I have setup IAM authenticator for the Conjur instance and when I try to authenticate to the webservice from the EC2 instance. I am getting 401 unauthorized error message. I have looked the $Conjururl/info and see that authenticator is enabled. I verified the policies and the I see that the role has permissions to read and authenticate to the webservice and read the secrets as well. I am trying to check what else needs to be checked and how to troubleshoot the issue. Thank you
The Audit log shows CONJ00002E Invalid credentials error message
Seeing the code on the client side would help with troubleshooting.
Also you can check audit events of the specific
Log into UI -> navigate to the
host -> scroll down to audit logs (Sometimes you can get more information from there)
Validating the host login on the client app is the same defined within policy helps me a lot also.
Hi @AndrewCopeland .
Thanks for quick response. I looked at it already and I am getting CONJ00002E Invalid credentials error message.
It looks like the correct host ID is being used and the authenticator is enabled.
Next thing I would do is validate the AWS Account Number and that the IAM role is actually assigned to the client EC2 instance.
I verified the IAM role assigned by looking at curl http://169.254.169.254/latest/meta-data/iam/info . I see the instanceprofileArn matching the role name and the account number looks accurate as well.
Do you think open a Support ticket would be best step to move forward from here?
The problem was the AWS Account ID specified in the
!host was not a valid AWS Account ID.
I think I will be adding a check into the library that will validate the AWS Account ID before attempting to authenticate.
@AndrewCopeland Thank you and appreciate all the Support. Hope this helps someone else
I also added a small check in the library to validate the account number provided is of the correct length. Hopefully this will help in the future. The code change can be found here: https://github.com/cyberark/conjur-authn-iam-client-python/commit/a60fcff901948b5fe7b0bb5666858328039df8ae
This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.