Policy using resource: iam-policy receives UnrecognizedClientException during dry-run in GovCloud #7610
Comments
Which region specifically? This seems like an issue on the AWS side; you probably want to inquire with AWS support or your TAM. Specifically, we've already done the IAM call, but then we're getting an error using the Resource Groups Tagging API with the same credentials.
Us-gov-west-1. Is there a way to trace the calls made to AWS by Cloud Custodian? It seems I don't even see a failed call in AWS/etc. in the target account when this occurs.

On Thu, Aug 4, 2022, 10:29 AM Kapil Thangavelu wrote: [quoted above]
Regarding seeing API calls, the easiest is probably via the built-in AWS SDK instrumentation capabilities. Alternatively, you can optionally enable X-Ray tracing via the CLI (--trace xray), but given this is a failure scenario it's not clear if that's viable here.
I typically use https://vector.dev with CSM as a sink/log of calls. Here's the config file I use for vector, and then I just set the AWS_CSM* env vars up.

```toml
# vector config: receive AWS SDK client-side monitoring (CSM) datagrams and
# print one JSON line per completed API call.

[sources.aws_csm]
# botocore emits CSM records as JSON over UDP to AWS_CSM_HOST:AWS_CSM_PORT
# (default 127.0.0.1:31000).
type = "socket"
address = "127.0.0.1:31000"
max_length = 102_400
mode = "udp"

[transforms.parse]
type = "remap"
inputs = ["aws_csm"]
source = """
. = parse_json!(.message)
# per-attempt records carry the session token; never write it to a log
del(.SessionToken)
"""

[transforms.filter]
type = "filter"
inputs = ["parse"]
# keep only completed calls (Type == "ApiCall") and drop SSO token refreshes
condition = '.Type != "ApiCallAttempt" && .Service != "SSO"'

[sinks.console]
inputs = ["filter"]
type = "console"
# current vector syntax; older releases accepted the shorthand encoding = "json"
encoding.codec = "json"
```
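The same capture without vector, as an added example that is not Cloud Custodian's, vector's or the commenter's code: a small CSM listener that binds the UDP port botocore sends to, strips credential-bearing fields, ignores per-attempt records, and reports which completed call failed and with what exception. The environment variables named in the docstring are the real botocore CSM settings; the sample datagrams, the service and exception values in them, and the helper names are constructed for illustration, not captured from the reporter's account.

```python
"""Minimal AWS SDK client-side monitoring (CSM) listener.

Run the process under test with botocore's CSM switched on:
    AWS_CSM_ENABLED=true AWS_CSM_HOST=127.0.0.1 AWS_CSM_PORT=31000 custodian run --dryrun ...
and this script (or the vector config above) on the same host will see one
JSON datagram per attempt and one per completed call.
"""
import json
import socket
from typing import Iterable, Iterator, Optional

CSM_HOST = "127.0.0.1"
CSM_PORT = 31000
MAX_DATAGRAM = 102_400                              # same ceiling as the vector source
SENSITIVE_FIELDS = ("SessionToken", "AccessKey")    # never let credential material reach a log


def parse_csm_record(datagram: bytes) -> dict:
    """Decode one CSM JSON datagram and drop credential-bearing fields."""
    record = json.loads(datagram.decode("utf-8"))
    for field in SENSITIVE_FIELDS:
        record.pop(field, None)
    return record


def summarize_call(record: dict) -> Optional[dict]:
    """Reduce a completed-call record (Type == "ApiCall") to the fields that
    matter when tracing a failure. Per-attempt records return None, mirroring
    the vector filter above."""
    if record.get("Type") != "ApiCall":
        return None
    return {
        "service": record.get("Service"),
        "api": record.get("Api"),
        "region": record.get("Region"),
        "status": record.get("FinalHttpStatusCode"),
        "attempts": record.get("AttemptCount"),
        "exception": record.get("FinalAwsException"),
        "message": record.get("FinalAwsExceptionMessage"),
    }


def failed_calls(datagrams: Iterable[bytes]) -> list:
    """Summaries of every completed call that ended in an AWS exception."""
    failures = []
    for datagram in datagrams:
        summary = summarize_call(parse_csm_record(datagram))
        if summary and summary["exception"]:
            failures.append(summary)
    return failures


def listen(host: str = CSM_HOST, port: int = CSM_PORT,
           max_records: Optional[int] = None) -> Iterator[dict]:
    """Bind the CSM UDP port and yield parsed records (credentials stripped)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    seen = 0
    try:
        while max_records is None or seen < max_records:
            datagram, _ = sock.recvfrom(MAX_DATAGRAM)
            seen += 1
            yield parse_csm_record(datagram)
    finally:
        sock.close()


# Constructed sample datagrams (hypothetical, not captured from any account):
# field names follow the CSM record format, the values are illustrative.
SAMPLE_DATAGRAMS = [
    json.dumps({"Version": 1, "ClientId": "custodian", "Type": "ApiCallAttempt",
                "Service": "IAM", "Api": "ListPolicies", "Region": "us-gov-west-1",
                "HttpStatusCode": 200, "AccessKey": "AKIAEXAMPLE",
                "SessionToken": "example-token"}).encode(),
    json.dumps({"Version": 1, "ClientId": "custodian", "Type": "ApiCall",
                "Service": "IAM", "Api": "ListPolicies", "Region": "us-gov-west-1",
                "AttemptCount": 1, "FinalHttpStatusCode": 200}).encode(),
    json.dumps({"Version": 1, "ClientId": "custodian", "Type": "ApiCall",
                "Service": "Resource Groups Tagging API", "Api": "GetResources",
                "Region": "us-gov-west-1", "AttemptCount": 1, "FinalHttpStatusCode": 400,
                "FinalAwsException": "UnrecognizedClientException",
                "FinalAwsExceptionMessage": "constructed sample message"}).encode(),
]

if __name__ == "__main__":
    for failure in failed_calls(SAMPLE_DATAGRAMS):
        print(json.dumps(failure))
    # Live use:  for rec in listen(): print(summarize_call(rec))
```

Because CSM is emitted by the SDK before the request leaves the host, a call rejected at authentication still shows up here with its service, operation and region, which is what you need when nothing appears on the account side.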
I also want to add my experience, as I see this issue, but only with GovCloud regions. Running custodian version
Having a policy as simple as what's below returns the same
The same user can run
Describe the bug
I'm receiving an when running the policy outlined below in dry-run mode. It seems to go in successfully when run without dry-run, but I'm not sure if the actual policy is working or not.
This is occurring in AWS GovCloud, so the issue might be specific to GovCloud regions.
What did you expect to happen?
dry-run works successfully. Policy works.
Cloud Provider
Amazon Web Services (AWS)
Cloud Custodian version and dependency information
Policy
Relevant log/traceback output
Extra information or context
No response