AWS:尝试将指标从 EC2 推送到 CloudWatch 时出现身份验证问题
[英]AWS: Authentication issues trying to push metrics to CloudWatch from EC2
问题描述
I am trying to set up an EC2 (RHEL7) instance to push metrics to cloudwatch using perl scripts as described in http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/mon-scripts.html
我正在尝试设置一个 EC2 (RHEL7) 实例,以使用http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/mon-scripts.html 中所述的 perl 脚本将指标推送到 cloudwatch
I get an HTTP status 400 message "The security token included in the request is invalid"我收到一条 HTTP 状态 400 消息“请求中包含的安全令牌无效”
An instance profile is associated with the instance which has the following policy attached:实例配置文件与附加了以下策略的实例相关联:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cloudwatch:PutMetricData",
"cloudwatch:GetMetricStatistics",
"cloudwatch:ListMetrics"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:DescribeTags"
],
"Resource": "*"
}
]
}
I am pulling the AWSAccessKeyId and AWSSecretKey from the instance meta-data as follows:我从实例元数据中提取AWSAccessKeyId和AWSSecretKey ,如下所示:
ROLE=$(curl http://169.254.169.254/latest/meta-data/iam/security-credentials/)
CRED=$(curl http://169.254.169.254/latest/meta-data/iam/security-credentials/$ROLE)
AWSAccessKeyId=$(sed '/AccessKeyId/!d; s/.*:\ \+"\(.\+\)",/\1/g' <<< "$CRED")
AWSSecretKey=$(sed '/SecretAccessKey/!d; s/.*:\ \+"\(.\+\)",/\1/g' <<< "$CRED")
...the values set in the above variables are correct when i check them... ...当我检查它们时,上述变量中设置的值是正确的...
I am running the script to push to cloudwatch as follows (using creds stored in variables from above):我正在运行脚本以按如下方式推送到 cloudwatch(使用存储在上面变量中的凭据):
./mon-put-instance-data.pl --mem-util --verbose --aws-access-key-id $AWSAccessKeyId --aws-secret-key $AWSSecretKey
Any ideas why it is rejecting my credentials?任何想法为什么拒绝我的凭据?
Thanks in advance提前致谢
3 个解决方案
解决方案1
0 已采纳 2017-06-29 13:59:49
If you're using an IAM profile, you don't need to put in the credentials for your script call.如果您使用的是 IAM 配置文件,则无需输入脚本调用的凭据。 Remove the access key and secret key from your call.从您的呼叫中删除访问密钥和秘密密钥。
./mon-put-instance-data.pl --mem-util --verbose
解决方案2
0 2017-06-29 15:18:10
Yes.是的。 You are both right - it automatically picks up the role creds if you dont specify and seems to work.你们都是对的 - 如果您没有指定并且似乎有效,它会自动获取角色信用。
Not sure why it doesnt work by manually setting the creds but i can look at the perl script to work this out fairly easily.不知道为什么它不能通过手动设置信用来工作,但我可以查看 perl 脚本来很容易地解决这个问题。
Thanks for your help.感谢您的帮助。
解决方案3
0 2020-02-05 14:36:53
From documentation :从文档:
The following examples assume that you provided an IAM role or awscreds.conf file.
As an option when you get an error:作为出现错误时的一个选项:
ERROR: Failed to call CloudWatch: HTTP 400. Message: The security token included in the request is invalid.
the script uses a config file (eg with wrong credentials):该脚本使用配置文件(例如,使用错误的凭据):
aws-scripts-mon/awscreds.conf
So, an IAM role or awscreds.conf or --aws* params have to be provided.因此,必须提供 IAM 角色或awscreds.conf或--aws*参数。 And the IAM role has correct permissions :并且 IAM 角色具有正确的权限:
cloudwatch:PutMetricData
cloudwatch:GetMetricStatistics
cloudwatch:ListMetrics
ec2:DescribeTags
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.