Open
Description
Hello! It would be awesome if the Readme could be extended with troubleshooting tips for permissions. I will provide two examples where I lost quite a while due to this.
Example 1: Bad keys
I have reused existing aws creds setup we had already for ECR

```yaml
aws-credentials: &aws-credentials
  aws_access_key_id: ((dev-access-key))
  aws_secret_access_key: ((dev-secret-key))
  aws_session_token: ((dev-session-token))
  region_name: "eu-west-1"
# ...
- name: builds-bucket
  type: s3
  source:
    bucket: my-bucket
    <<: *aws-credentials
# ...
```

...not noticing that S3 uses different keys. While `get` succeeded, `put` failed with

```
AccessDenied: Anonymous users cannot initiate multipart uploads. Please authenticate. status code: 403
```
Example 2: Missing token due to a typo
I fixed the keys but made a typo, forgetting a ):
```yaml
aws-credentials-s3: &aws-credentials-s3
  access_key_id: ((dev-access-key))
  secret_access_key: ((dev-secret-key))
  session_token: ((dev-session-token) # <----
  region_name: "eu-west-1"
```

Now it failed with the clear but for me puzzling

```
InvalidToken: The provided token is malformed or otherwise invalid. status code: 400
```
What would have helped me
I can `fly -t myteam hijack -job=mypipeline/myjob` and enter the S3 Docker for `put` but what next?
- How can I see what credentials were supplied to the task? (in Don't hardcode AWS region #1 those would be empty, in Support S3 compatible / custom endpoint URL? #2 token would be `((dev-session-token)` instead of the expected value) I do not have them since they come from Concourse variables (which I could likely look up in AWS Secrets Manager or where we have them), moreover I also need to see that they were passed correctly to the S3 resource
- How can I manually check whether access to the bucket is allowed? I guess I could issue a few commands (which?) to install `awscli` and use that manually to try to upload - but again I'd need the credentials
Thank you!!!
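
A static check for the two mistakes described in this issue, as an added example that is not part of the original post or of the resource's own code. The function name `lint_s3_credentials` and the sample blocks are constructed here; the key names and the two snippets are the ones quoted in the issue, and the check assumes a flat block of `key: value` lines.

```python
import re

# Key names as they appear in the issue: the S3 resource read these three,
# while the same names with an "aws_" prefix (the ECR setup) were ignored.
S3_CRED_KEYS = ("access_key_id", "secret_access_key", "session_token")

# Constructed sample input: the two credential blocks quoted in the issue.
EXAMPLE_1 = """\
aws-credentials: &aws-credentials
  aws_access_key_id: ((dev-access-key))
  aws_secret_access_key: ((dev-secret-key))
  aws_session_token: ((dev-session-token))
  region_name: "eu-west-1"
"""
EXAMPLE_2 = """\
aws-credentials-s3: &aws-credentials-s3
  access_key_id: ((dev-access-key))
  secret_access_key: ((dev-secret-key))
  session_token: ((dev-session-token) # <----
  region_name: "eu-west-1"
"""

def lint_s3_credentials(block):
    """Lint one flat YAML credentials block; return a list of (line, message)."""
    findings, seen = [], set()
    for no, raw in enumerate(block.splitlines(), 1):
        line = re.sub(r"\s+#.*$", "", raw).strip()  # drop trailing comments
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        seen.add(key)
        if key.startswith("aws_") and key[4:] in S3_CRED_KEYS:
            findings.append((no, f"{key}: not read by the s3 resource, use {key[4:]}"))
        # An unclosed ((var)) is not interpolated and reaches AWS as literal text.
        if value.count("((") != value.count("))"):
            findings.append((no, f"{key}: unbalanced ((var)), sent as literal text"))
    # Inferred from the "Anonymous users" error in Example 1: with neither key
    # set, the resource has nothing to sign requests with (reported as line 0).
    for required in S3_CRED_KEYS[:2]:
        if required not in seen:
            findings.append((0, f"{required} missing: requests go out unsigned"))
    return findings

if __name__ == "__main__":
    for name, block in (("Example 1", EXAMPLE_1), ("Example 2", EXAMPLE_2)):
        for line_no, message in lint_s3_credentials(block):
            print(f"{name} line {line_no}: {message}")
```

Because it only reads the pipeline file, the check can run before `fly set-pipeline` without resolving any secret values.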