
Probably, the problem is in VPC/security groups/policies. What should I pay attention to?

The stack is as follows:

com.veracode.security.logging.SecureExceptionWrapper: AWS was not able to validate the provided access credentials (Service: AmazonEC2; Status Code: 401; Error Code: AuthFailure; Request ID: 6777ec95-8167-4311-b46e-e40ce7043034)
com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1640)
com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1304)
com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1058)
com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:743)
com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:717)
com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:699)
com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:667)
com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:649)
com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:513)
com.amazonaws.services.ec2.AmazonEC2Client.doInvoke(AmazonEC2Client.java:13611)
com.amazonaws.services.ec2.AmazonEC2Client.invoke(AmazonEC2Client.java:13587)
com.amazonaws.services.ec2.AmazonEC2Client.executeDescribeSubnets(AmazonEC2Client.java:8308)
com.amazonaws.services.ec2.AmazonEC2Client.describeSubnets(AmazonEC2Client.java:8284)
com.company.was.jobservice.utils.ec2.AmazonEC2ClientWrapper.describeSubnets(AmazonEC2ClientWrapper.java:112)

I also checked the policies; one of the policies is:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "ec2:CreateTags"
      ],
      "Resource": "*"
    }
  ]
}

Will this policy cover describeSubnets?

Alex

1 Answer


The problem doesn't seem to be linked to VPC or security groups.

You need to (1) correctly configure your credentials and (2) have the correct IAM policy to call describeSubnets, something like:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:DescribeSubnets"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

You might want to be more restrictive on the Resource field to narrow it to specific subnets.

jogold
  • Added the policy - does it cover DescribeSubnets? – Alex Apr 22 '19 at 21:52
  • Yes, it does. Have a look at the credentials configuration and confirm that you are using the credentials of the user/role having the policy you are showing. – jogold Apr 22 '19 at 21:57
  • Also check your system time, as explained in https://stackoverflow.com/questions/27685288/aws-was-not-able-to-validate-the-provided-access-credentials – jogold Apr 22 '19 at 22:00
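The three checks discussed in this thread (does `ec2:Describe*` cover `ec2:DescribeSubnets`, is the error about credentials or about permissions, is the system clock off), as an added example that is not part of the original posts. The function names are hypothetical, the policy evaluation is deliberately simplified (it ignores `Resource`, `Condition`, `NotAction` and any other attached policies), and the `Date` header value used with it is constructed.

```python
import json
import re
from email.utils import parsedate_to_datetime

# Policy from the question, reproduced as posted.
QUESTION_POLICY = json.loads("""
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow",
  "Action": [ "ec2:Describe*", "ec2:CreateTags" ], "Resource": "*" } ] }
""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, action):
    # IAM action patterns: '*' is any run of characters, '?' is one character;
    # action names are compared case-insensitively.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def policy_allows(policy, action):
    """Simplified evaluation of one policy: an explicit Deny wins,
    otherwise any matching Allow grants the action."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if any(_matches(p, action) for p in _as_list(stmt.get("Action", []))):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def classify_error(error_code):
    # AuthFailure: the credentials or request signature could not be validated.
    # UnauthorizedOperation: valid credentials, but IAM does not permit the call.
    return {"AuthFailure": "authentication",
            "UnauthorizedOperation": "authorization"}.get(error_code, "other")

def clock_skew_seconds(date_header, local_now):
    # Compare the local clock (timezone-aware) with the Date header
    # of any HTTP response received from the service.
    return abs((local_now - parsedate_to_datetime(date_header)).total_seconds())
```

The `AuthFailure` code in the stack trace classifies as an authentication failure, which is why the policy (which does cover `DescribeSubnets`) is not the place to look first.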