
Cannot access Cost Explorer after creating a new user #3000

Closed
nexxai opened this issue Sep 18, 2024 · 2 comments
Labels
bug This issue is a bug. needs-triage This issue or PR still needs to be triaged.

nexxai commented Sep 18, 2024

Describe the bug

Ok, I am sure I'm doing something wrong here (user error vs. system error) but I am losing my mind and can't figure out where else to look.

The flow I'm trying to achieve is:

  1. Given a root access key / secret key:
  2. Create a policy that gives access to CostExplorer
  3. Create a user that only has this role attached to it
  4. Fetch and store the access key and secret key for this new user and discard the root credentials
  5. Using the new restricted account, access Cost Explorer and do things

This is the User policy I am attempting to attach:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ce:GetAnomalyMonitors",
                "ce:GetAnomalySubscriptions",
                "ce:CreateAnomalyMonitor",
                "ce:CreateAnomalySubscription",
                "ce:UpdateAnomalyMonitor",
                "ce:UpdateAnomalySubscription",
                "ce:DeleteAnomalyMonitor",
                "ce:DeleteAnomalySubscription",
                "ce:ListAnomalyMonitors",
                "ce:ListAnomalySubscriptions"
            ],
            "Resource": "*"
        }
    ]
}


Expected Behavior

To be able to create a new CostExplorerClient instance and access the various CostExplorer methods using the newly created user account.

Current Behavior

It creates the user account and role fine, attaches the policy to them, and then pukes when it tries to actually do the thing.

Error executing "GetAnomalyMonitors" on "https://ce.us-east-1.amazonaws.com"; AWS HTTP error: Client error: `POST https://ce.us-east-1.amazonaws.com` resulted in a `400 Bad Request` response:
{"__type":"UnrecognizedClientException","message":"The security token included in the request is invalid."}
 UnrecognizedClientException (client): The security token included in the request is invalid. - {"__type":"UnrecognizedClientException","message":"The security token included in the request is invalid."}

I understand that some services need tokens from STS but if I try to add an intermediary step of going to STS to assumeRole and get the keys, I get the same error, which makes even less sense (why would you need a token to fetch a token)?

I was concerned that maybe I have some cached token data somewhere (e.g. ~/.aws/credentials or in my current environment variables) but I made absolutely sure to clear those out (delete the file entirely, and unset those VARs).

I ran the CostExplorerClient in debug mode to make sure there wasn't a bad token being detected somewhere else and being injected, but nothing showed up there either.

I know I'm doing something wrong but I don't know where else to look.

Reproduction Steps

<?php
require 'vendor/autoload.php';

use Aws\Iam\IamClient;
use Aws\CostExplorer\CostExplorerClient;

// $access_key / $secret_key hold the bootstrap (root) credentials
$iam_client = new IamClient([
    'region' => 'us-east-1',
    'version' => 'latest',
    'credentials' => [
        'key' => $access_key,
        'secret' => $secret_key,
    ],
]);

$policy = [
    'Description' => 'New App User policy',
    'Path' => '/',
    'PolicyDocument' => $USER_POLICY,    // The JSON document shown above, as a string
    'PolicyName' => 'NewAppPolicy',
];

$user = [
    'UserName' => 'NewAppUser',
    'Path' => '/',
];

$created_user = $iam_client->createUser($user);

$created_policy = $iam_client->createPolicy($policy);

$iam_client->attachUserPolicy([
    'PolicyArn' => $created_policy['Policy']['Arn'],   // the ARN comes from the CreatePolicy result
    'UserName' => $created_user['User']['UserName'],
]);

// CreateAccessKey takes only UserName; new keys are returned as Active
$keys = $iam_client->createAccessKey([
    'UserName' => 'NewAppUser',
]);

$new_access_key = $keys['AccessKey']['AccessKeyId'];
$new_secret_key = $keys['AccessKey']['SecretAccessKey'];

$cost_client = new CostExplorerClient([
    'region' => 'us-east-1',
    'version' => 'latest',
    'credentials' => [
        'key' => $new_access_key,
        'secret' => $new_secret_key,
    ],
    'use_aws_shared_config_files' => false,
]);

$cost_client->getAnomalyMonitors();

Possible Solution

At this point, I'm at a loss.

Additional Information/Context

No response

SDK version used

3.321.13

Environment details (Version of PHP (php -v)? OS name and version, etc.)

PHP 8.3.11 (cli) (built: Sep 10 2024 15:12:42) (NTS), macOS

@nexxai nexxai added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Sep 18, 2024
@nexxai nexxai changed the title Cannot get a token from STS Cannot access Cost Explorer after creating a new user Sep 18, 2024
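The flow in the report (bootstrap with one set of credentials, create a least-privilege user, switch to its key, call Cost Explorer) is shown below as an added example; it is not code from the issue or from aws-sdk-php. A freshly created IAM access key is eventually consistent, so for a few seconds after CreateAccessKey the signing service can reject it with exactly the "security token included in the request is invalid" error seen above (InvalidClientTokenId from STS, UnrecognizedClientException from Cost Explorer). The example probes with sts:GetCallerIdentity, which needs no IAM permission, and retries with backoff before using the key for ce:* calls. Assumptions: aws/aws-sdk-php v3 installed via Composer, $bootstrap_key/$bootstrap_secret set by the caller, and the hypothetical names NewAppUser/NewAppPolicy.

```php
<?php
// Added example, not from the original issue. Assumes aws/aws-sdk-php v3 and that
// $bootstrap_key / $bootstrap_secret are set by the caller; user and policy names are hypothetical.
require 'vendor/autoload.php';

use Aws\Iam\IamClient;
use Aws\Sts\StsClient;
use Aws\CostExplorer\CostExplorerClient;
use Aws\Exception\AwsException;

const REGION = 'us-east-1';   // Cost Explorer is served from ce.us-east-1.amazonaws.com

// Least-privilege policy: only the anomaly-detection calls the app will make.
$userPolicy = json_encode([
    'Version' => '2012-10-17',
    'Statement' => [[
        'Effect' => 'Allow',
        'Action' => [
            'ce:GetAnomalyMonitors', 'ce:GetAnomalySubscriptions',
            'ce:CreateAnomalyMonitor', 'ce:CreateAnomalySubscription',
            'ce:UpdateAnomalyMonitor', 'ce:UpdateAnomalySubscription',
            'ce:DeleteAnomalyMonitor', 'ce:DeleteAnomalySubscription',
            'ce:ListAnomalyMonitors', 'ce:ListAnomalySubscriptions',
        ],
        'Resource' => '*',
    ]],
]);

$bootstrapCreds = ['key' => $bootstrap_key, 'secret' => $bootstrap_secret];
$iam = new IamClient(['region' => REGION, 'version' => 'latest', 'credentials' => $bootstrapCreds]);

$user   = $iam->createUser(['UserName' => 'NewAppUser', 'Path' => '/']);
$policy = $iam->createPolicy([
    'PolicyName'     => 'NewAppPolicy',
    'Path'           => '/',
    'Description'    => 'Cost Explorer anomaly access only',
    'PolicyDocument' => $userPolicy,          // must be a JSON string, not an array
]);
$iam->attachUserPolicy([
    'PolicyArn' => $policy['Policy']['Arn'],  // ARN comes from the CreatePolicy result
    'UserName'  => $user['User']['UserName'],
]);
$keys = $iam->createAccessKey(['UserName' => $user['User']['UserName']]);

$newCreds = [
    'key'    => $keys['AccessKey']['AccessKeyId'],
    'secret' => $keys['AccessKey']['SecretAccessKey'],
];

/**
 * Wait until a newly created access key is accepted by the signing service.
 * sts:GetCallerIdentity needs no IAM permission, so a success here means the key
 * itself is live; anything other than the two "token invalid" codes is a real error.
 */
function waitForKeyPropagation(array $creds, int $maxAttempts = 8): string
{
    $sts = new StsClient(['region' => REGION, 'version' => 'latest', 'credentials' => $creds]);
    for ($attempt = 1; $attempt <= $maxAttempts; $attempt++) {
        try {
            return $sts->getCallerIdentity()['Arn'];
        } catch (AwsException $e) {
            $code = $e->getAwsErrorCode();
            if (!in_array($code, ['InvalidClientTokenId', 'UnrecognizedClientException'], true)) {
                throw $e;                         // not propagation lag: surface it
            }
            sleep(min(2 ** $attempt, 10));        // exponential backoff, capped at 10 s
        }
    }
    throw new RuntimeException('Access key did not become usable in time');
}

$arn = waitForKeyPropagation($newCreds);
fwrite(STDERR, "Restricted identity ready: $arn\n");

// From here on only the restricted key is used; drop the bootstrap credentials.
// If they were root access keys, delete them in the account as well.
unset($bootstrapCreds, $bootstrap_key, $bootstrap_secret);

$ce = new CostExplorerClient([
    'region'      => REGION,
    'version'     => 'latest',
    'credentials' => $newCreds,
    'use_aws_shared_config_files' => false,   // never fall back to ~/.aws/credentials
]);

$monitors = $ce->getAnomalyMonitors();
printf("%d anomaly monitor(s) visible to NewAppUser\n", count($monitors['AnomalyMonitors']));
```

The probe is deliberately against STS rather than Cost Explorer so that a permissions mistake in the policy is not misread as propagation lag: once GetCallerIdentity succeeds, a later AccessDeniedException from ce:* is a policy problem, while an UnrecognizedClientException would still be a credential problem.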

nexxai commented Sep 18, 2024

I ended up completely redoing everything and even though I'm pretty sure I followed the exact same flow, it all works now so I'm going to close this.

@nexxai nexxai closed this as completed Sep 18, 2024