us-gov-west-1 中的 EC2 实例获得 'The security token included in the request is invalid'
EC2 instance in us-gov-west-1 getting 'The security token included in the request is invalid'
我在 us-gov-west-1 中有一个 m5a.large EC2 实例 (amazon linux 2),该实例附加了一个 IAM 角色。
虽然通过 ssh 连接到实例,但我可以毫无问题地使用 AWS cli(例如 aws s3 ls),即它从实例元数据中获取凭据。
我安装了 cloudwatch 日志代理并且 运行,但是没有日志发送到 cloudwatch。
在 /var/log/awslogs.log 中,出现以下错误。
2019-09-06 19:03:50,358 - cwlogs.push.publisher - WARNING - 11150 - Thread-17 - Caught exception: An error occurred (UnrecognizedClientException) when calling the PutLogEvents operation: The security token included in the request is invalid
2019-09-06 19:03:50,358 - cwlogs.threads - ERROR - 11150 - Thread-17 - Exception caught in <EventBatchPublisher(Thread-17, started daemon 140468490651392)>
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/cwlogs/threads.py", line 58, in run
self._run()
File "/usr/lib/python2.7/site-packages/cwlogs/push.py", line 1403, in _run
self._publish_event_batch()
File "/usr/lib/python2.7/site-packages/cwlogs/push.py", line 1210, in _publish_event_batch
self.sequence_token = self._put_log_events(self.event_batch)
File "/usr/lib/python2.7/site-packages/cwlogs/push.py", line 1248, in _put_log_events
response = self.logs_service.put_log_events(**params)
File "/usr/lib/python2.7/site-packages/botocore/client.py", line 357, in _api_call
return self._make_api_call(operation_name, kwargs)
File "/usr/lib/python2.7/site-packages/botocore/client.py", line 661, in _make_api_call
raise error_class(parsed_response, operation_name)
UnrecognizedClientException: An error occurred (UnrecognizedClientException) when calling the PutLogEvents operation: The security token included in the request is invalid
奇怪。我检查了实例元数据,一切正常
$ date
Fri Sep 6 19:06:40 UTC 2019
$ curl http://169.254.169.254/latest/meta-data/iam/security-credentials/my-role-name
{
"Code" : "Success",
"LastUpdated" : "2019-09-06T18:19:25Z",
"Type" : "AWS-HMAC",
"AccessKeyId" : "redacted",
"SecretAccessKey" : "redacted",
"Token" : "redacted",
"Expiration" : "2019-09-07T00:55:24Z"
}
还有什么我应该检查以更好地理解为什么 AWS 认为我有无效的安全令牌?
找到我的问题。
通过 yum (yum install awslogs) 安装 awslogs 时,它会在 /etc/awslogs 中创建一个目录,其中包含一个名为 awscli.conf
的配置文件
该文件中的默认配置是(如 documentation 中所述)
[plugins]
cwlogs = cwlogs
[default]
region = us-east-1
通过将该区域更新为 us-gov-west-1,日志将发送到 cloudwatch。
所以我为 /etc/awslogs/awscli.conf 更新的配置最终变成了
[plugins]
cwlogs = cwlogs
[default]
region = us-gov-west-1
我在 us-gov-west-1 中有一个 m5a.large EC2 实例 (amazon linux 2),该实例附加了一个 IAM 角色。
虽然通过 ssh 连接到实例,但我可以毫无问题地使用 AWS cli(例如 aws s3 ls),即它从实例元数据中获取凭据。
我安装了 cloudwatch 日志代理并且 运行,但是没有日志发送到 cloudwatch。
在 /var/log/awslogs.log 中,出现以下错误。
2019-09-06 19:03:50,358 - cwlogs.push.publisher - WARNING - 11150 - Thread-17 - Caught exception: An error occurred (UnrecognizedClientException) when calling the PutLogEvents operation: The security token included in the request is invalid
2019-09-06 19:03:50,358 - cwlogs.threads - ERROR - 11150 - Thread-17 - Exception caught in <EventBatchPublisher(Thread-17, started daemon 140468490651392)>
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/cwlogs/threads.py", line 58, in run
self._run()
File "/usr/lib/python2.7/site-packages/cwlogs/push.py", line 1403, in _run
self._publish_event_batch()
File "/usr/lib/python2.7/site-packages/cwlogs/push.py", line 1210, in _publish_event_batch
self.sequence_token = self._put_log_events(self.event_batch)
File "/usr/lib/python2.7/site-packages/cwlogs/push.py", line 1248, in _put_log_events
response = self.logs_service.put_log_events(**params)
File "/usr/lib/python2.7/site-packages/botocore/client.py", line 357, in _api_call
return self._make_api_call(operation_name, kwargs)
File "/usr/lib/python2.7/site-packages/botocore/client.py", line 661, in _make_api_call
raise error_class(parsed_response, operation_name)
UnrecognizedClientException: An error occurred (UnrecognizedClientException) when calling the PutLogEvents operation: The security token included in the request is invalid
奇怪。我检查了实例元数据,一切正常
$ date
Fri Sep 6 19:06:40 UTC 2019
$ curl http://169.254.169.254/latest/meta-data/iam/security-credentials/my-role-name
{
"Code" : "Success",
"LastUpdated" : "2019-09-06T18:19:25Z",
"Type" : "AWS-HMAC",
"AccessKeyId" : "redacted",
"SecretAccessKey" : "redacted",
"Token" : "redacted",
"Expiration" : "2019-09-07T00:55:24Z"
}
还有什么我应该检查以更好地理解为什么 AWS 认为我有无效的安全令牌?
找到我的问题。
通过 yum (yum install awslogs) 安装 awslogs 时,它会在 /etc/awslogs 中创建一个目录,其中包含一个名为 awscli.conf
该文件中的默认配置是(如 documentation 中所述)
[plugins]
cwlogs = cwlogs
[default]
region = us-east-1
通过将该区域更新为 us-gov-west-1,日志将发送到 cloudwatch。
所以我为 /etc/awslogs/awscli.conf 更新的配置最终变成了
[plugins]
cwlogs = cwlogs
[default]
region = us-gov-west-1