134)
>         at com.netflix.simianarmy.Monkey$1.run(Monkey.java:155)
>         at java.util.concurrent.Executors$RunnableAdapter.
> call(Executors.java:511)
>         at java.util.concurrent.FutureTask.runAndReset(
> FutureTask.java:308)
>         at java.util.concurrent.ScheduledThreadPoolExecutor$
> ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180)
>         at java.util.concurrent.ScheduledThreadPoolExecutor$
> ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294)
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(
> ThreadPoolExecutor.java:1149)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(
> ThreadPoolExecutor.java:624)
>         at java.lang.Thread.run(Thread.java:748)
> Caused by: org.jclouds.http.HttpResponseException: request: POST
> https://ec2.us-east-1.amazonaws.com/ HTTP/1.1  [Action=DescribeRegions]
> failed with response: HTTP/1.1 401 Unauthorized
>         at org.jclouds.aws.handlers.ParseAWSErrorFromXmlContent.
> handleError(ParseAWSErrorFromXmlContent.java:63)
>         ... 55 more
> 2018-06-18 03:52:56.742 - WARN  ScriptChaosType -
> [ScriptChaosType.java:61] Strategy disabled because SSH credentials failed
>
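
The two suggestions made in this thread, reading the role's temporary keys from the instance metadata and handing them to jclouds together with the session token through ContextBuilder.credentialsSupplier, combined in one added example (not code from the thread, jclouds or SimianArmy). The class and method names are hypothetical; the metadata address, paths and header names are the ones AWS documents for IMDSv2 and do not appear in the thread; Java 8 and the Guava and Gson jars that jclouds already depends on are assumed.

```java
import com.google.common.base.Supplier;
import com.google.common.io.CharStreams;
import com.google.gson.JsonObject;
import com.google.gson.JsonParser;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.time.Instant;
import java.util.Date;
import org.jclouds.ContextBuilder;
import org.jclouds.aws.domain.SessionCredentials;
import org.jclouds.compute.ComputeServiceContext;
import org.jclouds.domain.Credentials;

// Added example: RoleCredentialsSupplier and its method names are hypothetical.
public class RoleCredentialsSupplier implements Supplier<Credentials> {
   private static final String IMDS = "http://169.254.169.254";
   // Re-read this long before expiry so no request is signed with a stale token.
   private static final Duration REFRESH_MARGIN = Duration.ofMinutes(5);
   private final Supplier<String> document; // yields the role's credential JSON
   private SessionCredentials cached;
   private Instant expiresAt = Instant.EPOCH;

   public RoleCredentialsSupplier(Supplier<String> document) {
      this.document = document;
   }

   @Override
   public synchronized Credentials get() {
      if (cached == null || Instant.now().isAfter(expiresAt.minus(REFRESH_MARGIN))) {
         JsonObject doc = new JsonParser().parse(document.get()).getAsJsonObject();
         Instant expiry = Instant.parse(required(doc, "Expiration"));
         cached = SessionCredentials.builder()
               .accessKeyId(required(doc, "AccessKeyId"))
               .secretAccessKey(required(doc, "SecretAccessKey"))
               .sessionToken(required(doc, "Token")) // what a bare key pair lacks
               .expiration(Date.from(expiry))
               .build();
         expiresAt = expiry;
      }
      return cached;
   }

   // Name the missing field, never echo the document: it holds the secret key.
   private static String required(JsonObject doc, String field) {
      if (!doc.has(field) || doc.get(field).isJsonNull()) {
         throw new IllegalStateException("credential document has no " + field);
      }
      return doc.get(field).getAsString();
   }

   // Source for code running on an instance with the role attached (IMDSv2 flow).
   public static Supplier<String> instanceMetadata(String roleName) {
      return () -> {
         String token = http("PUT", IMDS + "/latest/api/token",
               "X-aws-ec2-metadata-token-ttl-seconds", "60");
         return http("GET", IMDS + "/latest/meta-data/iam/security-credentials/" + roleName,
               "X-aws-ec2-metadata-token", token);
      };
   }

   private static String http(String method, String url, String header, String value) {
      try {
         HttpURLConnection c = (HttpURLConnection) new URL(url).openConnection();
         c.setRequestMethod(method);
         c.setConnectTimeout(2000);
         c.setReadTimeout(2000);
         c.setRequestProperty(header, value);
         try (InputStreamReader r = new InputStreamReader(c.getInputStream(), StandardCharsets.UTF_8)) {
            return CharStreams.toString(r);
         }
      } catch (IOException e) {
         throw new IllegalStateException("metadata request failed: " + method + " " + url, e);
      }
   }

   // The supplier takes the place of ContextBuilder.credentials(accessKey, secretKey).
   public static ComputeServiceContext connect(String roleName) {
      return ContextBuilder.newBuilder("aws-ec2")
            .credentialsSupplier(new RoleCredentialsSupplier(instanceMetadata(roleName)))
            .buildView(ComputeServiceContext.class);
   }

   public static void main(String[] args) {
      // Constructed document in the instance-metadata shape; every value is fake.
      final int[] reads = {0};
      final String sample = "{\"Code\":\"Success\",\"AccessKeyId\":\"ASIAEXAMPLEKEYID\","
            + "\"SecretAccessKey\":\"constructed-secret\",\"Token\":\"constructed-token\","
            + "\"Expiration\":\"" + Instant.now().plus(Duration.ofHours(1)) + "\"}";
      RoleCredentialsSupplier s = new RoleCredentialsSupplier(() -> { reads[0]++; return sample; });
      Credentials first = s.get();
      Credentials second = s.get(); // an hour from expiry: served from the cache
      System.out.println(first.identity + " reused=" + (first == second) + " reads=" + reads[0]);
   }
}
```

main() runs offline against the constructed document; connect() needs the jclouds aws-ec2 provider on the classpath and an instance with the role attached.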

Re: Issue with jclouds computeService listNodes() ?

Posted by ar...@gmail.com, ar...@gmail.com.
Hi Andrea,
Thanks for the reply. I am somewhat new (learning today) to Jclouds. But after facing this issue for the past 2 days and reading some blog posts, a lot of places say it might be an IAM role issue. Here is the stacktrace:

2018-06-18 03:52:56.701 - WARN  ChaosInstance - [ChaosInstance.java:105] Error making SSH connection to instance
org.jclouds.rest.AuthorizationException: POST https://ec2.us-east-1.amazonaws.com/ HTTP/1.1 -> HTTP/1.1 401 Unauthorized
        at org.jclouds.aws.handlers.ParseAWSErrorFromXmlContent.refineException(ParseAWSErrorFromXmlContent.java:122)
        at org.jclouds.aws.handlers.ParseAWSErrorFromXmlContent.handleError(ParseAWSErrorFromXmlContent.java:89)
        at org.jclouds.http.handlers.DelegatingErrorHandler.handleError(DelegatingErrorHandler.java:65)
        at org.jclouds.http.internal.BaseHttpCommandExecutorService.shouldContinue(BaseHttpCommandExecutorService.java:132)
        at org.jclouds.http.internal.BaseHttpCommandExecutorService.invoke(BaseHttpCommandExecutorService.java:101)
        at org.jclouds.rest.internal.InvokeHttpMethod.invoke(InvokeHttpMethod.java:90)
        at org.jclouds.rest.internal.InvokeHttpMethod.apply(InvokeHttpMethod.java:73)
        at org.jclouds.rest.internal.InvokeHttpMethod.apply(InvokeHttpMethod.java:44)
        at org.jclouds.reflect.FunctionalReflection$FunctionalInvocationHandler.handleInvocation(FunctionalReflection.java:117)
        at com.google.common.reflect.AbstractInvocationHandler.invoke(AbstractInvocationHandler.java:87)
        at com.sun.proxy.$Proxy174.describeRegions(Unknown Source)
        at org.jclouds.ec2.suppliers.DescribeRegionsForRegionURIs.get(DescribeRegionsForRegionURIs.java:50)
        at org.jclouds.ec2.suppliers.DescribeRegionsForRegionURIs.get(DescribeRegionsForRegionURIs.java:38)
        at org.jclouds.rest.suppliers.MemoizedRetryOnTimeOutButNotOnAuthorizationExceptionSupplier$SetAndThrowAuthorizationExceptionSupplierBackedLoader.load(MemoizedRetryOnTimeOutButNotOnAuthorizationExceptionSupplier.java:73)
        at org.jclouds.rest.suppliers.MemoizedRetryOnTimeOutButNotOnAuthorizationExceptionSupplier$SetAndThrowAuthorizationExceptionSupplierBackedLoader.load(MemoizedRetryOnTimeOutButNotOnAuthorizationExceptionSupplier.java:57)
        at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3542)
        at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2323)
        at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2286)
        at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2201)
        at com.google.common.cache.LocalCache.get(LocalCache.java:3953)
        at com.google.common.cache.LocalCache.getOrLoad(LocalCache.java:3957)
        at com.google.common.cache.LocalCache$LocalLoadingCache.get(LocalCache.java:4875)
        at org.jclouds.rest.suppliers.MemoizedRetryOnTimeOutButNotOnAuthorizationExceptionSupplier.get(MemoizedRetryOnTimeOutButNotOnAuthorizationExceptionSupplier.java:119)
        at org.jclouds.location.suppliers.derived.RegionIdsFromRegionIdToURIKeySet.get(RegionIdsFromRegionIdToURIKeySet.java:45)
        at org.jclouds.location.suppliers.derived.RegionIdsFromRegionIdToURIKeySet.get(RegionIdsFromRegionIdToURIKeySet.java:33)
        at com.google.common.base.Suppliers$SupplierComposition.get(Suppliers.java:68)
        at org.jclouds.rest.suppliers.MemoizedRetryOnTimeOutButNotOnAuthorizationExceptionSupplier$SetAndThrowAuthorizationExceptionSupplierBackedLoader.load(MemoizedRetryOnTimeOutButNotOnAuthorizationExceptionSupplier.java:73)
        at org.jclouds.rest.suppliers.MemoizedRetryOnTimeOutButNotOnAuthorizationExceptionSupplier$SetAndThrowAuthorizationExceptionSupplierBackedLoader.load(MemoizedRetryOnTimeOutButNotOnAuthorizationExceptionSupplier.java:57)
        at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3542)
        at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2323)
        at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2286)
        at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2201)
        at com.google.common.cache.LocalCache.get(LocalCache.java:3953)
        at com.google.common.cache.LocalCache.getOrLoad(LocalCache.java:3957)
        at com.google.common.cache.LocalCache$LocalLoadingCache.get(LocalCache.java:4875)
        at org.jclouds.rest.suppliers.MemoizedRetryOnTimeOutButNotOnAuthorizationExceptionSupplier.get(MemoizedRetryOnTimeOutButNotOnAuthorizationExceptionSupplier.java:119)
        at org.jclouds.aws.ec2.compute.strategy.AWSEC2ListNodesStrategy.pollRunningInstances(AWSEC2ListNodesStrategy.java:65)
        at org.jclouds.ec2.compute.strategy.EC2ListNodesStrategy.listDetailsOnNodesMatching(EC2ListNodesStrategy.java:107)
        at org.jclouds.ec2.compute.strategy.EC2ListNodesStrategy.listNodes(EC2ListNodesStrategy.java:86)
        at org.jclouds.ec2.compute.strategy.EC2ListNodesStrategy.listNodes(EC2ListNodesStrategy.java:58)
        at org.jclouds.compute.internal.BaseComputeService.listNodes(BaseComputeService.java:335)
        at com.netflix.simianarmy.client.aws.AWSClient.getJcloudsNode(AWSClient.java:910)
        at com.netflix.simianarmy.client.aws.AWSClient.connectSsh(AWSClient.java:888)
        at com.netflix.simianarmy.chaos.ChaosInstance.connectSsh(ChaosInstance.java:122)
        at com.netflix.simianarmy.chaos.ChaosInstance.canConnectSsh(ChaosInstance.java:101)
        at com.netflix.simianarmy.chaos.ScriptChaosType.canApply(ScriptChaosType.java:60)
        at com.netflix.simianarmy.basic.chaos.BasicChaosMonkey.pickChaosType(BasicChaosMonkey.java:141)
        at com.netflix.simianarmy.basic.chaos.BasicChaosMonkey.doMonkeyBusiness(BasicChaosMonkey.java:121)
        at com.netflix.simianarmy.Monkey.run(Monkey.java:134)
        at com.netflix.simianarmy.Monkey$1.run(Monkey.java:155)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
        at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308)
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180)
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)
Caused by: org.jclouds.http.HttpResponseException: request: POST https://ec2.us-east-1.amazonaws.com/ HTTP/1.1  [Action=DescribeRegions] failed with response: HTTP/1.1 401 Unauthorized
        at org.jclouds.aws.handlers.ParseAWSErrorFromXmlContent.handleError(ParseAWSErrorFromXmlContent.java:63)
        ... 55 more
2018-06-18 03:52:56.742 - WARN  ScriptChaosType - [ScriptChaosType.java:61] Strategy disabled because SSH credentials failed

Re: Issue with jclouds computeService listNodes() ?

Posted by Andrea Turli <an...@gmail.com>.
Hi Archana,

I don't see any particular reason listNodes would behave differently when
using IAM role vs Access Key and Secret Key - once the Ec2Api is configured
to use org.jclouds.aws.domain.SessionCredentials everything should just
work.

Is listNodes the only failing one? Can you share the stacktrace of a
failing call?
Could you double check listAssignableLocations() or listImages() with the
same IAM role? If they work, can it be related to weird IAM permissions?

HTH,
Andrea

On Wed, Jun 20, 2018 at 8:01 AM archieprad@gmail.com <ar...@gmail.com>
wrote:

> Hi All,
> I am trying to SSH from one EC2 instance into another using Netflix's
> Simian Army. I am using an IAM role instead of Access key and Secret key.
> Wondering if there is an issue with calling listNodes() when using an IAM
> role. Any insight on this, or any workaround on the issue is helpful.
>
> Cheers
> Archana
>
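The configuration Andrea describes (a jclouds aws-ec2 context that signs with org.jclouds.aws.domain.SessionCredentials), shown as an added example that is not part of the original thread and is not jclouds or Simian Army code. The class name is hypothetical, and the example assumes the jclouds aws-ec2 provider and the AWS SDK for Java v1 are on the classpath and that it runs on an EC2 instance with an instance profile attached.

```java
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.AWSSessionCredentials;
import com.amazonaws.auth.InstanceProfileCredentialsProvider;
import com.google.common.base.Supplier;
import org.jclouds.ContextBuilder;
import org.jclouds.aws.domain.SessionCredentials;
import org.jclouds.compute.ComputeServiceContext;
import org.jclouds.compute.domain.ComputeMetadata;
import org.jclouds.domain.Credentials;

// Hypothetical class name; assumes jclouds aws-ec2 and AWS SDK for Java v1 on the classpath.
public class IamRoleListNodes {

    // Reads the AWS provider on every call, so the supplier never hands out
    // a token that the instance profile has already rotated.
    static Supplier<Credentials> jcloudsCredentials(final AWSCredentialsProvider provider) {
        return new Supplier<Credentials>() {
            @Override
            public Credentials get() {
                AWSCredentials aws = provider.getCredentials();
                if (aws instanceof AWSSessionCredentials) {
                    // Temporary (role) credentials: the session token must travel with
                    // the key pair, otherwise EC2 rejects the signed request.
                    return SessionCredentials.builder()
                            .accessKeyId(aws.getAWSAccessKeyId())
                            .secretAccessKey(aws.getAWSSecretKey())
                            .sessionToken(((AWSSessionCredentials) aws).getSessionToken())
                            .build();
                }
                // Long-lived access key / secret key pair: no token involved.
                return new Credentials(aws.getAWSAccessKeyId(), aws.getAWSSecretKey());
            }
        };
    }

    public static void main(String[] args) {
        AWSCredentialsProvider provider = InstanceProfileCredentialsProvider.getInstance();
        ComputeServiceContext context = ContextBuilder.newBuilder("aws-ec2")
                .credentialsSupplier(jcloudsCredentials(provider))
                .buildView(ComputeServiceContext.class);
        try {
            for (ComputeMetadata node : context.getComputeService().listNodes()) {
                System.out.println(node.getId() + " " + node.getName());
            }
        } finally {
            context.close();
        }
    }
}
```

Building the context with `credentials(accessKey, secretKey)` instead passes only the key pair to jclouds, which is sufficient for long-lived keys but leaves out the session token that temporary role credentials need.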