AWS Credential rotator fails silently with no logs
PapoyEdits opened this issue
Summary
So we've been using Conjur-OSS for some time now, primarily to help with rotating AWS credentials, which has worked fine previously. But recently we noticed that the rotations have failed silently, and have done so for quite a long time, with no log messages that we could find as to why.
So I'm wondering, should there be logs printed about the rotator failure? Do we need to tweak the log level (didn't find if that was possible with OSS, though the Enterprise version said you could set an environment variable for it)?
Steps to Reproduce
Haven't tested it on a "clean" instance, but whenever we create a new set of variables (all according to docs) and initialize them with the AWS credentials (and the User has correct IAM permissions), they don't rotate. Existing variables that have been able to rotate previously have also stopped.
Expected Results
- First off, that the credentials should be rotated when variables according to https://docs.conjur.org/Latest/en/Content/Operations/Services/rotation-secrets.html?tocpath=Administration%7C_____2 exist and contain valid AWS credentials, and the AWS IAM User has the correct permissions.
- Second off, that if there is a failure in rotation, there should be clear log messages to help troubleshoot in the server logs.
Actual Results
Credentials are not rotated and no logs appear.
Reproducible
Always the same result for us, but haven't tested on a "clean" setup.
Version/Tag number
We're running rather old versions of the docker images (planning to update soon),
- conjur:1.11.6
- conjur-cli:5-6.2.3
Docker Engine Client/Server - 19.03.13
Environment setup
- Running on AWS EC2 RHEL 7 instances, using docker-compose
Hi @PapoyEdits, thanks for submitting this issue. Did anything change when the rotations stopped working?
As these things go, after a couple of restarts, the rotation magically started working again, so closing this.