AWS IAM Authenticator failing to authenticate

sjohnkennedy · October 26, 2020, 7:18pm

Hello Community,

I have setup IAM authenticator for the Conjur instance and when I try to authenticate to the webservice from the EC2 instance. I am getting 401 unauthorized error message. I have looked the $Conjururl/info and see that authenticator is enabled. I verified the policies and the I see that the role has permissions to read and authenticate to the webservice and read the secrets as well. I am trying to check what else needs to be checked and how to troubleshoot the issue. Thank you

Error message

The Audit log shows CONJ00002E Invalid credentials error message

AndrewCopeland · October 26, 2020, 7:24pm

Hi sjohnkennedy,

Seeing the code on the client side would help with troubleshooting.

Also you can check audit events of the specific host:
Log into UI -> navigate to the host -> scroll down to audit logs (Sometimes you can get more information from there)

Validating the host login on the client app is the same defined within policy helps me a lot also.

Thanks,
Andrew

sjohnkennedy · October 26, 2020, 7:30pm

Hi @AndrewCopeland .

Thanks for quick response. I looked at it already and I am getting CONJ00002E Invalid credentials error message.

AndrewCopeland · October 26, 2020, 8:20pm

It looks like the correct host ID is being used and the authenticator is enabled.
Next thing I would do is validate the AWS Account Number and that the IAM role is actually assigned to the client EC2 instance.

Thanks,
Andrew

sjohnkennedy · October 26, 2020, 9:59pm

@AndrewCopeland

I verified the IAM role assigned by looking at curl http://169.254.169.254/latest/meta-data/iam/info . I see the instanceprofileArn matching the role name and the account number looks accurate as well.

Do you think open a Support ticket would be best step to move forward from here?

AndrewCopeland · November 23, 2020, 5:45pm

The problem was the AWS Account ID specified in the !host was not a valid AWS Account ID.

I think I will be adding a check into the library that will validate the AWS Account ID before attempting to authenticate.

Thanks,
Andrew

sjohnkennedy · November 23, 2020, 6:00pm

@AndrewCopeland Thank you and appreciate all the Support. Hope this helps someone else

AndrewCopeland · November 23, 2020, 6:18pm

I also added a small check in the library to validate the account number provided is of the correct length. Hopefully this will help in the future. The code change can be found here: https://github.com/cyberark/conjur-authn-iam-client-python/commit/a60fcff901948b5fe7b0bb5666858328039df8ae

system · November 30, 2020, 6:18pm

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.