Error when refreshing credentials Cognito Identity - node.js

I am trying to authenticate a cognito user pool user in node, but I am running into an error (404) when refreshing the credentials. I try authenticating with cognitoUser.authenticateUser. That is successful, and inside the onSuccess, I create credentials with AWS.CognitoIdentityCredentials and get the following
CognitoIdentityCredentials {
expired: true,
expireTime: null,
accessKeyId: undefined,
sessionToken: undefined,
params:
{ IdentityPoolId: '...',
Logins:
{ 'cognito...': '...' } },
data: null,
_identityId: null,
_clientConfig: {} }
So I try refreshing the credentials with AWS.config.credentials.refresh but I get this error
{ UnknownError: Not Found
at Request.extractError (/Users/.../projects/nodekb/node_modules/aws-sdk/lib/protocol/json.js:48:27)
at Request.callListeners (/Users/.../projects/nodekb/node_modules/aws-sdk/lib/sequential_executor.js:105:20)
at Request.emit (/Users/.../projects/nodekb/node_modules/aws-sdk/lib/sequential_executor.js:77:10)
at Request.emit (/Users/.../projects/nodekb/node_modules/aws-sdk/lib/request.js:683:14)
at Request.transition (/Users/.../projects/nodekb/node_modules/aws-sdk/lib/request.js:22:10)
at AcceptorStateMachine.runTo (/Users/.../projects/nodekb/node_modules/aws-sdk/lib/state_machine.js:14:12)
at /Users/.../projects/nodekb/node_modules/aws-sdk/lib/state_machine.js:26:10
at Request.<anonymous> (/Users/.../projects/nodekb/node_modules/aws-sdk/lib/request.js:38:9)
at Request.<anonymous> (/Users/.../projects/nodekb/node_modules/aws-sdk/lib/request.js:685:12)
at Request.callListeners (/Users/.../projects/nodekb/node_modules/aws-sdk/lib/sequential_executor.js:115:18)
message: 'Not Found',
code: 'UnknownError',
statusCode: 404,
time: 2018-02-21T19:03:29.670Z,
requestId: '...',
retryable: false,
retryDelay: 81.76059666489807 }
Note: these are the two libraries I have required
const AWS = require('aws-sdk');
const AWSCognito = require('amazon-cognito-identity-js');
and I'm following the instructions here. Specifically use case 4

I believe my issue was that my endpoint was set to dynamo. After I changed the endpoint in the AWS configuration, I got another error

I had the same problem, runnining in node, the endpoint was by default set also to dynamodb endpoint. After reseting it (I changed it to undefined), the credentials were refreshed.

( < AWS.CognitoIdentityCredentials > AWS.config.credentials).refresh((error) => {});

Related

How to use MFA in Javascript aws-sdk?

I have an infrastructure where AWS login happens on a Role basis requires MFA from MS authenticator which pops up on Mobile device for Accept or Decline. Normally on CLI, we use saml2aws and it generates temporary access key secret key with assume role.
I am trying to use aws-sdk in my nodejs and trying to validate the credentials but not getting any popup and gets below error.
Please suggest the method or way to achieve this.
const AWS = require('aws-sdk');
var eks = new AWS.EKS({ accessKeyId: "ABCDEFGHIJKLMNOPQRSTUVWXYZ", secretAccessKey : "gsdhjfkjbkbfvfkqbvfhvqhfvqhfv", region: "us-west-2"});
var params = { name: "testing" };
eks.describeCluster(params, function(err, data) {
if (err) console.log(err, err.stack); // an error occurred
else console.log(data); // successful response
});
After executing the above code: I am receiving the below error:
UnrecognizedClientException: The security token included in the request is invalid.
at Object.extractError (D:\Prashant\kubernetes-app\node_modules\aws-sdk\lib\protocol\json.js:52:27)
at Request.extractError (D:\Prashant\kubernetes-app\node_modules\aws-sdk\lib\protocol\rest_json.js:55:8)
at Request.callListeners (D:\Prashant\kubernetes-app\node_modules\aws-sdk\lib\sequential_executor.js:106:20)
at Request.emit (D:\Prashant\kubernetes-app\node_modules\aws-sdk\lib\sequential_executor.js:78:10)
at Request.emit (D:\Prashant\kubernetes-app\node_modules\aws-sdk\lib\request.js:688:14)
at Request.transition (D:\Prashant\kubernetes-app\node_modules\aws-sdk\lib\request.js:22:10)
at AcceptorStateMachine.runTo (D:\Prashant\kubernetes-app\node_modules\aws-sdk\lib\state_machine.js:14:12)
at D:\Prashant\kubernetes-app\node_modules\aws-sdk\lib\state_machine.js:26:10
at Request.<anonymous> (D:\Prashant\kubernetes-app\node_modules\aws-sdk\lib\request.js:38:9)
at Request.<anonymous> (D:\Prashant\kubernetes-app\node_modules\aws-sdk\lib\request.js:690:12) {
code: 'UnrecognizedClientException',
time: 2020-11-03T22:36:19.516Z,
requestId: '2e3486d0-3219-410c-8963-970958c5c14d',
statusCode: 403,
retryable: false,
retryDelay: 91.55836550904752
}
This request is completed. Was a bit tricky but done. Comment if anyone else facing the issue will let you know the solution.

dynamodb TransactWriteItems error: An unknown operation was requested

I'm trying to update multiple items using TransactWriteItems, But I have got the following error:
{
UnknownOperationException: An unknown operation was requested.
at Request.extractError (project-dir\node_modules\aws-sdk\lib\protocol\json.js:51:27)
at Request.callListeners (project-dir\node_modules\aws-sdk\lib\sequential_executor.js:106:20)
at Request.emit (project-dir\node_modules\aws-sdk\lib\sequential_executor.js:78:10)
at Request.emit (project-dir\node_modules\aws-sdk\lib\request.js:683:14)
at Request.transition (project-dir\node_modules\aws-sdk\lib\request.js:22:10)
at AcceptorStateMachine.runTo (project-dir\node_modules\aws-sdk\lib\state_machine.js:14:12)
at project-dir\node_modules\aws-sdk\lib\state_machine.js:26:10
at Request.<anonymous> (project-dir\node_modules\aws-sdk\lib\request.js:38:9)
at Request.<anonymous> (project-dir\node_modules\aws-sdk\lib\request.js:685:12)
at Request.callListeners (project-dir\node_modules\aws-sdk\lib\sequential_executor.js:116:18)
message: 'An unknown operation was requested.',
code: 'UnknownOperationException',
time: 2019-06-21T18:28:46.776Z,
requestId: '',
statusCode: 400,
retryable: false,
retryDelay: 17.98291928629798
}
My Code is given below:
const dynamodb = new aws.DynamoDB({ endpoint: "http://localhost:8000" });
const result = await dynamodb
.transactWriteItems({
TransactItems: [{
"Update":{
"TableName":"dbTable1",
"Key":{
"id": { "S":"table-primary-key-id-01" }
},
"ConditionExpression": "#id = :id",
"UpdateExpression":"set #orderNo = :orderNo",
"ExpressionAttributeNames": {
"#id": "id",
"#orderNo":"orderNo"
},
"ExpressionAttributeValues":{
":id":{"S":"table-primary-key-id-01"},
":orderNo":{"N":"9"}
}
}
}]
})
.promise();
Any help would be very much appreciable. Thanks in advance.
I see you are running the TransactWriteItems operation on a local dynamodb instance. Unfortunately AWS has not implemented support for Transactions API call for dynamodb local instances.

AWS SDK and NODE JS --> UnknownEndpoint

I have followed this guide: https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/ec2-example-creating-an-instance.html
When I run the code below - I get the UnknowEndPoint error.
I have created an AWS IAM user and added the user to a group with the policy name "IAMFullAccess" - I don't know which other policy would fit (I can see in the AWS dashboard that my credentials has been used programmatically - So I guess this part works well...)?
I have placed my credentials in the .aws folder in a file named credentials.
I am not sure what actually to put inside the 'KeyName' below - currently I have entered the Key Pair Name I find by clicking on one of my existing AWS EC2 instances in the dashboard. Is this correct?
Is there some security group or similar I need to edit - to able to connect NodeJS to my AWS account? Otherwise I have no clue what to do?
In start.js file:
process.env.AWS_SDK_LOAD_CONFIG=1;
var AWS_SDK = require('./aws_sdk');
var aws_sdk = new AWS_SDK();
aws_sdk.CopyInstance();
In aws_sdk.js file:
function AWS_SDK() {
this.CopyInstance = function() {
try {
// Load the AWS SDK for Node.js
var AWS = require('aws-sdk');
//Set the region
AWS.config.update({region: 'us-east-2a'});
var instanceParams = {
ImageId: 'ami-0...',
InstanceType: 't1.micro',
KeyName: '<Key_name>',
MinCount: 1,
MaxCount: 1
};
// Create a promise on an EC2 service object
var instancePromise = new AWS.EC2({apiVersion: '2016-11-15'}).runInstances(instanceParams).promise();
// Handle promise's fulfilled/rejected states
instancePromise.then(
function (data) {
console.log(data);
var instanceId = data.Instances[0].InstanceId;
console.log("Created instance", instanceId);
// Add tags to the instance
var tagParams = {
Resources: [instanceId], Tags: [
{
Key: 'Name',
Value: 'SDK Sample'
}
]
};
// Create a promise on an EC2 service object
var tagPromise = new AWS.EC2({apiVersion: '2016-11-15'}).createTags(tagParams).promise();
// Handle promise's fulfilled/rejected states
tagPromise.then(
function (data) {
console.log("Instance tagged");
}).catch(
function (err) {
console.error(err, err.stack);
});
}).catch(
function (err) {
console.error(err, err.stack);
});
}
catch(e){
wl.info('Error: ' + e);
}
}
function create() {
if(globalAWS === null)
globalAWS = new AWS_SDK();
return globalAWS;
}
module.exports = create;
ERROR:
{ UnknownEndpoint: Inaccessible host: ec2.us-east-2a.amazonaws.com'.
This service may not be available in theus-east-2a' region.
at Request.ENOTFOUND_ERROR (D:\Workspace\BitBucket\Test\node_modules\aws-sdk\lib\event_listeners.js:486:46)
at Request.callListeners (D:\Workspace\BitBucket\Test\node_modules\aws-sdk\lib\sequential_executor.js:106:20)
at Request.emit (D:\Workspace\BitBucket\Test\node_modules\aws-sdk\lib\sequential_executor.js:78:10)
at Request.emit (D:\Workspace\BitBucket\Test\node_modules\aws-sdk\lib\request.js:683:14)
at ClientRequest.error (D:\Workspace\BitBucket\Test\node_modules\aws-sdk\lib\event_listeners.js:325:22)
at ClientRequest. (D:\Workspace\BitBucket\Test\node_modules\aws-sdk\lib\http\node.js:93:19)
at ClientRequest.emit (events.js:182:13)
at ClientRequest.EventEmitter.emit (domain.js:442:20)
at TLSSocket.socketErrorListener (_http_client.js:391:9)
at TLSSocket.emit (events.js:182:13) message: 'Inaccessible host: ec2.us-east-2a.amazonaws.com\'. This service may not be
available in theus-east-2a\' region.', code: 'UnknownEndpoint',
region: 'us-east-2a', hostname: 'ec2.us-east-2a.amazonaws.com',
retryable: true, originalError: { Error: getaddrinfo ENOTFOUND
ec2.us-east-2a.amazonaws.com ec2.us-east-2a.amazonaws.com:443
at GetAddrInfoReqWrap.onlookup [as oncomplete] (dns.js:57:26)
message:
'getaddrinfo ENOTFOUND ec2.us-east-2a.amazonaws.com ec2.us-east-2a.amazonaws.com:443',
errno: 'ENOTFOUND',
code: 'NetworkingError',
syscall: 'getaddrinfo',
hostname: 'ec2.us-east-2a.amazonaws.com',
host: 'ec2.us-east-2a.amazonaws.com',
port: 443,
region: 'us-east-2a',
retryable: true,
time: 2019-01-14T20:03:42.177Z }, time: 2019-01-14T20:03:42.177Z } 'UnknownEndpoint: Inaccessible host:
ec2.us-east-2a.amazonaws.com\'. This service may not be available in
theus-east-2a\' region.\n at Request.ENOTFOUND_ERROR
(D:\Workspace\BitBucket\Test\node_modules\aws-sdk\lib\event_listeners.js:486:46)\n
at Request.callListeners
(D:\Workspace\BitBucket\Test\node_modules\aws-sdk\lib\sequential_executor.js:106:20)\n
at Request.emit
(D:\Workspace\BitBucket\Test\node_modules\aws-sdk\lib\sequential_executor.js:78:10)\n
at Request.emit
(D:\Workspace\BitBucket\Test\node_modules\aws-sdk\lib\request.js:683:14)\n
at ClientRequest.error
(D:\Workspace\BitBucket\Test\node_modules\aws-sdk\lib\event_listeners.js:325:22)\n
at ClientRequest.
(D:\Workspace\BitBucket\Test\node_modules\aws-sdk\lib\http\node.js:93:19)\n
at ClientRequest.emit (events.js:182:13)\n at
ClientRequest.EventEmitter.emit (domain.js:442:20)\n at
TLSSocket.socketErrorListener (_http_client.js:391:9)\n at
TLSSocket.emit (events.js:182:13)'
Process finished with exit code 0
If I change the REGION to "us-east-2" (delete the 'a' at the end) the error changes to this:
{ Unsupported: The requested configuration is currently not supported. Please check the documentation for supported configurations.
at Request.extractError (D:\Workspace\BitBucket\Test\node_modules\aws-sdk\lib\services\ec2.js:50:35)
at Request.callListeners (D:\Workspace\BitBucket\Test\node_modules\aws-sdk\lib\sequential_executor.js:106:20)
at Request.emit (D:\Workspace\BitBucket\Test\node_modules\aws-sdk\lib\sequential_executor.js:78:10)
at Request.emit (D:\Workspace\BitBucket\Test\node_modules\aws-sdk\lib\request.js:683:14)
at Request.transition (D:\Workspace\BitBucket\Test\node_modules\aws-sdk\lib\request.js:22:10)
at AcceptorStateMachine.runTo (D:\Workspace\BitBucket\Test\node_modules\aws-sdk\lib\state_machine.js:14:12)
at D:\Workspace\BitBucket\Test\node_modules\aws-sdk\lib\state_machine.js:26:10
at Request.<anonymous> (D:\Workspace\BitBucket\Test\node_modules\aws-sdk\lib\request.js:38:9)
at Request.<anonymous> (D:\Workspace\BitBucket\Test\node_modules\aws-sdk\lib\request.js:685:12)
at Request.callListeners (D:\Workspace\BitBucket\Test\node_modules\aws-sdk\lib\sequential_executor.js:116:18)
message:
'The requested configuration is currently not supported. Please check the documentation for supported configurations.',
code: 'Unsupported',
time: 2019-01-14T20:31:55.954Z,
requestId: '815a44e2-5d0d-453e-a4ff-6faac2695064',
statusCode: 400,
retryable: false,
retryDelay: 51.269952198296934 } 'Unsupported: The requested configuration is currently not supported. Please check the documentation for supported configurations.\n at Request.extractError (D:\\Workspace\\BitBucket\\Test\\node_modules\\aws-sdk\\lib\\services\\ec2.js:50:35)\n at Request.callListeners (D:\\Workspace\\BitBucket\\Test\\node_modules\\aws-sdk\\lib\\sequential_executor.js:106:20)\n at Request.emit (D:\\Workspace\\BitBucket\\Test\\node_modules\\aws-sdk\\lib\\sequential_executor.js:78:10)\n at Request.emit (D:\\Workspace\\BitBucket\\Test\\node_modules\\aws-sdk\\lib\\request.js:683:14)\n at Request.transition (D:\\Workspace\\BitBucket\\Test\\node_modules\\aws-sdk\\lib\\request.js:22:10)\n at AcceptorStateMachine.runTo (D:\\Workspace\\BitBucket\\Test\\node_modules\\aws-sdk\\lib\\state_machine.js:14:12)\n at D:\\Workspace\\BitBucket\\Test\\node_modules\\aws-sdk\\lib\\state_machine.js:26:10\n at Request.<anonymous> (D:\\Workspace\\BitBucket\\Test\\node_modules\\aws-sdk\\lib\\request.js:38:9)\n at Request.<anonymous> (D:\\Workspace\\BitBucket\\Test\\node_modules\\aws-sdk\\lib\\request.js:685:12)\n at Request.callListeners (D:\\Workspace\\BitBucket\\Test\\node_modules\\aws-sdk\\lib\\sequential_executor.js:116:18)'
Update 1:
I changed the REGION from to 'us-est-2' and now also updated my ~/.aws/config file (before the file only contained 1 line/row: 'region=us-west-2'):
[default]
region=us-west-2
output=json
Now I get this error (when I try to decode it in the CMD) - I still don't understand what extra roles I have to give/grant my IAM-AWS user to be able read the error message?
An error occurred (AccessDenied) when calling the DecodeAuthorizationMessage operation: User: arn:aws:iam::0046xxxxxxx:user/user_name is not authorized to perform: sts:DecodeAuthorizationMessage
You have configured your AWS region as us-east-2a. That isn't a region, that is an availability zone. Your region should be configured as us-east-2.
After I added the IAM role: "AdministratorAccess" all issues were gone :) The question is now - which role(s) are actually needed to be granted for it to work..."AdministratorAccess" was just for testing purpose.

AWS S3 parse URI error with docker containers

On my local environment, I develop a file upload feature with a express/node backend and an AWS S3 server (using scality/S3). Both services are dockerized in their own container, and the communication works fine.
My problem is that the S3 server seems not to understand the upload request. Here is the code I try to use :
const s3 = new S3({
accessKeyId: 'accessKey1',
secretAccessKey: 'verySecretKey1',
endpoint: 's3server:8000',
sslEnabled: false,
s3ForcePathStyle: true,
});
function uploadFile(file) {
const params = {
Body: file,
Bucket: 'testbucket',
Key: 'testkey',
ACL: 'public-read',
};
s3.upload(params, (err, data) => {
if (err) console.log(err, err.stack); // an error occurred
else console.log(data); // successful response
});
}
The S3 server receives the request but send back the error:
{"name":"S3","clientIP":"::ffff:172.18.0.5","clientPort":45066,"httpMethod":"PUT","httpURL":"/testbucket/testkey","time":1502458550488,"req_id":"7f4fac280644b5cf203c","level":"info","message":"received request","hostname":"faf8cb0b47d4","pid":103}
{"name":"S3","bytesSent":192,"clientIP":"::ffff:172.18.0.5","clientPort":45066,"httpMethod":"PUT","httpURL":"/testbucket/testkey","httpCode":400,"time":1502458550491,"req_id":"7f4fac280644b5cf203c","elapsed_ms":2.607924,"level":"info","message":"responded with error XML","hostname":"faf8cb0b47d4","pid":103}
And the node backend logs the error:
{ InvalidURI: Couldn't parse the specified URI.
at Request.extractError (/usr/src/api/node_modules/aws-sdk/lib/services/s3.js:577:35)
at Request.callListeners (/usr/src/api/node_modules/aws-sdk/lib/sequential_executor.js:105:20)
at Request.emit (/usr/src/api/node_modules/aws-sdk/lib/sequential_executor.js:77:10)
at Request.emit (/usr/src/api/node_modules/aws-sdk/lib/request.js:683:14)
at Request.transition (/usr/src/api/node_modules/aws-sdk/lib/request.js:22:10)
at AcceptorStateMachine.runTo (/usr/src/api/node_modules/aws-sdk/lib/state_machine.js:14:12)
at /usr/src/api/node_modules/aws-sdk/lib/state_machine.js:26:10
at Request.<anonymous> (/usr/src/api/node_modules/aws-sdk/lib/request.js:38:9)
at Request.<anonymous> (/usr/src/api/node_modules/aws-sdk/lib/request.js:685:12)
at Request.callListeners (/usr/src/api/node_modules/aws-sdk/lib/sequential_executor.js:115:18)
at Request.emit (/usr/src/api/node_modules/aws-sdk/lib/sequential_executor.js:77:10)
at Request.emit (/usr/src/api/node_modules/aws-sdk/lib/request.js:683:14)
at Request.transition (/usr/src/api/node_modules/aws-sdk/lib/request.js:22:10)
at AcceptorStateMachine.runTo (/usr/src/api/node_modules/aws-sdk/lib/state_machine.js:14:12)
at /usr/src/api/node_modules/aws-sdk/lib/state_machine.js:26:10
at Request.<anonymous> (/usr/src/api/node_modules/aws-sdk/lib/request.js:38:9)
message: 'Couldn\'t parse the specified URI.',
code: 'InvalidURI',
region: null,
time: 2017-08-11T13:35:50.510Z,
requestId: '7f4fac280644b5cf203c',
extendedRequestId: '7f4fac280644b5cf203c',
cfId: undefined,
statusCode: 400,
retryable: false,
retryDelay: 57.08331622136704 }
I saw some answers about utf-8 encoding problems but it didn't work on my case :/
Does anyone has an idea about why it can't parse the URI ?
Thank you for your time !
You can fix this by providing your own config.json using volumes, as suggested here.
Copy config.json.
Add "s3server": "us-east-1", to "restEndpoints".
docker run -v $(pwd)/config.json:/usr/src/app/config.json ...
or if you're using docker compose, add something like the following to your docker-compose.yaml:
s3server:
image: scality/s3server
restart: always
expose: [8000]
stdin_open: true
tty: true
container_name: s3server
volumes:
- "${PWD}/s3config.json:/usr/src/app/config.json"

AWS SNS publish 404 error

I have a lambda function where I am trying to publish a message to SNS topic:
Here is the code:
var params = {
Message: origmessage,
Subject: "Retrying posting URL",
TopicArn: "arn:aws:sns:us-west-2:<acctid>:SampleTopic"
};
sns.publish(params, function(err, data) {
if (err) {
console.log("SNS publish error")
console.log(err, err.stack)
console.log(data, data)
console.log("RETRY PARAMS:" + params);
context.fail(err);
}
});
SNS publish error is cryptic as I am unable to find the root cause. Appreciate if someone can help me show a way to debug this.
Here is the error:
2017-01-19T00:41:13.947Z d440064d-dddf-11e6-abad-8de6d2739d36 {
[404: null]
message: null,
code: 404,
time: Thu Jan 19 2017 00:41:13 GMT+0000 (UTC),
requestId: '0ENTKJ09RT82VE0SFEUJKT75NVVV4KQNSO5AEMVJF66Q9ASUAAJG',
statusCode: 404,
retryable: false,
retryDelay: 26.97333029936999
}
'404: null
at Request.extractError (/var/task/node_modules/aws-sdk/lib/protocol/query.js:45:29)
at Request.callListeners (/var/task/node_modules/aws-sdk/lib/sequential_executor.js:105:20)
at Request.emit (/var/task/node_modules/aws-sdk/lib/sequential_executor.js:77:10)
at Request.emit (/var/task/node_modules/aws-sdk/lib/request.js:668:14)
at Request.transition (/var/task/node_modules/aws-sdk/lib/request.js:22:10)
at AcceptorStateMachine.runTo (/var/task/node_modules/aws-sdk/lib/state_machine.js:14:12)
at /var/task/node_modules/aws-sdk/lib/state_machine.js:26:10
at Request.<anonymous> (/var/task/node_modules/aws-sdk/lib/request.js:38:9)
at Request.<anonymous> (/var/task/node_modules/aws-sdk/lib/request.js:670:12)
at Request.callListeners (/var/task/node_modules/aws-sdk/lib/sequential_executor.js:115:18)'
As per your comments, when you use AWS.config.update, it affects all services.
By setting the endpoint parameter to the dynamodb endpoint, you are setting that endpoint for all services, including SNS.
This is an offending example where it says to specify the endpoint for dynamodb:
http://docs.aws.amazon.com/amazondynamodb/latest/gettingstartedguide/GettingStarted.NodeJs.Summary.html
Instead, the endpoint should be taken out of AWS.config.update and somehow specified in each service's constructor.
Matt - That was it. Dynamodb config was what was causing this issue. Appreciate all your help.
Thanks

Resources