AWS IAM Authenticator failing to authenticate

Hello Community,

I have set up the IAM authenticator for the Conjur instance, and when I try to authenticate to the webservice from the EC2 instance I am getting a 401 unauthorized error message. I have looked at $Conjururl/info and see that the authenticator is enabled. I verified the policies and I see that the role has permissions to read and authenticate to the webservice and to read the secrets as well. I am trying to check what else needs to be checked and how to troubleshoot the issue. Thank you

Error message

The audit log shows the CONJ00002E Invalid credentials error message.

Hi sjohnkennedy,

Seeing the code on the client side would help with troubleshooting.

Also you can check audit events of the specific host:
Log into UI -> navigate to the host -> scroll down to audit logs (Sometimes you can get more information from there)

Validating that the host login on the client app is the same as the one defined within policy also helps me a lot.

Thanks,
Andrew

Hi @AndrewCopeland .

Thanks for the quick response. I looked at it already and I am getting the CONJ00002E Invalid credentials error message.

It looks like the correct host ID is being used and the authenticator is enabled.
Next thing I would do is validate the AWS Account Number and that the IAM role is actually assigned to the client EC2 instance.

Thanks,
Andrew

@AndrewCopeland

I verified the IAM role assigned by looking at `curl http://169.254.169.254/latest/meta-data/iam/info`. I see the instanceprofileArn matching the role name, and the account number looks accurate as well.

Do you think opening a support ticket would be the best step to move forward from here?

The problem was the AWS Account ID specified in the !host was not a valid AWS Account ID.

I think I will be adding a check into the library that will validate the AWS Account ID before attempting to authenticate.

Thanks,
Andrew

@AndrewCopeland Thank you and appreciate all the Support. Hope this helps someone else :slight_smile:

I also added a small check in the library to validate the account number provided is of the correct length. Hopefully this will help in the future. The code change can be found here: https://github.com/cyberark/conjur-authn-iam-client-python/commit/a60fcff901948b5fe7b0bb5666858328039df8ae
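As an added example (not the library's own code nor a commit from this thread), the following Python script reproduces the two checks the thread converged on: that the AWS account ID written into the Conjur host ID is a well-formed 12-digit account number, and that it matches the account in the `InstanceProfileArn` returned by the instance metadata `iam/info` document. It assumes the host ID layout `host/<policy>/<aws-account-id>/<iam-role-name>`; the account number, profile name and host ID below are constructed sample values.

```python
import re
from typing import Dict, List

# Constructed sample of the instance-metadata "iam/info" document
# (http://169.254.169.254/latest/meta-data/iam/info); values are made up.
SAMPLE_IAM_INFO: Dict[str, str] = {
    "Code": "Success",
    "InstanceProfileArn": "arn:aws:iam::123456789012:instance-profile/my-app-profile",
    "InstanceProfileId": "AIPAEXAMPLEID000000",
}

# AWS account IDs are exactly 12 decimal digits (leading zeros included).
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def is_valid_account_id(account_id: str) -> bool:
    """True only for a 12-digit account number; a missing leading zero fails."""
    return bool(ACCOUNT_ID_RE.match(account_id))


def account_id_from_arn(arn: str) -> str:
    """Return the account field of an ARN (arn:partition:service:region:account:resource)."""
    parts = arn.split(":")
    if len(parts) < 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return parts[4]


def account_id_from_host_id(host_id: str) -> str:
    """Assumed layout host/<policy>/<aws-account-id>/<iam-role-name>: the account is
    the second-to-last path segment."""
    segments = host_id.strip("/").split("/")
    if len(segments) < 3:
        raise ValueError(f"host ID too short to contain an account ID: {host_id!r}")
    return segments[-2]


def check_host_against_metadata(host_id: str, iam_info: Dict[str, str]) -> List[str]:
    """Return a list of mismatches; an empty list means the host ID and the
    instance's IAM metadata are consistent before any authn request is sent."""
    problems: List[str] = []
    policy_account = account_id_from_host_id(host_id)
    if not is_valid_account_id(policy_account):
        problems.append(f"account ID in host ID {policy_account!r} is not 12 digits")
    try:
        instance_account = account_id_from_arn(iam_info.get("InstanceProfileArn", ""))
    except ValueError as exc:
        problems.append(str(exc))
        return problems
    if policy_account != instance_account:
        problems.append(f"host ID account {policy_account} != instance account {instance_account}")
    return problems
```

Run it against the account ID from your `!host` policy entry before raising a support ticket; the CONJ00002E case in this thread would have been caught by the first check.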
