Friday, January 15, 2016

mysql - ec2-consistent-snapshot cannot validate provided access credentials



I'm trying to use Eric Hammond's ec2-consistent-snapshot utility on a dedicated mysql server.




I've created an IAM user and attached a power user permission policy (using the AWS console).



On a 32bit Ubuntu 10.10 ec2 instance and an XFS volume, I have installed ec2-consistent-snapshot following these instructions : http://alestic.com/mt/mt-search.cgi?blog_id=1&tag=ec2-consistent-snapshot&limit=20.



The command I launch is the following :



ec2-consistent-snapshot \ 
--freeze-filesystem /data03 \
--description "Test description $(date +'%Y-%m-%d %H:%M:%S')" \
--mysql \

--mysql-user \
--mysql-host 127.0.0.1 \
--mysql-socket /var/run/mysqld/mysqld.sock \
--debug \
vol-11111111


And the debug output is :



ec2-consistent-snapshot: Using AWS access key: AWSAccessKeyId=AKI[...]

ec2-consistent-snapshot: Thu Mar 22 10:28:53 2012: MySQL connect as
ec2-consistent-snapshot: Thu Mar 22 10:28:53 2012: MySQL flush
ec2-consistent-snapshot: Thu Mar 22 10:28:53 2012: MySQL flush & lock
ec2-consistent-snapshot: master_log_file="mysql-bin.000726", master_log_pos=106
ec2-consistent-snapshot: Thu Mar 22 10:28:53 2012: sync
ec2-consistent-snapshot: Thu Mar 22 10:28:53 2012: xfs_freeze -f /data03
ec2-consistent-snapshot: Thu Mar 22 10:28:54 2012: create EC2 object
ec2-consistent-snapshot: Thu Mar 22 10:28:54 2012: ec2-create-snapshot vol-11111111
ec2-consistent-snapshot: ERROR: AWS was not able to validate the provided access credentials
ec2-consistent-snapshot: Thu Mar 22 10:28:56 2012: xfs_freeze -u /data03

ec2-consistent-snapshot: Thu Mar 22 10:28:56 2012: MySQL unlock
ec2-consistent-snapshot: Thu Mar 22 10:28:56 2012: MySQL disconnect
ec2-consistent-snapshot: Thu Mar 22 10:28:56 2012: done


(Of course, volume id is not actually 111111111).



I tried modifying the code to be sure it was using the correct secret key, which turned out to be the right one.



I also have an evironment variable that points to /root/.awssecret




echo $AWS_CREDENTIAL_FILE
/root/.awssecret


Other things I've tried, and have produced the same results :
-Passing the credential file's path as a paramater.
-Generating new credentials and using those.
-Specifying the region as us-east-1 rather than letting it go to default.




Here is what my credentials file LOOKS like :



AWSAccessKeyId=AKI[...]
AWSSecretKey=DPh[..]


That's pretty much it, thanks for any help.


Answer



The debug output of ec2-consistent-snapshot usually reads:




'Using AWS access key: AKI[...]'


Since the output you are shown includes AWSAccessKeyId= and after a quick glance at the code (lines 470-471) - which simply reads in each line, with no further parsing:



($aws_access_key_id, $aws_secret_access_key) =
File::Slurp::read_file($aws_credentials_file);


The solution is likely to leave off the 'AWSAccessKeyId=' and 'AWSSecretKey=' prefixes in your credentials file. Your credentials file should, therefore, resemble:




AKI[...]
DPh[...]


As per the script's documentation, the file should contain the Amazon AWS access key and secret access key on seprate lines and in that order. Additionally, the script reads the $AWS_CREDENTIALS environment variable.



You could also try to pass the authentication parameters directly to the script, using the --aws-access-key-id and --aws-secret-access-key parameters.


No comments:

Post a Comment

linux - How to SSH to ec2 instance in VPC private subnet via NAT server

I have created a VPC in aws with a public subnet and a private subnet. The private subnet does not have direct access to external network. S...