S3 WebID auth failure error message improvement #1997

Open
gricey432 opened this issue Feb 14, 2023 · 4 comments
Comments

@gricey432

If an error response is returned from the STS AssumeRoleWithWebIdentity call, the error message is largely eaten by the xml decoder and makes it difficult to debug permission issues.

xmlNodeChild(

An error response from STS here results in a log like:

[ERROR: [029]: unable to load info file '/mydb/backup/db/backup.info' or '/mydb/backup/db/backup.info.copy':
FormatError: unable to find child 'AssumeRoleWithWebIdentityResult':0 in node 'ErrorResponse'
FormatError: unable to find child 'AssumeRoleWithWebIdentityResult':0 in node 'ErrorResponse'
HINT: backup.info cannot be opened and is required to perform a backup.
HINT: has a stanza-create been performed?

Could this be improved to log the AWS response in the case of an error?

@dwsteele
Member

Yeah, that's not great. However, I am unable to find any information about the error format here: https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html. Any ideas where that would be?

This is the typical response (https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingRESTError.html) but the token does not match.

@gricey432
Author

gricey432 commented Feb 16, 2023

The specific error I was debugging ended up looking like this when I sent the same request directly. It was a 400 Bad Request.

<ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <Error>
    <Type>Sender</Type>
    <Code>InvalidIdentityToken</Code>
    <Message>OpenIDConnect provider's HTTPS certificate doesn't match configured thumbprint</Message>
  </Error>
  <RequestId>2d8fc0e3-ac00-4bbe-8bff-bf57499e5de2</RequestId>
</ErrorResponse>

I can find similar response structures in the docs for other services, just not on STS, not ideal on AWS's part.

E.g. https://docs.aws.amazon.com/Route53/latest/APIReference/requests-rest-responses.html#requests-rest-error-responses
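A parser that distinguishes the two STS response shapes before looking for the result node, added here as an example; it is Python, not pgbackrest's own C code, the error response is the one quoted above, and the success response is a constructed sample with placeholder values:

```python
import xml.etree.ElementTree as ET

# Constructed sample: the 400 ErrorResponse quoted in the issue above.
ERROR_RESPONSE = """<ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <Error>
    <Type>Sender</Type>
    <Code>InvalidIdentityToken</Code>
    <Message>OpenIDConnect provider's HTTPS certificate doesn't match configured thumbprint</Message>
  </Error>
  <RequestId>2d8fc0e3-ac00-4bbe-8bff-bf57499e5de2</RequestId>
</ErrorResponse>"""

# Constructed sample of a successful response; the credential values are placeholders.
SUCCESS_RESPONSE = """<AssumeRoleWithWebIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <AssumeRoleWithWebIdentityResult>
    <Credentials>
      <AccessKeyId>ASIAEXAMPLEKEYID</AccessKeyId>
      <SecretAccessKey>EXAMPLESECRET</SecretAccessKey>
      <SessionToken>EXAMPLESESSIONTOKEN</SessionToken>
      <Expiration>2023-02-16T12:00:00Z</Expiration>
    </Credentials>
  </AssumeRoleWithWebIdentityResult>
</AssumeRoleWithWebIdentityResponse>"""

def _strip_namespaces(root):
    # Drop the {namespace} prefix ElementTree adds, so lookups work with or without xmlns.
    for el in root.iter():
        el.tag = el.tag.rsplit("}", 1)[-1]
    return root

def parse_sts_response(body):
    """Return ("ok", credentials dict) or ("error", message) instead of a generic FormatError.

    The root element is checked first: an ErrorResponse is reported with its Code, Message and
    RequestId rather than by complaining that AssumeRoleWithWebIdentityResult is missing.
    """
    root = _strip_namespaces(ET.fromstring(body))
    if root.tag == "ErrorResponse":
        err = root.find("Error")
        code = err.findtext("Code", "unknown") if err is not None else "unknown"
        msg = err.findtext("Message", "") if err is not None else ""
        return "error", f"STS {code}: {msg} (RequestId {root.findtext('RequestId', 'unknown')})"
    creds = root.find("AssumeRoleWithWebIdentityResult/Credentials")
    if creds is None:
        return "error", f"unexpected STS response root '{root.tag}'"
    return "ok", {c.tag: c.text for c in creds}
```

Logging the "error" string at the point where the info file load fails would surface the InvalidIdentityToken message directly in the pgbackrest output.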

@jmvizcainoio

We are getting the same error:

ERROR: [103]: unable to find a valid repository:
       repo1: [FormatError] unable to load info file '/pgbackrest/fake-sergas-dev/archive/db/archive.info' or '/pgbackrest/fake-sergas-dev/archive/db/archive.info.copy':
       FormatError: unable to find child 'AssumeRoleWithWebIdentityResult':0 in node 'ErrorResponse'
       FormatError: unable to find child 'AssumeRoleWithWebIdentityResult':0 in node 'ErrorResponse'
       HINT: archive.info cannot be opened but is required to push/get WAL segments.
       HINT: is archive_command configured correctly in postgresql.conf?
       HINT: has a stanza-create been performed?
       HINT: use --no-archive-check to disable archive checks during backup if you have an alternate archiving scheme.

The bucket exists but I can't tell which error it is. Any idea?

Thanks

@dwsteele
Member

> The bucket exists but I can't tell which error it is. Any idea?

You can try sending the request directly and examining the error message.
