AWS InvalidClientTokenId Errors / Error: Skipping disabled region.. #10

Open
Mike-OSPN opened this issue Aug 4, 2021 · 2 comments
Labels
invalid This doesn't seem right

Comments

@Mike-OSPN

Mike-OSPN commented Aug 4, 2021

Hi
I'm seeing the errors
Error: Skipping disabled region eu-west-2... (for any region)
and
/var/lib/gems/2.7.0/gems/aws-sdk-core-3.117.0/lib/seahorse/client/plugins/raise_response_errors.rb:17:in `call': The security token included in the request is invalid. (Aws::IAM::Errors::InvalidClientTokenId)
(entire output below)

  1. Where/how can I enable/disable regions?
  2. Regarding InvalidClientTokenId: I'm running the script with two IAM users (one in the root/CloudTrail account, one in the Lambda/"to be scanned" account). Both IAM users have AdministratorAccess.

My .aws/credentials file looks like this:

[account_to_be_scanned]
aws_access_key_id = **to-be-scanned-account
aws_secret_access_key = ***to-be-scanned-account
region = eu-west-1

[root_account]
aws_access_key_id = ***root-account
aws_secret_access_key = ***root-account
region = eu-west-1

I'm exporting these variables:

export REGION=eu-west-1
export CSV_PATH="myexport.csv"
export BUCKET=my-cloudtrail-bucket
export BUCKET_REGION=eu-west-1
export SCAN_PROFILE=account_to_be_scanned
export LAMBDA_PROFILE=root_account
export LAMBDA_REGION=eu-west-1
export ACCESS_KEY_ID="*****to-be-scanned-account***"
export SECRET_ACCESS_KEY="******to-be-scanned-account***"

then invoking the script:

./retro_tag.rb \
  --csv "$CSV_PATH" \
  --bucket $BUCKET \
  --bucket-region $BUCKET_REGION \
  --scan-profile "$SCAN_PROFILE" \
  --lambda-profile "$LAMBDA_PROFILE" \
  --lambda-region $LAMBDA_REGION \
  --scan-access-key-id=ACCESS_KEY_ID \
  --scan-secret-access-key=SECRET_ACCESS_KEY

(note: without the last two options, it's not running at all)

Here is the entire output:

Importing from /home/it-services/RetroTag/retro-tag/myexport.csv (1.42 MiB)...completed in 0 seconds.
The AwsResource::VpnGateway.get_resources cache file is too old, scanning aws...
The AwsResource::VpnConnection.get_resources cache file is too old, scanning aws...
The AwsResource::VpcSubnet.get_resources cache file is too old, scanning aws...
The AwsResource::VpcRouteTable.get_resources cache file is too old, scanning aws...
The AwsResource::VpcPeering.get_resources cache file is too old, scanning aws...
The AwsResource::VpcNetworkAcl.get_resources cache file is too old, scanning aws...
The AwsResource::VpcNatGateway.get_resources cache file is too old, scanning aws...
The AwsResource::VpcInternetGateway.get_resources cache file is too old, scanning aws...
The AwsResource::VpcEni.get_resources cache file is too old, scanning aws...
The AwsResource::Vpc.get_resources cache file is too old, scanning aws...
Error: Skipping disabled region af-south-1...
Error: Skipping disabled region af-south-1...
Error: Skipping disabled region af-south-1...
Error: Skipping disabled region af-south-1...
Error: Skipping disabled region af-south-1...
Error: Skipping disabled region af-south-1...
Error: Skipping disabled region af-south-1...
Error: Skipping disabled region af-south-1...
Error: Skipping disabled region af-south-1...
Error: Skipping disabled region af-south-1...
Error: Skipping disabled region ap-east-1...
Error: Skipping disabled region ap-east-1...
Error: Skipping disabled region ap-east-1...
Error: Skipping disabled region ap-east-1...
Error: Skipping disabled region ap-east-1...
Error: Skipping disabled region ap-east-1...
Error: Skipping disabled region ap-east-1...
Error: Skipping disabled region ap-east-1...
Error: Skipping disabled region ap-east-1...
Error: Skipping disabled region ap-east-1...
Error: Skipping disabled region ap-northeast-1...
Error: Skipping disabled region ap-northeast-1...
Error: Skipping disabled region ap-northeast-1...
Error: Skipping disabled region ap-northeast-1...
Error: Skipping disabled region ap-northeast-1...
Error: Skipping disabled region ap-northeast-1...
Error: Skipping disabled region ap-northeast-1...
Error: Skipping disabled region ap-northeast-1...
Error: Skipping disabled region ap-northeast-1...
Error: Skipping disabled region ap-northeast-1...
Error: Skipping disabled region ap-northeast-2...
Error: Skipping disabled region ap-northeast-2...
Error: Skipping disabled region ap-northeast-2...
Error: Skipping disabled region ap-northeast-2...
Error: Skipping disabled region ap-northeast-2...
Error: Skipping disabled region ap-northeast-2...
Error: Skipping disabled region ap-northeast-2...
Error: Skipping disabled region ap-northeast-2...
Error: Skipping disabled region ap-northeast-2...
Error: Skipping disabled region ap-northeast-2...
Error: Skipping disabled region ap-northeast-3...
Error: Skipping disabled region ap-northeast-3...
Error: Skipping disabled region ap-northeast-3...
Error: Skipping disabled region ap-northeast-3...
Error: Skipping disabled region ap-northeast-3...
Error: Skipping disabled region ap-northeast-3...
Error: Skipping disabled region ap-northeast-3...
Error: Skipping disabled region ap-northeast-3...
Error: Skipping disabled region ap-northeast-3...
Error: Skipping disabled region ap-northeast-3...
Error: Skipping disabled region ap-south-1...
Error: Skipping disabled region ap-south-1...
Error: Skipping disabled region ap-south-1...
Error: Skipping disabled region ap-south-1...
Error: Skipping disabled region ap-south-1...
Error: Skipping disabled region ap-south-1...
Error: Skipping disabled region ap-south-1...
Error: Skipping disabled region ap-south-1...
Error: Skipping disabled region ap-south-1...
Error: Skipping disabled region ap-south-1...
Error: Skipping disabled region ap-southeast-1...
Error: Skipping disabled region ap-southeast-1...
Error: Skipping disabled region ap-southeast-1...
Error: Skipping disabled region ap-southeast-1...
Error: Skipping disabled region ap-southeast-1...
Error: Skipping disabled region ap-southeast-1...
Error: Skipping disabled region ap-southeast-1...
Error: Skipping disabled region ap-southeast-1...
Error: Skipping disabled region ap-southeast-1...
Error: Skipping disabled region ap-southeast-1...
Error: Skipping disabled region ap-southeast-2...
Error: Skipping disabled region ap-southeast-2...
Error: Skipping disabled region ap-southeast-2...
Error: Skipping disabled region ap-southeast-2...
Error: Skipping disabled region ap-southeast-2...
Error: Skipping disabled region ap-southeast-2...
Error: Skipping disabled region ap-southeast-2...
Error: Skipping disabled region ap-southeast-2...
Error: Skipping disabled region ap-southeast-2...
Error: Skipping disabled region ap-southeast-2...
Error: Skipping disabled region ca-central-1...
Error: Skipping disabled region ca-central-1...
Error: Skipping disabled region ca-central-1...
Error: Skipping disabled region ca-central-1...
Error: Skipping disabled region ca-central-1...
Error: Skipping disabled region ca-central-1...
Error: Skipping disabled region ca-central-1...
Error: Skipping disabled region ca-central-1...
Error: Skipping disabled region ca-central-1...
Error: Skipping disabled region ca-central-1...
Error: Skipping disabled region eu-central-1...
Error: Skipping disabled region eu-central-1...
Error: Skipping disabled region eu-central-1...
Error: Skipping disabled region eu-central-1...
Error: Skipping disabled region eu-central-1...
Error: Skipping disabled region eu-central-1...
Error: Skipping disabled region eu-central-1...
Error: Skipping disabled region eu-central-1...
Error: Skipping disabled region eu-central-1...
Error: Skipping disabled region eu-central-1...
Error: Skipping disabled region eu-north-1...
Error: Skipping disabled region eu-north-1...
Error: Skipping disabled region eu-north-1...
Error: Skipping disabled region eu-north-1...
Error: Skipping disabled region eu-north-1...
Error: Skipping disabled region eu-north-1...
Error: Skipping disabled region eu-north-1...
Error: Skipping disabled region eu-north-1...
Error: Skipping disabled region eu-north-1...
Error: Skipping disabled region eu-north-1...
Error: Skipping disabled region eu-south-1...
Error: Skipping disabled region eu-south-1...
Error: Skipping disabled region eu-south-1...
Error: Skipping disabled region eu-south-1...
Error: Skipping disabled region eu-south-1...
Error: Skipping disabled region eu-south-1...
Error: Skipping disabled region eu-south-1...
Error: Skipping disabled region eu-south-1...
Error: Skipping disabled region eu-south-1...
Error: Skipping disabled region eu-south-1...
Error: Skipping disabled region eu-west-1...
Error: Skipping disabled region eu-west-1...
Error: Skipping disabled region eu-west-1...
Error: Skipping disabled region eu-west-1...
Error: Skipping disabled region eu-west-1...
Error: Skipping disabled region eu-west-1...
Error: Skipping disabled region eu-west-1...
Error: Skipping disabled region eu-west-1...
Error: Skipping disabled region eu-west-1...
Error: Skipping disabled region eu-west-1...
Error: Skipping disabled region eu-west-2...
Error: Skipping disabled region eu-west-2...
Error: Skipping disabled region eu-west-2...
Error: Skipping disabled region eu-west-2...
Error: Skipping disabled region eu-west-2...
Error: Skipping disabled region eu-west-2...
Error: Skipping disabled region eu-west-2...
Error: Skipping disabled region eu-west-2...
Error: Skipping disabled region eu-west-2...
Error: Skipping disabled region eu-west-2...
Error: Skipping disabled region eu-west-3...
Error: Skipping disabled region eu-west-3...
Error: Skipping disabled region eu-west-3...
Error: Skipping disabled region eu-west-3...
Error: Skipping disabled region eu-west-3...
Error: Skipping disabled region eu-west-3...
Error: Skipping disabled region eu-west-3...
Error: Skipping disabled region eu-west-3...
Error: Skipping disabled region eu-west-3...
Error: Skipping disabled region eu-west-3...
Error: Skipping disabled region me-south-1...
Error: Skipping disabled region me-south-1...
Error: Skipping disabled region me-south-1...
Error: Skipping disabled region me-south-1...
Error: Skipping disabled region me-south-1...
Error: Skipping disabled region me-south-1...
Error: Skipping disabled region me-south-1...
Error: Skipping disabled region me-south-1...
Error: Skipping disabled region me-south-1...
Error: Skipping disabled region me-south-1...
Error: Skipping disabled region sa-east-1...
Error: Skipping disabled region sa-east-1...
Error: Skipping disabled region sa-east-1...
Error: Skipping disabled region sa-east-1...
Error: Skipping disabled region sa-east-1...
Error: Skipping disabled region sa-east-1...
Error: Skipping disabled region sa-east-1...
Error: Skipping disabled region sa-east-1...
Error: Skipping disabled region sa-east-1...
Error: Skipping disabled region sa-east-1...
Error: Skipping disabled region us-east-1...
Error: Skipping disabled region us-east-1...
Error: Skipping disabled region us-east-1...
Error: Skipping disabled region us-east-1...
Error: Skipping disabled region us-east-1...
Error: Skipping disabled region us-east-1...
Error: Skipping disabled region us-east-1...
Error: Skipping disabled region us-east-1...
Error: Skipping disabled region us-east-1...
Error: Skipping disabled region us-east-1...
Error: Skipping disabled region us-east-2...
Error: Skipping disabled region us-east-2...
Error: Skipping disabled region us-east-2...
Error: Skipping disabled region us-east-2...
Error: Skipping disabled region us-east-2...
Error: Skipping disabled region us-east-2...
Error: Skipping disabled region us-east-2...
Error: Skipping disabled region us-east-2...
Error: Skipping disabled region us-east-2...
Error: Skipping disabled region us-east-2...
Error: Skipping disabled region us-west-1...
Error: Skipping disabled region us-west-1...
Error: Skipping disabled region us-west-1...
Error: Skipping disabled region us-west-1...
Error: Skipping disabled region us-west-1...
Error: Skipping disabled region us-west-1...
Error: Skipping disabled region us-west-1...
Error: Skipping disabled region us-west-1...
Error: Skipping disabled region us-west-1...
Error: Skipping disabled region us-west-1...
Error: Skipping disabled region us-west-2...
Total AwsResource::VpcSubnet.get_resources: 0
The AwsResource::SecurityGroup.get_resources cache file is too old, scanning aws...
Error: Skipping disabled region us-west-2...
Total AwsResource::VpcInternetGateway.get_resources: 0
The AwsResource::S3Bucket.get_resources cache file is too old, scanning aws...
Error: Skipping disabled region us-west-2...
Total AwsResource::VpnGateway.get_resources: 0
Error: Skipping disabled region us-west-2...
Total AwsResource::VpcRouteTable.get_resources: 0
Error: Skipping disabled region us-west-2...
Total AwsResource::VpnConnection.get_resources: 0
The AwsResource::LambdaFunction.get_resources cache file is too old, scanning aws...
The AwsResource::OpsWorks.get_resources cache file is too old, scanning aws...
Error: Skipping disabled region us-west-2...
Total AwsResource::VpcEni.get_resources: 0
The AwsResource::IamRole.get_resources cache file is too old, scanning aws...
The AwsResource::Rds.get_resources cache file is too old, scanning aws...
Error: Skipping disabled region us-west-2...
Total AwsResource::VpcNetworkAcl.get_resources: 0
The AwsResource::IamUser.get_resources cache file is too old, scanning aws...
Error: Skipping disabled region us-west-2...
Total AwsResource::VpcNatGateway.get_resources: 0
Error: Skipping disabled region us-west-2...
Total AwsResource::Vpc.get_resources: 0
The AwsResource::ElasticLoadBalancingV2.get_resources cache file is too old, scanning aws...
The AwsResource::ElasticMapReduce.get_resources cache file is too old, scanning aws...
Error: Skipping disabled region us-west-2...
Total AwsResource::VpcPeering.get_resources: 0
The AwsResource::ElasticLoadBalancing.get_resources cache file is too old, scanning aws...
Error: Skipping disabled region us-east-1...
Total AwsResource::S3Bucket.get_resources: 0
The AwsResource::Eip.get_resources cache file is too old, scanning aws...
#<Thread:0x000055ea66c9c358 ./retro_tag.rb:162 run> terminated with exception (report_on_exception is true):
Traceback (most recent call last):
13: from ./retro_tag.rb:168:in `block (2 levels) in <main>'
12: from /home/it-services/RetroTag/retro-tag/auto_tag/aws_mixin.rb:19:in `write_cache_file'
11: from /home/it-services/RetroTag/retro-tag/aws_resource/default.rb:55:in `get_resources'
10: from /home/it-services/RetroTag/retro-tag/aws_resource/default.rb:55:in `each'
9: from /home/it-services/RetroTag/retro-tag/aws_resource/default.rb:61:in `block in get_resources'
8: from /var/lib/gems/2.7.0/gems/aws-sdk-iam-1.56.0/lib/aws-sdk-iam/client.rb:8226:in `list_roles'
7: from /var/lib/gems/2.7.0/gems/aws-sdk-core-3.117.0/lib/seahorse/client/request.rb:72:in `send_request'
6: from /var/lib/gems/2.7.0/gems/aws-sdk-core-3.117.0/lib/seahorse/client/plugins/response_target.rb:24:in `call'
5: from /var/lib/gems/2.7.0/gems/aws-sdk-core-3.117.0/lib/aws-sdk-core/plugins/response_paging.rb:12:in `call'
4: from /var/lib/gems/2.7.0/gems/aws-sdk-core-3.117.0/lib/seahorse/client/plugins/request_callback.rb:71:in `call'
3: from /var/lib/gems/2.7.0/gems/aws-sdk-core-3.117.0/lib/aws-sdk-core/plugins/param_converter.rb:26:in `call'
2: from /var/lib/gems/2.7.0/gems/aws-sdk-core-3.117.0/lib/aws-sdk-core/plugins/idempotency_token.rb:19:in `call'
1: from /var/lib/gems/2.7.0/gems/aws-sdk-core-3.117.0/lib/aws-sdk-core/plugins/jsonvalue_converter.rb:22:in `call'
/var/lib/gems/2.7.0/gems/aws-sdk-core-3.117.0/lib/seahorse/client/plugins/raise_response_errors.rb:17:in `call': The security token included in the request is invalid. (Aws::IAM::Errors::InvalidClientTokenId)
#<Thread:0x000055ea66c9c038 ./retro_tag.rb:162 run> terminated with exception (report_on_exception is true):
Traceback (most recent call last):
13: from ./retro_tag.rb:168:in `block (2 levels) in <main>'
12: from /home/it-services/RetroTag/retro-tag/auto_tag/aws_mixin.rb:19:in `write_cache_file'
11: from /home/it-services/RetroTag/retro-tag/aws_resource/default.rb:55:in `get_resources'
10: from /home/it-services/RetroTag/retro-tag/aws_resource/default.rb:55:in `each'
9: from /home/it-services/RetroTag/retro-tag/aws_resource/default.rb:61:in `block in get_resources'
8: from /var/lib/gems/2.7.0/gems/aws-sdk-iam-1.56.0/lib/aws-sdk-iam/client.rb:9044:in `list_users'
7: from /var/lib/gems/2.7.0/gems/aws-sdk-core-3.117.0/lib/seahorse/client/request.rb:72:in `send_request'
6: from /var/lib/gems/2.7.0/gems/aws-sdk-core-3.117.0/lib/seahorse/client/plugins/response_target.rb:24:in `call'
5: from /var/lib/gems/2.7.0/gems/aws-sdk-core-3.117.0/lib/aws-sdk-core/plugins/response_paging.rb:12:in `call'
4: from /var/lib/gems/2.7.0/gems/aws-sdk-core-3.117.0/lib/seahorse/client/plugins/request_callback.rb:71:in `call'
3: from /var/lib/gems/2.7.0/gems/aws-sdk-core-3.117.0/lib/aws-sdk-core/plugins/param_converter.rb:26:in `call'
2: from /var/lib/gems/2.7.0/gems/aws-sdk-core-3.117.0/lib/aws-sdk-core/plugins/idempotency_token.rb:19:in `call'
1: from /var/lib/gems/2.7.0/gems/aws-sdk-core-3.117.0/lib/aws-sdk-core/plugins/jsonvalue_converter.rb:22:in `call'
/var/lib/gems/2.7.0/gems/aws-sdk-core-3.117.0/lib/seahorse/client/plugins/raise_response_errors.rb:17:in `call': The security token included in the request is invalid. (Aws::IAM::Errors::InvalidClientTokenId)
Traceback (most recent call last):
13: from ./retro_tag.rb:168:in `block (2 levels) in <main>'
12: from /home/it-services/RetroTag/retro-tag/auto_tag/aws_mixin.rb:19:in `write_cache_file'
11: from /home/it-services/RetroTag/retro-tag/aws_resource/default.rb:55:in `get_resources'
10: from /home/it-services/RetroTag/retro-tag/aws_resource/default.rb:55:in `each'
9: from /home/it-services/RetroTag/retro-tag/aws_resource/default.rb:61:in `block in get_resources'
8: from /var/lib/gems/2.7.0/gems/aws-sdk-iam-1.56.0/lib/aws-sdk-iam/client.rb:8226:in `list_roles'
7: from /var/lib/gems/2.7.0/gems/aws-sdk-core-3.117.0/lib/seahorse/client/request.rb:72:in `send_request'
6: from /var/lib/gems/2.7.0/gems/aws-sdk-core-3.117.0/lib/seahorse/client/plugins/response_target.rb:24:in `call'
5: from /var/lib/gems/2.7.0/gems/aws-sdk-core-3.117.0/lib/aws-sdk-core/plugins/response_paging.rb:12:in `call'
4: from /var/lib/gems/2.7.0/gems/aws-sdk-core-3.117.0/lib/seahorse/client/plugins/request_callback.rb:71:in `call'
3: from /var/lib/gems/2.7.0/gems/aws-sdk-core-3.117.0/lib/aws-sdk-core/plugins/param_converter.rb:26:in `call'
2: from /var/lib/gems/2.7.0/gems/aws-sdk-core-3.117.0/lib/aws-sdk-core/plugins/idempotency_token.rb:19:in `call'
1: from /var/lib/gems/2.7.0/gems/aws-sdk-core-3.117.0/lib/aws-sdk-core/plugins/jsonvalue_converter.rb:22:in `call'
/var/lib/gems/2.7.0/gems/aws-sdk-core-3.117.0/lib/seahorse/client/plugins/raise_response_errors.rb:17:in `call': The security token included in the request is invalid. (Aws::IAM::Errors::InvalidClientTokenId)

@ecout

ecout commented Oct 11, 2021

Please read the AWS documentation on disabling regions; this is not related to this application but to the AWS environment itself, and is expected.
https://docs.aws.amazon.com/general/latest/gr/rande-manage.html

Most regions cannot be disabled, but some are disabled by default, which is why you're seeing this here.
Other than that, make sure you gave your scan-profile IAM user the ReadOnly AWS managed policy.

@rayjanoka
Collaborator

It looks like your keys just weren't working; you shouldn't need the scan_access_keys if you are setting the scan_profile.

I'm not sure what you mean by it won't run without those settings... please send the failure output if that is the case so we can troubleshoot.

@rayjanoka rayjanoka added the invalid This doesn't seem right label Feb 3, 2022
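
An added example, not part of the thread and not retro-tag code: an offline pre-flight check for the two things visible in the invocation above, an explicit key passed alongside a profile and a key argument written as `ACCESS_KEY_ID` with no `$`, which hands the script the variable's name rather than its value. The helper names, the key-shape regex (a heuristic for the common `AKIA`/`ASIA` 20-character form) and the sample credentials are assumptions constructed for illustration.

```ruby
# Added example (not retro-tag code). Helper names are hypothetical.
# KEY_ID_SHAPE is a heuristic for the common 20-character key ID form.
KEY_ID_SHAPE = /\A(AKIA|ASIA)[A-Z0-9]{16}\z/

# Constructed sample mirroring the layout in the issue; all values are fake.
SAMPLE_CREDENTIALS = <<~INI
  [account_to_be_scanned]
  aws_access_key_id = AKIAEXAMPLEEXAMPLE00
  aws_secret_access_key = constructed-not-a-real-secret
  region = eu-west-1

  [root_account]
  aws_access_key_id = AKIAEXAMPLEEXAMPLE01
  aws_secret_access_key = constructed-not-a-real-secret
  region = eu-west-1
INI

# Minimal INI reader: returns { "profile" => { "key" => "value" } }.
def parse_credentials(text)
  profiles = {}
  current = nil
  text.each_line do |line|
    line = line.strip
    next if line.empty? || line.start_with?('#', ';')
    if (m = line.match(/\A\[(.+)\]\z/))
      current = profiles[m[1].strip] = {}
    elsif current && (m = line.match(/\A([^=]+?)\s*=\s*(.*)\z/))
      current[m[1]] = m[2]
    end
  end
  profiles
end

# Returns a list of findings; never echoes secret values.
def check_scan_args(profiles, profile:, key_id: nil, env: ENV)
  findings = []
  known = profile && profiles.key?(profile)
  findings << "profile '#{profile}' not found in credentials file" if profile && !known
  return findings unless key_id

  findings << "explicit key given although profile '#{profile}' already supplies one" if known
  unless key_id.match?(KEY_ID_SHAPE)
    findings << if env.key?(key_id)
                  "'#{key_id}' is the name of an exported variable, not its value (missing '$'?)"
                else
                  "'#{key_id}' does not look like an access key ID"
                end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  profiles = parse_credentials(SAMPLE_CREDENTIALS)
  env = { 'ACCESS_KEY_ID' => 'AKIAEXAMPLEEXAMPLE00' } # constructed environment
  puts check_scan_args(profiles, profile: 'account_to_be_scanned',
                       key_id: 'ACCESS_KEY_ID', env: env)
end
```

A clean result here only says the arguments are well-formed; whether AWS accepts the key still has to be confirmed against the account.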