Unable to load AWS credentials from any provider in the chain


Bindu Madhavi V K

Aug 30, 2016, 4:29:18 PM
to Simian Army Users
I have created an IAM instance profile and am trying to run Simian Army from an EC2 instance which is assuming this role.
However, I get the following error: "Unable to load AWS credentials from any provider in the chain"

Whereas it's working when the secret key/access key are hard coded in the client.properties file. The same is not working when I am using the role ARN.
Can you please help debug the issue?

This is the exception I am getting:

2016-08-30 20:24:59.940 - WARN  SimpleDBRecorder - [SimpleDBRecorder.java:287] Error while trying to auto-create SimpleDB domain

com.amazonaws.AmazonClientException: Unable to load AWS credentials from any provider in the chain

Bindu Madhavi V K

Aug 30, 2016, 6:11:25 PM
to Simian Army Users
Any help on this would be much appreciated

Ed Bukoski

Aug 30, 2016, 6:25:57 PM
to Simian Army Users
I looked at the code and it looks OK, some parts of SimianArmy are a little weird about assume role but this should be fine.  We run our SimianArmy using assume role.

From my experience with assume role:

* make sure you set the simianarmy.client.aws.assumeRoleArn property
* if you are using instance profiles, make sure your instance profile can assume role into the role ARN

Another troubleshooting step is to try replicating the commands on the command line on the instance using the aws cli.  This will let you tease out if it is a SimianArmy issue or a permission issue.


--
You received this message because you are subscribed to the Google Groups "Simian Army Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to simianarmy-users+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Bindu Madhavi V K

Aug 30, 2016, 6:33:49 PM
to Simian Army Users
Thanks for your response.
I am setting the following property:
simianarmy.client.aws.assumeRoleArn = arn:aws:iam::<ARN>:role/<Role Name>

AWS CLI commands are going through, so it means it is able to reach AWS.

And one more point is that this instance is behind a proxy.

Ed Bukoski

Aug 30, 2016, 7:05:35 PM
to Simian Army Users
If you are using the latest code, you should see a message like this in the log:
  
   Using STSAssumeRoleSessionCredentialsProvider with assume role <your assumeRoleArn>
If you aren't seeing this there is a config issue.  If you do see this it is something else.



Bindu Madhavi

Aug 30, 2016, 8:10:44 PM
to simianar...@googlegroups.com

Where do I find the logs?



Bindu Madhavi V K

Aug 31, 2016, 1:10:03 AM
to Simian Army Users
Where can I find the logs? Not able to locate the log files.



Bindu Madhavi V K

Aug 31, 2016, 2:03:39 PM
to Simian Army Users
Not finding the location of logs. Can you please let me know where I can find them?

Ed Bukoski

Aug 31, 2016, 4:32:40 PM
to Simian Army Users
Sorry, I can't help you with that; log file location is going to be specific to your OS, config, web server, etc.

We run on Tomcat so SimianArmy log messages appear in catalina.out in the usual location.


Bindu Madhavi V K

Sep 1, 2016, 4:17:14 PM
to Simian Army Users
I am running it on a Linux box. Is there any config file where we specify the location of log files?

Tariq Islam

Sep 7, 2016, 5:20:05 PM
to Simian Army Users
Hi Ed,

Thanks for the help so far. I think where I'm having issues running SimianArmy is setting up the AWS role's policy correctly so that it can be assumed by the instance. Essentially this is what I have:
- I created a new role, CHAOS, that will be assigned to an EC2 instance. I want chaos to run with an assumed role.
- I added the needed policy for chaos (https://github.com/Netflix/SimianArmy/wiki/Quick-Start-Guide#setup-user-or-role-policies), but the additional policy to run chaos with assume role is where I am lost: "There is some additional set up required within AWS (the sts:AssumeRole action must be allowed on this role)" (https://github.com/Netflix/SimianArmy/wiki/Client-Settings#simianarmyclientawsassumerolearn)
- Since the instance itself is getting an instance role of CHAOS, any AWS API calls made from the CLI should pick up the instance role's permissions/keys. It seems to be working from the CLI (I can access the SDB created by chaos, for example), but it is not getting picked up by simianarmy (the property "simianarmy.client.aws.assumeRoleArn" does show that it is picked up upon starting chaos). On a more theoretical point, why should the assume role action be needed on this role, since any program running on that EC2 instance should be able to get that role's API credentials as the EC2 instance itself has that role?

In essence, would you be able to share the AWS policy required to run SimianArmy with assume role? 

Thanks!

Tariq

Ed Bukoski

Sep 8, 2016, 3:55:02 PM
to Simian Army Users
We launch our ASGs with an instance profile that has this policy:
{
    "Statement": [
        {
            "Action": [
                "sts:AssumeRole", 
                "sts:DecodeAuthorizationMessage"
            ], 
            "Effect": "Allow", 
            "Resource": [
                "arn:aws:iam::*:role/JanitorMonkey"
            ]
        }
    ]
}
The * in the Resource section is because we allow Janitor to assume role into multiple accounts.

We have the following in our properties:

simianarmy.client.aws.assumeRoleArn=arn:aws:iam::XXXXXX:role/JanitorMonkey

Where XXXXXX is the account number. The JanitorMonkey profile is: 

arn:aws:iam::XXXXXX:role/JanitorMonkey
{
    "Statement": [
        {
            "Action": [
                "ec2:deletevolume", 
                "ec2:deletesnapshot", 
                "ec2:deregisterimage", 
                "ec2:describeconversiontasks", 
                "ec2:describeexporttasks", 
                "ec2:describeimportsnapshottasks", 
                "ec2:describelicenses", 
                "ec2:describemovingaddresses", 
                "ec2:describenetworkinterfaceattribute", 
                "ec2:describespotdatafeedsubscription", 
                "ec2:describespotfleetinstances", 
                "ec2:describespotfleetrequesthistory", 
                "ec2:reportinstancestatus", 
                "ec2:resetinstanceattribute", 
                "ec2:resetsnapshotattribute", 
                "ec2:unmonitorinstances", 
                "ec2:terminateinstances", 
                "ses:sendemail", 
                 .....etc..... 
            ], 
            "Effect": "Allow", 
            "Resource": [
                "*"
            ]
        }
    ]
}
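
Added example (not part of the thread and not SimianArmy code): an offline Python check that the role ARN set in simianarmy.client.aws.assumeRoleArn is covered by an sts:AssumeRole allow in the instance profile's policy, using the instance-profile policy posted above. The account IDs, sample properties text and function names are constructed for illustration; Condition blocks, NotAction/NotResource and the target role's trust policy are not evaluated.

```python
import re

# Instance-profile policy as posted in the thread.
INSTANCE_PROFILE_POLICY = {"Statement": [{
    "Action": ["sts:AssumeRole", "sts:DecodeAuthorizationMessage"],
    "Effect": "Allow",
    "Resource": ["arn:aws:iam::*:role/JanitorMonkey"],
}]}

# Constructed client.properties content; the account ID is a placeholder.
SAMPLE_PROPERTIES = """\
# constructed sample
simianarmy.client.aws.assumeRoleArn = arn:aws:iam::111111111111:role/JanitorMonkey
"""

def _wild(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' exactly one."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None

def _as_list(v):
    return v if isinstance(v, list) else [v]

def read_assume_role_arn(properties_text):
    """Return the simianarmy.client.aws.assumeRoleArn value, or None if unset."""
    for line in properties_text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.strip() == "simianarmy.client.aws.assumeRoleArn":
            return value.strip() or None
    return None

def allows_assume_role(policy, role_arn):
    """True if a statement allows sts:AssumeRole on role_arn and none denies it."""
    allowed = False
    for st in _as_list(policy.get("Statement", [])):
        hit = (any(_wild(a, "sts:AssumeRole", True) for a in _as_list(st.get("Action", [])))
               and any(_wild(r, role_arn) for r in _as_list(st.get("Resource", []))))
        if hit and st.get("Effect") == "Deny":
            return False  # an explicit Deny always wins
        allowed = allowed or (hit and st.get("Effect") == "Allow")
    return allowed

if __name__ == "__main__":
    arn = read_assume_role_arn(SAMPLE_PROPERTIES)
    print(arn, allows_assume_role(INSTANCE_PROFILE_POLICY, arn))
```

The `*` in the account field matches a role named JanitorMonkey in any account, which is the multi-account setup described above; when only one account is intended, listing explicit account IDs in Resource keeps the grant narrower.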
