AWS IAM authenticator throwing error "CONJ00018E Invalid or expired AWS headers"

We configured DAP and are now testing the IAM Authenticator using the Python example that is provided in Git https://github.com/cyberark/conjur-authn-iam-client-python

However it’s giving us the below error. The Webservice is configured and enabled. The policies are in place to provide access. Appreciate if someone can help to troubleshoot the issue.

Error:
COMPANY:host:461111111189/BURoleForDAPIAMAuthenticator failed to authenticate with authenticator authn-iam service COMPANY:webservice:conjur/authn-iam/eecdev: CONJ00018E Invalid or expired AWS headers: Timed out connecting to server

Hi vivekrautela,

So it looks like the request is going from the client to the Conjur server (most likely a follower). When the follower attempts to authenticate the host IAM credentials, it is receiving a "Timed out connecting to server". Where is the Conjur instance the application is authenticating to deployed? Is it on-prem or in AWS?

The Conjur instance must have access to the following URL:
https://sts.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15

Does this error always occur? Or does it happen every now and then?

Regards,
Andrew

@AndrewCopeland We are able to generate the Header. Attached are the conjur_api_key and the URL that it’s generating

{
  "host": "sts.amazonaws.com",
  "x-amz-date": "20201210T173006Z",
  "x-amz-security-token": "<removed>",
  "x-amz-content-sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
  "authorization": "AWS4-HMAC-SHA256 Credential=ASIAWYQH5GHTK67RT4QIMBJDEJ/20201210/us-east-1/sts/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date;x-amz-security-token, Signature=e260c639b1be4a6f309278a4d3eafc8c997b206c32c8ca5c34916661d0b4f756"
}

https://stg-awsfollower.company.local/authn-iam/eecdev/Organization/host%2F468748876489%2FRoleForDAPIAMAuthenticator/authenticate
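A client-side pre-flight for the header JSON and the CONJ00018E text discussed in this thread, as an added Ruby example that is not part of any post or of CyberArk's code. The helper names, the 15-minute freshness window and the sample values are assumptions made for illustration.

```ruby
require 'json'

# Assumption: SigV4 timestamps stop being accepted after roughly 15 minutes.
MAX_AGE_SECONDS = 15 * 60
REQUIRED = %w[host x-amz-date x-amz-security-token authorization].freeze
AUTH_RE = %r{\AAWS4-HMAC-SHA256 Credential=[^/]+/(\d{8})/[^/]+/([^/]+)/aws4_request,\s*SignedHeaders=([^,]+),\s*Signature=\h{64}\z}
DATE_RE = /\A(\d{4})(\d\d)(\d\d)T(\d\d)(\d\d)(\d\d)Z\z/

# Classify the Conjur error text: a timeout suffix points at Conjur's own path to STS,
# not at the client's headers (hypothetical helper; the symbols are this example's).
def triage(message)
  return :not_conj00018e unless message.include?('CONJ00018E')
  message.match?(/timed out connecting/i) ? :conjur_cannot_reach_sts : :headers_rejected
end

# Client-side checks on the signed-header JSON before it is posted to authn-iam.
def preflight(json, now: Time.now.utc)
  h = JSON.parse(json).transform_keys(&:downcase)
  missing = REQUIRED - h.keys
  return missing.map { |k| "missing header: #{k}" } unless missing.empty?

  findings = []
  findings << "host is #{h['host']}, not sts.amazonaws.com" unless h['host'] == 'sts.amazonaws.com'
  date = DATE_RE.match(h['x-amz-date'].to_s)
  auth = AUTH_RE.match(h['authorization'].to_s)
  findings << 'x-amz-date is not in YYYYMMDDTHHMMSSZ form' unless date
  findings << 'authorization is not a well-formed SigV4 value' unless auth
  return findings unless date && auth

  age = (now - Time.utc(*date.captures.map(&:to_i))).abs
  findings << "x-amz-date is #{age.round}s away from this clock" if age > MAX_AGE_SECONDS
  findings << 'credential scope date differs from x-amz-date' unless auth[1] == h['x-amz-date'][0, 8]
  findings << "credential scope service is #{auth[2]}, not sts" unless auth[2] == 'sts'
  unsigned = h.keys.select { |k| k == 'host' || k.start_with?('x-amz-') } - auth[3].split(';')
  findings << "sent but not signed: #{unsigned.join(', ')}" unless unsigned.empty?
  findings
end

# Constructed sample (placeholder key id, token and signature; not real credentials).
SAMPLE = {
  'host' => 'sts.amazonaws.com', 'x-amz-date' => '20201210T173006Z',
  'x-amz-security-token' => 'EXAMPLE-TOKEN',
  'x-amz-content-sha256' => 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',
  'authorization' => 'AWS4-HMAC-SHA256 Credential=ASIAEXAMPLEKEYID/20201210/us-east-1/sts/aws4_request, ' \
    'SignedHeaders=host;x-amz-content-sha256;x-amz-date;x-amz-security-token, Signature=' + 'a' * 64
}.to_json

puts preflight(SAMPLE, now: Time.utc(2020, 12, 10, 17, 31, 0)).inspect
```

An empty findings list together with a `:conjur_cannot_reach_sts` triage result means the next thing to check is the Conjur host's outbound access to the STS URL, not the client.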

@AndrewCopeland We also tried the Ruby example that’s given in the CyberArk docs, but that’s giving the below error: 404 Not Found (RestClient::NotFound)

Code:

require 'conjur-api'
require 'aws-sigv4'
require 'aws-sdk'

# Sign an STS GetCallerIdentity request with the instance profile credentials
# and keep only the resulting headers.
request = Aws::Sigv4::Signer.new(
  service: 'sts',
  region: 'us-east-1',
  credentials_provider: Aws::InstanceProfileCredentials.new
).sign_request(
  http_method: 'GET',
  url: 'https://sts.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15'
).headers

Conjur.configuration.account = 'ABC'
Conjur.configuration.appliance_url = 'https://stg-awsfollower.company.local/authn-iam/eecdev'
Conjur.configuration.cert_file = './dev_conjur.pem'
Conjur.configuration.apply_cert_config!

# The signed headers, serialized as JSON, are passed in place of an API key.
conjur = Conjur::API.new_from_key 'host/aws/46491234589:assumed-role/RoleForDAPIAMAuthenticator', request.to_json
print conjur.token

Error:

[ec2-user@usaea1uapuesc05 ~]$ ruby test_iam.rb
Traceback (most recent call last):
13: from test_iam.rb:20:in `<main>'
12: from /home/ec2-user/.gem/ruby/gems/conjur-api-5.3.4/lib/conjur/base.rb:155:in `token'
11: from /home/ec2-user/.gem/ruby/gems/conjur-api-5.3.4/lib/conjur/base.rb:345:in `refresh_token'
10: from /home/ec2-user/.gem/ruby/gems/conjur-api-5.3.4/lib/conjur/base.rb:223:in `refresh_token'
9: from /home/ec2-user/.gem/ruby/gems/conjur-api-5.3.4/lib/conjur/api/authn.rb:65:in `authenticate'
8: from /home/ec2-user/.gem/ruby/gems/rest-client-2.1.0/lib/restclient/resource.rb:69:in `post'
7: from /home/ec2-user/.gem/ruby/gems/rest-client-2.1.0/lib/restclient/request.rb:63:in `execute'
6: from /home/ec2-user/.gem/ruby/gems/rest-client-2.1.0/lib/restclient/request.rb:163:in `execute'
5: from /home/ec2-user/.gem/ruby/gems/rest-client-2.1.0/lib/restclient/request.rb:727:in `transmit'
4: from /opt/rh/rh-ruby25/root/usr/share/ruby/net/http.rb:910:in `start'
3: from /home/ec2-user/.gem/ruby/gems/rest-client-2.1.0/lib/restclient/request.rb:743:in `block in transmit'
2: from /home/ec2-user/.gem/ruby/gems/rest-client-2.1.0/lib/restclient/request.rb:836:in `process_result'
1: from /home/ec2-user/.gem/ruby/gems/rest-client-2.1.0/lib/restclient/abstract_response.rb:129:in `return!'
/home/ec2-user/.gem/ruby/gems/rest-client-2.1.0/lib/restclient/abstract_response.rb:249:in `exception_with_response': 404 Not Found (RestClient::NotFound)
