99designs / aws-vault

A vault for securely storing and accessing AWS credentials in development environments


On MacOS aws-vault: error: exec: Failed to get credentials for dev: operation error STS: AssumeRole, exceeded maximum number of attempts, 3, failed to sign request: failed to retrieve credentials: operation error STS: GetSessionToken, exceeded maximum number of attempts

kart-aiven opened this issue · comments

I am using aws-vault on MacOS Monterey version 12.5.1.
I set up aws-vault v6.6.0.

I am using assume role with mfa configured.
I have no issues connecting using awscli.

My aws config file is as below:

[default]
region = <myregion>
output = json
mfa_serial = arn:aws:iam::<xxxx>:mfa/user
[profile dev]
role_arn = arn:aws:iam::<awsaccno>:role/devaccess
source_profile = default
mfa_serial = arn:aws:iam::<xxxx>:mfa/user

I added the profile using aws-vault add default and it asks for the access key and secret, and then I get a popup to enter the keychain password, which I do, and then on the terminal: "Added credentials to profile "default" in vault"
aws-vault list shows the two profiles:
Profile Credentials Sessions
======= =========== ========
default default -
dev - -

When I do aws-vault exec dev -- aws s3 ls

It asks for my MFA 3 times and then gives me the following error:
aws-vault: error: exec: Failed to get credentials for dev: operation error STS: AssumeRole, exceeded maximum number of attempts, 3, failed to sign request: failed to retrieve credentials: operation error STS: GetSessionToken, exceeded maximum number of attempts, 3, https response error StatusCode: 0, RequestID: , request send failed, Post "https://sts.ap-southeast2.amazonaws.com/": dial tcp: lookup sts.ap-southeast2.amazonaws.com: no such host

From the debug output it seems that it found the account, but then the error pops up.
Tried aws-vault clear but no success.
Am I missing something here?

Below is the output of aws-vault --debug exec dev -- aws s3 ls

2022/08/31 12:35:33 aws-vault v6.6.0
2022/08/31 12:35:33 Loading config file /Users//.aws/config
2022/08/31 12:35:33 Parsing config file /Users//.aws/config
2022/08/31 12:35:33 [keyring] Considering backends: [keychain]
2022/08/31 12:35:33 [keyring] Querying keychain for service="aws-vault", keychain="aws-vault.keychain"
2022/08/31 12:35:33 [keyring] Found 1 results
2022/08/31 12:35:33 [keyring] Querying keychain for service="aws-vault", keychain="aws-vault.keychain"
2022/08/31 12:35:33 [keyring] Found 1 results
2022/08/31 12:35:33 profile default: using stored credentials
2022/08/31 12:35:33 profile default: using GetSessionToken (with MFA)
2022/08/31 12:35:33 profile dev: using AssumeRole (chained MFA)
2022/08/31 12:35:33 [keyring] Querying keychain for service="aws-vault", keychain="aws-vault.keychain"
2022/08/31 12:35:33 [keyring] Found 1 results
2022/08/31 12:35:33 [keyring] Querying keychain for service="aws-vault", keychain="aws-vault.keychain"
2022/08/31 12:35:33 [keyring] Found 1 results
2022/08/31 12:35:33 [keyring] Querying keychain for service="aws-vault", account="sts.GetSessionToken,ZGVmYXVsdA,YXJuOmF3czppYW06OjExMjgwMzc0NzQyNDptZmEva2FydGhpY2sucmFtYWxpbmdhbUBhaXZlbi5pbw,-62135596800", keychain="aws-vault.keychain"
2022/08/31 12:35:33 [keyring] No results found
Enter MFA code for arn:aws:iam::112803747424:mfa/karthick.ramalingam@aiven.io: 791416
2022/08/31 12:35:56 Looking up keyring for 'default'
2022/08/31 12:35:56 [keyring] Querying keychain for service="aws-vault", account="default", keychain="aws-vault.keychain"
2022/08/31 12:35:56 [keyring] Found item "aws-vault (default)"
2022/08/31 12:35:56 Looking up keyring for 'default'
2022/08/31 12:35:56 [keyring] Querying keychain for service="aws-vault", account="default", keychain="aws-vault.keychain"
2022/08/31 12:35:56 [keyring] Found item "aws-vault (default)"
2022/08/31 12:36:00 Looking up keyring for 'default'
2022/08/31 12:36:00 [keyring] Querying keychain for service="aws-vault", account="default", keychain="aws-vault.keychain"
2022/08/31 12:36:00 [keyring] Found item "aws-vault (default)"
2022/08/31 12:36:02 [keyring] Querying keychain for service="aws-vault", keychain="aws-vault.keychain"
2022/08/31 12:36:02 [keyring] Found 1 results
2022/08/31 12:36:02 [keyring] Querying keychain for service="aws-vault", keychain="aws-vault.keychain"
2022/08/31 12:36:02 [keyring] Found 1 results
2022/08/31 12:36:02 [keyring] Querying keychain for service="aws-vault", account="sts.GetSessionToken,ZGVmYXVsdA,YXJuOmF3czppYW06OjExMjgwMzc0NzQyNDptZmEva2FydGhpY2sucmFtYWxpbmdhbUBhaXZlbi5pbw,-62135596800", keychain="aws-vault.keychain"
2022/08/31 12:36:02 [keyring] No results found
Enter MFA code for arn:aws:iam::: 289348
2022/08/31 12:36:10 Looking up keyring for 'default'
2022/08/31 12:36:10 [keyring] Querying keychain for service="aws-vault", account="default", keychain="aws-vault.keychain"
2022/08/31 12:36:10 [keyring] Found item "aws-vault (default)"
2022/08/31 12:36:10 Looking up keyring for 'default'
2022/08/31 12:36:10 [keyring] Querying keychain for service="aws-vault", account="default", keychain="aws-vault.keychain"
2022/08/31 12:36:10 [keyring] Found item "aws-vault (default)"
2022/08/31 12:36:13 Looking up keyring for 'default'
2022/08/31 12:36:13 [keyring] Querying keychain for service="aws-vault", account="default", keychain="aws-vault.keychain"
2022/08/31 12:36:13 [keyring] Found item "aws-vault (default)"
2022/08/31 12:36:15 [keyring] Querying keychain for service="aws-vault", keychain="aws-vault.keychain"
2022/08/31 12:36:15 [keyring] Found 1 results
2022/08/31 12:36:15 [keyring] Querying keychain for service="aws-vault", keychain="aws-vault.keychain"
2022/08/31 12:36:15 [keyring] Found 1 results
2022/08/31 12:36:15 [keyring] Querying keychain for service="aws-vault", account="sts.GetSessionToken,ZGVmYXVsdA,YXJuOmF3czppYW06OjExMjgwMzc0NzQyNDptZmEva2FydGhpY2sucmFtYWxpbmdhbUBhaXZlbi5pbw,-62135596800", keychain="aws-vault.keychain"
2022/08/31 12:36:15 [keyring] No results found
Enter MFA code for arn:aws:iam::: 289525
2022/08/31 12:36:24 Looking up keyring for 'default'
2022/08/31 12:36:24 [keyring] Querying keychain for service="aws-vault", account="default", keychain="aws-vault.keychain"
2022/08/31 12:36:24 [keyring] Found item "aws-vault (default)"
2022/08/31 12:36:25 Looking up keyring for 'default'
2022/08/31 12:36:25 [keyring] Querying keychain for service="aws-vault", account="default", keychain="aws-vault.keychain"
2022/08/31 12:36:25 [keyring] Found item "aws-vault (default)"
2022/08/31 12:36:28 Looking up keyring for 'default'
2022/08/31 12:36:28 [keyring] Querying keychain for service="aws-vault", account="default", keychain="aws-vault.keychain"
2022/08/31 12:36:28 [keyring] Found item "aws-vault (default)"
aws-vault: error: exec: Failed to get credentials for dev: operation error STS: AssumeRole, exceeded maximum number of attempts, 3, failed to sign request: failed to retrieve credentials: operation error STS: GetSessionToken, exceeded maximum number of attempts, 3, https response error StatusCode: 0, RequestID: , request send failed, Post "https://sts.ap-southeast2.amazonaws.com/": dial tcp: lookup sts.ap-southeast2.amazonaws.com: no such host

I tried aws-vault --debug exec dev --no-session and also with no-session, but it just throws the error after asking for MFA once instead of 3 times.

Any help resolving this would be appreciated.

I could not find "aws-vault " in the keychain, but why does the debug show Found item "aws-vault (default)"?

Culprit found: the AWS region was entered incorrectly in the config; it should be ap-southeast-2.

ok sounds like this is resolved
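
A pre-flight check for the failure in this thread, added here as an example (not aws-vault's own code): it parses an AWS config, resolves each profile's region, and flags values such as ap-southeast2 that would yield an unresolvable STS host. SAMPLE_CONFIG, REGION_RE and the function names are constructed for illustration; inheriting the region through source_profile and the regex for a region's shape are assumptions.

```python
import configparser
import re

# Assumed shape of a region name (e.g. ap-southeast-2, us-gov-west-1);
# this is a format check, not an authoritative list of regions.
REGION_RE = re.compile(r"^[a-z]{2}(-[a-z]+)+-\d+$")

# Constructed sample mirroring the config in the issue, typo included.
SAMPLE_CONFIG = """\
[default]
region = ap-southeast2
output = json
mfa_serial = arn:aws:iam::<xxxx>:mfa/user

[profile dev]
role_arn = arn:aws:iam::<awsaccno>:role/devaccess
source_profile = default
mfa_serial = arn:aws:iam::<xxxx>:mfa/user
"""


def effective_region(cfg, profile):
    """Return the profile's region, following source_profile when unset."""
    seen = set()
    while profile and profile not in seen:  # guard against cyclic chains
        seen.add(profile)
        name = "default" if profile == "default" else f"profile {profile}"
        if not cfg.has_section(name):
            return None
        if "region" in cfg[name]:
            return cfg[name]["region"].strip()
        profile = cfg[name].get("source_profile")
    return None


def check_regions(config_text):
    """Return {profile: (region, sts_host, well_formed)} for every profile."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(config_text)
    report = {}
    for header in cfg.sections():
        prefix = "profile "
        profile = header[len(prefix):] if header.startswith(prefix) else header
        region = effective_region(cfg, profile)
        ok = bool(region and REGION_RE.fullmatch(region))
        host = f"sts.{region}.amazonaws.com" if region else None
        report[profile] = (region, host, ok)
    return report
```

Running check_regions on the text of ~/.aws/config before aws-vault exec surfaces a malformed region without spending MFA codes on retries that can never reach STS.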