us-gov-west-1 中的 EC2 实例获得 'The security token included in the request is invalid'

EC2 instance in us-gov-west-1 getting 'The security token included in the request is invalid'

我在 us-gov-west-1 中有一个 m5a.large EC2 实例 (amazon linux 2),该实例附加了一个 IAM 角色。

虽然通过 ssh 连接到实例,但我可以毫无问题地使用 AWS cli(例如 aws s3 ls),即它从实例元数据中获取凭据。

我安装了 cloudwatch 日志代理并且 运行,但是没有日志发送到 cloudwatch。

/var/log/awslogs.log 中,出现以下错误。

2019-09-06 19:03:50,358 - cwlogs.push.publisher - WARNING - 11150 - Thread-17 - Caught exception: An error occurred (UnrecognizedClientException) when calling the PutLogEvents operation: The security token included in the request is invalid
2019-09-06 19:03:50,358 - cwlogs.threads - ERROR - 11150 - Thread-17 - Exception caught in <EventBatchPublisher(Thread-17, started daemon 140468490651392)>
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/cwlogs/threads.py", line 58, in run
    self._run()
  File "/usr/lib/python2.7/site-packages/cwlogs/push.py", line 1403, in _run
    self._publish_event_batch()
  File "/usr/lib/python2.7/site-packages/cwlogs/push.py", line 1210, in _publish_event_batch
    self.sequence_token = self._put_log_events(self.event_batch)
  File "/usr/lib/python2.7/site-packages/cwlogs/push.py", line 1248, in _put_log_events
    response = self.logs_service.put_log_events(**params)
  File "/usr/lib/python2.7/site-packages/botocore/client.py", line 357, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/usr/lib/python2.7/site-packages/botocore/client.py", line 661, in _make_api_call
    raise error_class(parsed_response, operation_name)
UnrecognizedClientException: An error occurred (UnrecognizedClientException) when calling the PutLogEvents operation: The security token included in the request is invalid

奇怪。我检查了实例元数据,一切正常

$ date 
Fri Sep  6 19:06:40 UTC 2019
$ curl http://169.254.169.254/latest/meta-data/iam/security-credentials/my-role-name
{
  "Code" : "Success",
  "LastUpdated" : "2019-09-06T18:19:25Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "redacted",
  "SecretAccessKey" : "redacted",
  "Token" : "redacted",
  "Expiration" : "2019-09-07T00:55:24Z"
}

还有什么我应该检查以更好地理解为什么 AWS 认为我有无效的安全令牌?

找到我的问题。

通过 yum (yum install awslogs) 安装 awslogs 时,它会在 /etc/awslogs 中创建一个目录,其中包含一个名为 awscli.conf

的配置文件

该文件中的默认配置是(如 documentation 中所述)

[plugins]
cwlogs = cwlogs
[default]
region = us-east-1

通过将该区域更新为 us-gov-west-1,日志将发送到 cloudwatch。

所以我为 /etc/awslogs/awscli.conf 更新的配置最终变成了

[plugins]
cwlogs = cwlogs
[default]
region = us-gov-west-1