salt: v2015.8.0 fails ec2 deploy with 401: "AWS was not able to validate the provided access credentials"
A downgrade to 2015.5.5 confirms that this did work in the earlier release.
Profile:
haproxy-gateway:
extends: base-ec2-linux
private_key: /etc/salt/.ssh/staging-sshkey-proxy.pem
keyname: staging-sshkey-proxy.pem.pub
iam_profile: HAProxyRole
network_interfaces:
- DeviceIndex: 0
PrivateIpAddresses:
- Primary: True
AssociatePublicIpAddress: False
SubnetId: subnet-xxxxx
SecurityGroupId: sg-xxxxx
tag: {'Environment': 'staging', 'Role': 'proxy'}
Response:
[DEBUG ] Using EC2 endpoint: ec2.us-west-2.amazonaws.com
[DEBUG ] EC2 Request: https://ec2.us-west-2.amazonaws.com/
[INFO ] Starting new HTTPS connection (1): ec2.us-west-2.amazonaws.com
[DEBUG ] "GET /?Action=ModifyNetworkInterfaceAttribute&NetworkInterfaceId=eni-71970d17&Attachment.DeleteOnTermination=True&Attachment.AttachmentId=eni-attach-6f56f064&Version=2014-10-01 HTTP/1.1" 401 None
[DEBUG ] EC2 Response Status Code: 401
[ERROR ] EC2 Response Status Code and Error: [401 401 Client Error: Unauthorized] {'Errors': {'Error': {'Message': 'AWS was not able to validate the provided access credentials', 'Code': 'AuthFailure'}}, 'RequestID': '5ac5b0e1-09f2-4f03-9847-7b4936e77861'}
The deploy does continue and does create a running instance, albeit without a network interface.
About this issue
- Original URL
- State: closed
- Created 9 years ago
- Comments: 20 (20 by maintainers)
Commits related to this issue
- Issue #27121 - Attempt to fix missing credentials when modifying eni properties — committed to ruzarowski/salt by ruzarowski 9 years ago
- Issue #27121 - Remove leftover code comment — committed to ruzarowski/salt by ruzarowski 9 years ago
Your suggestion of salt-cloud -u solves the problem.
As has been sorted out #26699, my environment was also an upgrade from 2015.5.5, then a downgrade when encountering the error reported in #27121 and up and down. I’ve saved the /etc/salt directories that were created on each of those upgrades and none of them contain this required directory and script.
Thanks again for your help. Seems there should be an error generated if that script does not exist.