Kindly add permission troubleshooting tips #124

Open
holyjak opened this issue Mar 29, 2019 · 0 comments
holyjak commented Mar 29, 2019

Hello! It would be awesome if the Readme could be extended with troubleshooting tips for permissions. I will provide two examples where I lost quite a while due to this.

Example 1: Bad keys

I have reused the existing AWS creds setup we already had for ECR

  aws-credentials: &aws-credentials
    aws_access_key_id:     ((dev-access-key))
    aws_secret_access_key: ((dev-secret-key))
    aws_session_token:     ((dev-session-token))
    region_name:       "eu-west-1"
# ...
  - name: builds-bucket
    type: s3
    source:
      bucket: my-bucket
      <<: *aws-credentials
      # ...

not noticing that S3 uses different keys. While get succeeded, put failed with

AccessDenied: Anonymous users cannot initiate multipart uploads. Please authenticate. status code: 403

Example 2: Missing token due to a typo

I fixed the keys but made a typo, forgetting a ):

  aws-credentials-s3: &aws-credentials-s3
    access_key_id:     ((dev-access-key))
    secret_access_key: ((dev-secret-key))
    session_token:     ((dev-session-token) # <----
    region_name:       "eu-west-1"

Now it failed with the clear, but for me puzzling,

InvalidToken: The provided token is malformed or otherwise invalid. status code: 400

What would have helped me

I can fly -t myteam hijack -job=mypipeline/myjob and enter the S3 Docker for put but what next?

  • How can I see what credentials were supplied to the task? (In #1 those would be empty, in #2 the token would be ((dev-session-token) instead of the expected value.) I do not have them since they come from Concourse variables (which I could likely look up in AWS Secrets Manager or where we have them); moreover, I also need to see that they were passed correctly to the S3 resource
  • How can I manually check whether access to the bucket is allowed? I guess I could issue a few commands (which?) to install awscli and use that manually to try to upload - but again I'd need the credentials

Thank you!!!
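
Both failures reported above can be caught in the pipeline file itself, before it is set and without reading any secret value. The following is an added example, not part of the original issue or the project's code: a line-based check that flags unbalanced `((var))` placeholders and `aws_`-prefixed keys merged into a `type: s3` resource. The function name `lint_pipeline`, the `creds:` parent key in the constructed sample, and the use of the second snippet's key names as the expected ones are assumptions.

```python
import re

# Key names from the issue's corrected snippet; assumed to be what s3 expects.
S3_KEYS = {"access_key_id", "secret_access_key", "session_token", "region_name"}
LINE = re.compile(r"^(\s*)(-\s+)?([\w<-]+):\s*(.*)$")   # indent, "- ", key, value
GOOD_VAR = re.compile(r"\(\([^()]+\)\)")                # well-formed ((var))
# Constructed sample built from the issue's two snippets ("creds:" is assumed).
SAMPLE = """\
creds:
  aws-credentials: &aws-credentials
    aws_access_key_id:     ((dev-access-key))
    aws_session_token:     ((dev-session-token))
  aws-credentials-s3: &aws-credentials-s3
    access_key_id:     ((dev-access-key))
    session_token:     ((dev-session-token) # <----
resources:
  - name: builds-bucket
    type: s3
    source:
      <<: *aws-credentials
"""

def lint_pipeline(text):
    """Return (line_no, message) findings; no variable is ever resolved."""
    findings, anchors, anchor, depth, res_type = [], {}, None, -1, None
    for no, raw in enumerate(text.splitlines(), 1):
        m = LINE.match(raw)
        if not m:
            continue
        indent, key = len(m.group(1)), m.group(3)
        value = re.sub(r"(^|\s)#.*$", "", m.group(4)).strip()
        # Anything like "((" or "))" left after removing good vars is a typo.
        if re.search(r"\(\(|\)\)", GOOD_VAR.sub("", value)):
            findings.append((no, f"malformed ((var)) placeholder in '{key}'"))
        anchor = None if indent <= depth else anchor  # left anchored mapping
        if value.startswith("&"):
            anchor, depth = value[1:], indent  # start collecting its keys
        elif anchor:
            anchors.setdefault(anchor, []).append(key)
        if m.group(2) or key == "type":        # new list item or its type
            res_type = value if key == "type" else None
        elif res_type == "s3":                 # expand "<<: *anchor" merges
            used = anchors.get(value[1:], []) if key == "<<" else [key]
            findings += [(no, f"s3 source key '{k}' should be '{k[4:]}'")
                         for k in used if k[:4] == "aws_" and k[4:] in S3_KEYS]
    return findings

if __name__ == "__main__":
    for line_no, message in lint_pipeline(SAMPLE):
        print(f"line {line_no}: {message}")
```

The check works on the text as written, so it relies on `type:` appearing before `source:` in each resource, as in the snippets above.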
