Hey CQ Team!
I’m asking about an old version of AWS source: v22.5.1.
This might be a specific AWS configuration, but maybe someone can help.
I’m running CloudQuery locally on 2 AWS accounts. Before each run, I export different values for the AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN environment variables, relevant for each account.
In one account, the sync is fine. On the other account, I see the following error:
failed to sync v3 source my_source: rpc error: code = Internal desc = failed to init plugin: failed to initialize client: operation error STS: GetCallerIdentity, https response error StatusCode: 403, RequestID: aa8d8669-5d23-4f37-983e-801c18bae6f2, api error InvalidClientTokenId: The security token included in the request is invalid
Can anyone point me to what might be the problem?
BTW - when running with the problematic account and the same environment variables using the AWS CLI command aws sts get-caller-identity, the request is okay and there is no problem.
This happens every time on this specific account. I don’t think it’s possible that the Session Token has expired, as I generated it a moment before running the sync. And as I said, when running the AWS CLI command
aws sts get-caller-identity
it succeeds with no error. Might it be some kind of configuration on this AWS Account? But it’s weird, as the AWS CLI command does succeed.
I don’t have access to this account; I only have a role which I assume and create this Session Token.
UPDATE:
I upgraded to the latest CQ CLI and latest AWS Source plugin - still the same problem.
UPDATE 2:
I found out that when CQ performs the STS:GetCallerIdentity on Account2 it uses the region af-south-1 as it is enabled (and first in the sorting), and for Account1, it uses a different region. Now my problem is figuring out why I can’t communicate with this region…
During initialization, we call GetCallerIdentity to understand which partition you are running in. We assume that we can call GetCallerIdentity from any of the valid regions that are being synced. I am assuming you are not specifying a list of regions to sync or are using regions: ["*"].
To avoid making the call to af-south-1, I would suggest specifying the exact list of regions you want to sync from.
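As an added example (not CloudQuery’s or the poster’s code), the script below probes STS GetCallerIdentity against each regional endpoint with the credentials from the environment, in the same sorted order the plugin uses, and prints a `regions:` list containing only the regions that accepted the token. The live probe assumes `boto3` is installed; the `SAMPLE_PROBE_RESULTS` table is constructed to mirror the thread (af-south-1 disabled, others fine) so the classification runs offline.

```python
"""Probe STS GetCallerIdentity per region before choosing CloudQuery's `regions` list.

Added diagnostic, not part of CloudQuery. The probe is injectable so the
classification logic can be exercised offline with constructed results.
"""
import os
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample: error code returned per region (None = call succeeded).
# Mirrors the thread: af-south-1 is an opt-in region still disabled on the account.
SAMPLE_PROBE_RESULTS: Dict[str, Optional[str]] = {
    "af-south-1": "InvalidClientTokenId",
    "eu-west-1": None,
    "us-east-1": None,
}


def classify(regions: Iterable[str], probe: Callable[[str], Optional[str]]) -> dict:
    """Run the probe over regions in sorted order (the order CQ picks from)."""
    ordered = sorted(regions)
    usable: List[str] = []
    rejected: Dict[str, str] = {}
    for region in ordered:
        err = probe(region)
        if err is None:
            usable.append(region)
        else:
            rejected[region] = err
    # first_sorted is the region the plugin would try first with regions: ["*"]
    return {"usable": usable, "rejected": rejected, "first_sorted": ordered[0]}


def boto_probe(region: str) -> Optional[str]:
    """Live probe: call the explicitly regional STS endpoint (assumes boto3)."""
    import boto3
    from botocore.exceptions import ClientError
    sts = boto3.client("sts", region_name=region,
                       endpoint_url=f"https://sts.{region}.amazonaws.com")
    try:
        sts.get_caller_identity()
        return None
    except ClientError as exc:
        return exc.response["Error"]["Code"]  # e.g. InvalidClientTokenId


def regions_yaml(usable: Iterable[str]) -> str:
    """Render the explicit list the maintainer suggests putting in the source spec."""
    return "regions: [" + ", ".join(f'"{r}"' for r in usable) + "]"


if __name__ == "__main__":
    live = "AWS_ACCESS_KEY_ID" in os.environ
    probe = boto_probe if live else (lambda r: SAMPLE_PROBE_RESULTS[r])
    result = classify(SAMPLE_PROBE_RESULTS, probe)
    print("first region CQ would try:", result["first_sorted"])
    print("rejected:", result["rejected"])
    print(regions_yaml(result["usable"]))
```

With real credentials, replace the region keys of `SAMPLE_PROBE_RESULTS` with the regions you intend to sync; any region listed under `rejected` is the one to either enable in the account or leave out of the spec.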
Hey!
I just figured it out!
CQ tries to GetCallerIdentity on region af-south-1 but fails because in my account (the one that was used to generate the token), this region was disabled.
After enabling it - it works!