AWS Powershell commands fail with AssumeRole error #169

Open
rpatrick00 opened this issue Aug 4, 2020 · 11 comments
Labels
bug This issue is a bug. module/powershell-cmdlets p2 This is a standard priority issue queued v5

Comments

@rpatrick00

rpatrick00 commented Aug 4, 2020

Since my company uses subaccounts, I have set up the required profiles and credentials in my %USERPROFILE%\.aws directory. These are working fine with the aws cli commands:

    C:\>aws ec2 describe-instances --profile ody-gov-engineer
    {
        "Reservations": []
    }

    C:\>

Unfortunately, the PowerShell commands are failing with an error:

    PS C:\> Get-AWSCredential -ListProfileDetail

    ProfileName      StoreTypeName         ProfileLocation
    -----------      -------------         ---------------
    default          SharedCredentialsFile C:\Users\robert.h.patrick\.aws\credentials
    govcloud         SharedCredentialsFile C:\Users\robert.h.patrick\.aws\credentials
    ody-gov-engineer SharedCredentialsFile C:\Users\robert.h.patrick\.aws\credentials

    PS C:\> Set-AWSCredential -ProfileName ody-gov-engineer
    PS C:\> Get-EC2Instance
    Get-EC2Instance : Error calling AssumeRole for role arn:aws-us-gov:iam::############:role/Sandbox_Administrator
    At line:1 char:1
    + Get-EC2Instance
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (Amazon.PowerShe...2InstanceCmdlet:GetEC2InstanceCmdlet) [Get-EC2Instance], InvalidOperationException
        + FullyQualifiedErrorId : Amazon.Runtime.AmazonClientException,Amazon.PowerShell.Cmdlets.EC2.GetEC2InstanceCmdlet

    PS C:\>

Surely I am just doing something wrong... Any idea how to make this work properly?
@ashishdhingra ashishdhingra added guidance Question that needs advice or information. module/powershell-cmdlets labels Aug 4, 2020
@ashishdhingra
Contributor

ashishdhingra commented Aug 4, 2020

Hi @rpatrick00,

Good afternoon.

At first glance this appears to be an IAM policy issue.

Could you please try using -ProfileName argument to see if it works. For example,

Get-EC2Instance -ProfileName ode-gov-engineer

Also try checking the information provided at Troubleshooting IAM Assume Role Errors and see if setting up the Trust policy helps.

Thanks,
Ashish

@rpatrick00
Author

Will do. If it wasn’t clear, please note that the same credentials/profile works fine with the AWS CLI on the same machine/user so I am somewhat skeptical this has anything to do with the policy.

@rpatrick00
Author

rpatrick00 commented Aug 5, 2020

Hi @ashishdhingra,

So I read the troubleshooting article and am convinced that the policy is correct. When I log into the AWS Console and Switch Roles into the role, it works. As I showed before, the python-based AWS CLI is also working. Just for reference, the policy associated with my IAM user in the master account is:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Resource": [
                "arn:aws-us-gov:iam::XXXXXXXXXXXX:role/Sandbox_Administrator"
            ],
            "Effect": "Allow",
            "Sid": "OdysseyDev"
        }
    ]
}

My ~\.aws\config file looks like this:

[default]
region = us-east-1

[govcloud]
region = us-gov-west-1

[profile ody-gov-engineer]
role_arn = arn:aws-us-gov:iam::XXXXXXXXXXXX:role/Sandbox_Administrator
source_profile = govcloud
region = us-gov-west-1

and my ~\.aws\credentials file looks like this:

[default]
aws_access_key_id = <redacted>
aws_secret_access_key = <redacted>

[govcloud]
aws_access_key_id = <redacted>
aws_secret_access_key = <redacted>

I created an EC2 instance with the console just to show that the AWS CLI is working and the AWS Powershell API is not. Adding the -ProfileName to Get-EC2Instance did not change the error.

PS C:\> aws ec2 describe-instances --profile ody-gov-engineer
{
    "Reservations": [
        {
            "Groups": [],
            "Instances": [
                {
                    "AmiLaunchIndex": 0,
                    "ImageId": "ami-5f58733e",
                    "InstanceId": "i-064ee401d59a5c936",
                    "InstanceType": "t3a.large",
                    "KeyName": "snaplex-devops-key",
                    "LaunchTime": "2020-08-05T17:27:03+00:00",
                    "Monitoring": {
                        "State": "disabled"
                    },
                    "Placement": {
                        "AvailabilityZone": "us-gov-west-1a",
                        "GroupName": "",
                        "Tenancy": "default"
                    },
                    "PrivateDnsName": "ip-172-31-38-85.us-gov-west-1.compute.internal",
                    "PrivateIpAddress": "172.31.38.85",
                    "ProductCodes": [
                        {
                            "ProductCodeId": "39xl0mwguh2jvvy43omu43m66",
                            "ProductCodeType": "marketplace"
                        }
                    ],
                    "PublicDnsName": "ec2-###-###-###-###.us-gov-west-1.compute.amazonaws.com",
                    "PublicIpAddress": "###.###.###.###",
                    "State": {
                        "Code": 16,
                        "Name": "running"
                    },
                    "StateTransitionReason": "",
                    "SubnetId": "subnet-344f8e7d",
                    "VpcId": "vpc-2730d740",
                    "Architecture": "x86_64",
                    "BlockDeviceMappings": [
                        {
                            "DeviceName": "/dev/xvda",
                            "Ebs": {
                                "AttachTime": "2020-08-05T17:27:04+00:00",
                                "DeleteOnTermination": true,
                                "Status": "attached",
                                "VolumeId": "vol-0fa5dbc2ed2cfd63e"
                            }
                        }
                    ],
                    "ClientToken": "##################",
                    "EbsOptimized": true,
                    "EnaSupport": true,
                    "Hypervisor": "xen",
                    "NetworkInterfaces": [
                        {
                            "Association": {
                                "IpOwnerId": "amazon",
                                "PublicDnsName": "ec2-###-###-###-###.us-gov-west-1.compute.amazonaws.com",
                                "PublicIp": "###.###.###.###"
                            },
                            "Attachment": {
                                "AttachTime": "2020-08-05T17:27:03+00:00",
                                "AttachmentId": "eni-attach-0f358c95713644f71",
                                "DeleteOnTermination": true,
                                "DeviceIndex": 0,
                                "Status": "attached"
                            },
                            "Description": "Primary network interface",
                            "Groups": [
                                {
                                    "GroupName": "snaplex-security-group",
                                    "GroupId": "sg-0ca05c3e52f022675"
                                }
                            ],
                            "Ipv6Addresses": [],
                            "MacAddress": "06:8e:1c:05:fb:38",
                            "NetworkInterfaceId": "eni-0eaa0e71b19e7271f",
                            "OwnerId": "############",
                            "PrivateDnsName": "ip-172-31-38-85.us-gov-west-1.compute.internal",
                            "PrivateIpAddress": "172.31.38.85",
                            "PrivateIpAddresses": [
                                {
                                    "Association": {
                                        "IpOwnerId": "amazon",
                                        "PublicDnsName": "ec2-###-###-###-###.us-gov-west-1.compute.amazonaws.com",
                                        "PublicIp": "###.###.###.###"
                                    },
                                    "Primary": true,
                                    "PrivateDnsName": "ip-172-31-38-85.us-gov-west-1.compute.internal",
                                    "PrivateIpAddress": "172.31.38.85"
                                }
                            ],
                            "SourceDestCheck": true,
                            "Status": "in-use",
                            "SubnetId": "subnet-344f8e7d",
                            "VpcId": "vpc-2730d740",
                            "InterfaceType": "interface"
                        }
                    ],
                    "RootDeviceName": "/dev/xvda",
                    "RootDeviceType": "ebs",
                    "SecurityGroups": [
                        {
                            "GroupName": "snaplex-security-group",
                            "GroupId": "sg-0ca05c3e52f022675"
                        }
                    ],
                    "SourceDestCheck": true,
                    "Tags": [
                        {
                            "Key": "Name",
                            "Value": "Snaplex1"
                        }
                    ],
                    "VirtualizationType": "hvm",
                    "CpuOptions": {
                        "CoreCount": 1,
                        "ThreadsPerCore": 2
                    },
                    "CapacityReservationSpecification": {
                        "CapacityReservationPreference": "open"
                    },
                    "HibernationOptions": {
                        "Configured": false
                    },
                    "MetadataOptions": {
                        "State": "applied",
                        "HttpTokens": "optional",
                        "HttpPutResponseHopLimit": 1,
                        "HttpEndpoint": "enabled"
                    }
                }
            ],
            "OwnerId": "XXXXXXXXXXXX",
            "ReservationId": "r-054f74e1e9a6d9adc"
        }
    ]
}

PS C:\> Get-AWSCredential -ListProfileDetail

ProfileName      StoreTypeName         ProfileLocation
-----------      -------------         ---------------
default          SharedCredentialsFile C:\Users\robert.h.patrick\.aws\credentials
govcloud         SharedCredentialsFile C:\Users\robert.h.patrick\.aws\credentials
ody-gov-engineer SharedCredentialsFile C:\Users\robert.h.patrick\.aws\credentials


PS C:\> Set-AWSCredential -ProfileName ody-gov-engineer
PS C:\> get-EC2Instance -ProfileName ody-gov-engineer
get-EC2Instance : Error calling AssumeRole for role arn:aws-us-gov:iam::XXXXXXXXXXXX:role/Sandbox_Administrator
At line:1 char:1
+ get-EC2Instance -ProfileName ody-gov-engineer
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (Amazon.PowerShe...2InstanceCmdlet:GetEC2InstanceCmdlet) [Get-EC2Instance], InvalidOperationException
    + FullyQualifiedErrorId : Amazon.Runtime.AmazonClientException,Amazon.PowerShell.Cmdlets.EC2.GetEC2InstanceCmdlet

PS C:\>

Other Powershell commands are failing with the same AssumeRole error while all AWS CLI commands are working in the same Powershell session.

@rpatrick00
Author

@ashishdhingra

In experimenting with the Use-STSRole cmdlet using the profile, I cannot point at the ody-gov-cloud profile and get it to work. I get the same AssumeRole error.

PS C:\> Use-STSRole -ProfileName ody-gov-engineer -RoleSessionName "OdysseyDev"
Use-STSRole : Error calling AssumeRole for role arn:aws-us-gov:iam::XXXXXXXXXXXX:role/Sandbox_Administrator
At line:1 char:1
+ Use-STSRole -ProfileName ody-gov-engineer -RoleSessionName "OdysseyDe ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (Amazon.PowerShe...seSTSRoleCmdlet:UseSTSRoleCmdlet) [Use-STSRole], InvalidOperationException
    + FullyQualifiedErrorId : Amazon.Runtime.AmazonClientException,Amazon.PowerShell.Cmdlets.STS.UseSTSRoleCmdlet

PS C:\> Use-STSRole -ProfileName ody-gov-engineer -RoleSessionName "OdysseyDev" -Region us-gov-west-1
Use-STSRole : Error calling AssumeRole for role arn:aws-us-gov:iam::XXXXXXXXXXXX:role/Sandbox_Administrator
At line:1 char:1
+ Use-STSRole -ProfileName ody-gov-engineer -RoleSessionName "OdysseyDe ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (Amazon.PowerShe...seSTSRoleCmdlet:UseSTSRoleCmdlet) [Use-STSRole], InvalidOperationException
    + FullyQualifiedErrorId : Amazon.Runtime.AmazonClientException,Amazon.PowerShell.Cmdlets.STS.UseSTSRoleCmdlet

PS C:\> Use-STSRole -ProfileName ody-gov-engineer -RoleSessionName "OdysseyDev" -Region us-gov-west-1 -RoleArn "arn:aws-us-gov:iam::XXXXXXXXXXXX:role/Sandbox_Administrator"
Use-STSRole : Error calling AssumeRole for role arn:aws-us-gov:iam::XXXXXXXXXXXX:role/Sandbox_Administrator
At line:1 char:1
+ Use-STSRole -ProfileName ody-gov-engineer -RoleSessionName "OdysseyDe ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (Amazon.PowerShe...seSTSRoleCmdlet:UseSTSRoleCmdlet) [Use-STSRole], InvalidOperationException
    + FullyQualifiedErrorId : Amazon.Runtime.AmazonClientException,Amazon.PowerShell.Cmdlets.STS.UseSTSRoleCmdlet

PS C:\>

However, as soon as I point at the profile with only my credentials and pass the RoleArn and Region using command-line arguments, it seems to be happy.

PS C:\> Use-STSRole -ProfileName govcloud -RoleSessionName "OdysseyDev" -Region us-gov-west-1 -RoleArn "arn:aws-us-gov:iam::XXXXXXXXXXXX:role/Sandbox_Administrator"

AssumedRoleUser                            Credentials                            PackedPolicySize
---------------                            -----------                            ----------------
Amazon.SecurityToken.Model.AssumedRoleUser Amazon.SecurityToken.Model.Credentials 0


PS C:\>

Unfortunately, when I try to use the credentials, requests to AWS are still failing:

PS C:\> Use-STSRole -ProfileName govcloud -RoleSessionName "OdysseyDev" -Region us-gov-west-1 -RoleArn "arn:aws-us-gov:iam::XXXXXXXXXXXX:role/Sandbox_Administrator"

AssumedRoleUser                            Credentials                            PackedPolicySize
---------------                            -----------                            ----------------
Amazon.SecurityToken.Model.AssumedRoleUser Amazon.SecurityToken.Model.Credentials 0


PS C:\> Get-EC2Instance
Get-EC2Instance : Error calling AssumeRole for role arn:aws-us-gov:iam::XXXXXXXXXXXX:role/Sandbox_Administrator
At line:1 char:1
+ Get-EC2Instance
+ ~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (Amazon.PowerShe...2InstanceCmdlet:GetEC2InstanceCmdlet) [Get-EC2Instance], InvalidOperationException
    + FullyQualifiedErrorId : Amazon.Runtime.AmazonClientException,Amazon.PowerShell.Cmdlets.EC2.GetEC2InstanceCmdlet

PS C:\> Get-EC2Instance -Credential (Use-STSRole  -ProfileName govcloud -RoleSessionName "OdysseyDev" -Region us-gov-west-1 -RoleArn "arn:aws-us-gov:iam::XXXXXXXXXXXX:role/Sandbox_Administrator")
Get-EC2Instance : Cannot bind parameter 'Credential'. Cannot convert the
"Amazon.SecurityToken.Model.AssumeRoleResponse" value of type "Amazon.SecurityToken.Model.AssumeRoleResponse" to type
"Amazon.Runtime.AWSCredentials".
At line:1 char:29
+ ... -Credential (Use-STSRole  -ProfileName govcloud -RoleSessionName "Ody ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Get-EC2Instance], ParameterBindingException
    + FullyQualifiedErrorId : CannotConvertArgumentNoMessage,Amazon.PowerShell.Cmdlets.EC2.GetEC2InstanceCmdlet

PS C:\> Get-EC2Instance -Credential (Use-STSRole  -ProfileName govcloud -RoleSessionName "OdysseyDev" -Region us-gov-west-1 -RoleArn "arn:aws-us-gov:iam::XXXXXXXXXXXX:role/Sandbox_Administrator").Credentials
Get-EC2Instance : AWS was not able to validate the provided access credentials
At line:1 char:1
+ Get-EC2Instance -Credential (Use-STSRole  -ProfileName govcloud -Role ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (Amazon.PowerShe...2InstanceCmdlet:GetEC2InstanceCmdlet) [Get-EC2Instance], InvalidOperationException
    + FullyQualifiedErrorId : Amazon.EC2.AmazonEC2Exception,Amazon.PowerShell.Cmdlets.EC2.GetEC2InstanceCmdlet

PS C:\>

Hopefully this helps to narrow down where the problem might be.

@ashishdhingra ashishdhingra added the bug This issue is a bug. label Aug 5, 2020
@ashishdhingra
Contributor

Hi @rpatrick00,

Thanks for the detailed information. I have marked this as a bug (label). I will coordinate with developer to have a look at it and advise if something is missing, and keep you posted on the updates.

Thanks,
Ashish

@ashishdhingra ashishdhingra added p1 This is a high priority issue and removed guidance Question that needs advice or information. labels Sep 8, 2020
@ashishdhingra ashishdhingra added A and removed p1 This is a high priority issue labels Oct 2, 2020
@github-actions

We have noticed this issue has not received attention in 1 year. We will close this issue for now. If you think this is in error, please feel free to comment and reopen the issue.

@github-actions github-actions bot added closing-soon This issue will automatically close in 4 days unless further comments are made. closed-for-staleness and removed closing-soon This issue will automatically close in 4 days unless further comments are made. labels Oct 23, 2021
@wdolek

wdolek commented Nov 4, 2021

@ashishdhingra Facing the same issue:

  • aws-cli/2.3.3 ✔️ works fine using my default profile, when I pass --profile argument as well
  • AWS.Tools.* 4.1.15.0 👎 not working
> Get-S3Bucket -BucketName le-bucket
Get-S3Bucket: Error calling AssumeRole for role arn:aws:iam::***:role/***

I tried to supply cmdlet with -ProfileName parameter but without any result. What am I missing?

@ashovlin ashovlin reopened this Mar 10, 2023
@ashovlin
Member

ashovlin commented Mar 10, 2023

(reopening, we have a new internal case related to this)

@ashovlin
Member

When using a profile configured with assume role credentials in AWS Tools for PowerShell, I suspect that the STS call to assume the role is being sent to either the global or us-east-1 STS endpoint, which is not valid for GovCloud regions.

I'm able to work around this via the third line below, which directs the AssumeRole call directly, but we need to investigate why the PowerShell-specific methods of configuring the region are not being applied to the STS call.

Set-DefaultAWSRegion -Region us-gov-west-1
$env:AWS_STS_REGIONAL_ENDPOINTS = 'regional'
[Amazon.AWSConfigs]::AWSRegion = "us-gov-west-1"
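The script below is an added example, not code from this thread or from the AWS Tools for PowerShell project. It takes ashovlin's diagnosis at face value (the AssumeRole call from a role_arn/source_profile chain is not being sent to the GovCloud STS endpoint) and sidesteps the profile chain entirely: it pins the region and regional STS endpoints as in the three lines above, performs the AssumeRole itself against the profile that holds only the user's long-lived keys (the call the reporter showed succeeding), builds a proper session credential from all three parts with New-AWSCredential instead of passing the raw Amazon.SecurityToken.Model.Credentials object that failed validation in the thread, and verifies the caller identity before touching EC2. It assumes the AWS.Tools.Common, AWS.Tools.SecurityToken and AWS.Tools.EC2 modules are installed; the profile name, region, role name and session name are taken from the reporter's configuration, and the account id is a placeholder you must replace.

```powershell
#Requires -Modules AWS.Tools.Common, AWS.Tools.SecurityToken, AWS.Tools.EC2
# Added example (not from the thread or the project): assume a GovCloud role explicitly
# instead of relying on the role_arn/source_profile chain this issue reports as failing.
param(
    [string]$SourceProfile = 'govcloud',        # profile holding only user access keys
    [string]$Region        = 'us-gov-west-1',
    # Placeholder account id: replace XXXXXXXXXXXX with the target account.
    [string]$RoleArn       = 'arn:aws-us-gov:iam::XXXXXXXXXXXX:role/Sandbox_Administrator',
    [string]$SessionName   = 'OdysseyDev'
)

$ErrorActionPreference = 'Stop'

# 1. Pin the region and force regional STS endpoints so AssumeRole is signed for and
#    sent to sts.us-gov-west-1.amazonaws.com, not a commercial-partition endpoint.
#    These are the three workaround lines from the comment above.
Set-DefaultAWSRegion -Region $Region
$env:AWS_STS_REGIONAL_ENDPOINTS = 'regional'
[Amazon.AWSConfigs]::AWSRegion = $Region

# 2. Do the AssumeRole ourselves against the key-only profile, passing -Region and
#    -RoleArn explicitly. Short session lifetime: the credentials are cached in memory.
$assumed = Use-STSRole -ProfileName $SourceProfile -Region $Region `
                       -RoleArn $RoleArn -RoleSessionName $SessionName -DurationInSeconds 3600

# 3. Build a session credential object from key, secret AND session token.
#    Passing $assumed.Credentials straight to -Credential is what produced
#    "AWS was not able to validate the provided access credentials" in the thread.
$sessionCred = New-AWSCredential -AccessKey    $assumed.Credentials.AccessKeyId `
                                 -SecretKey    $assumed.Credentials.SecretAccessKey `
                                 -SessionToken $assumed.Credentials.SessionToken

# 4. Check before doing real work: the caller must be the assumed role in the
#    aws-us-gov partition, i.e. arn:aws-us-gov:sts::<account>:assumed-role/<role>/<session>.
$roleName = ($RoleArn -split '/')[-1]
$who = Get-STSCallerIdentity -Credential $sessionCred -Region $Region
if ($who.Arn -notlike "arn:aws-us-gov:sts::*:assumed-role/$roleName/$SessionName") {
    throw "Unexpected caller identity: $($who.Arn)"
}
Write-Host ("Assumed {0}; session expires at {1:u}" -f $who.Arn, $assumed.Credentials.Expiration)

# 5. Pass the credential and region on every call rather than relying on shell-wide
#    defaults, so a later Set-AWSCredential cannot silently swap accounts or partitions.
Get-EC2Instance -Credential $sessionCred -Region $Region |
    Select-Object -ExpandProperty Instances |
    Select-Object InstanceId, InstanceType, @{ n = 'State'; e = { $_.State.Name } },
                  @{ n = 'AZ'; e = { $_.Placement.AvailabilityZone } }
```

If step 2 itself still fails with "Error calling AssumeRole", the problem is upstream of the profile chain: capture the request with `Set-AWSResponseLogging -Level Always` / `Add-AWSLoggingListener` and confirm the STS host the SDK is actually contacting before looking at the trust policy again. If step 2 succeeds but step 4 throws, the session was minted in the wrong partition or for the wrong role, and nothing after it should run.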

@ashishdhingra ashishdhingra added p1 This is a high priority issue and removed needs-review labels Mar 10, 2023
@Jagadeesh-matamala

Get-EC2Instance -ProfileName

Please use the cmdlet below. We had the same issue, and after using this cmdlet we were able to run the script without any issue.
Initialize-AWSDefaults -ProfileName

@ashishdhingra ashishdhingra removed the p1 This is a high priority issue label Jun 14, 2023
@ashishdhingra ashishdhingra added the p2 This is a standard priority issue label Jun 14, 2023
@bhoradc bhoradc added the v5 label Sep 20, 2024

7 participants