I am using aws codecommit as a repo for config-repo
I am facing an intermittent issue with connecting to git(codecommit) backend.
When I try to connect with Git credentials it works but not with IAM access and secret key. It says git upload pack not permitted.
But for some time it works with IAM access and secret key and not with Git credentials vice-versa.
error log
Caused by: org.eclipse.jgit.errors.TransportException: https://git-codecommit.<region>.amazonaws.com/v1/repos/<my-repo>:
git-upload-pack not permitted on 'https://git-codecommit.<region>.amazonaws.com/v1/repos/<my-repo>/'
As per official documentation, it says
If you provide a username and password with an AWS CodeCommit URI,
they must be the AWS accessKeyId and secretAccessKey that provide
access to the repository. If you do not specify a username and
password, the accessKeyId and secretAccessKey are retrieved by using
the AWS Default Credential Provider Chain.
Application.yml
spring:
profiles: dev
cloud:
config:
server:
encrypt.enabled: false
git:
# Https
uri: https://git-codecommit.<region>.amazonaws.com/v1/repos/<my-repo>
force-pull: true
clone-on-start: true
default-label: master
searchPaths: dev, stag, prod
# ---- IAM Access/secret ----
#username: 'AKI***************O6'
#password: 'Fz+*************************csJQ'
# ---- Git credentials ----
username: '<my-repo>-at-18*********72'
password: '0Z0X*****************************bUB5w='
autoconfigure:
exclude: org.springframework.cloud.aws.autoconfigure.context.ContextStackAutoConfiguration
I was able to run the app with either of them but it stops working in meantime, I can not figure out the reason for why it's not working with IAM credentials.
Dependency version
spring-boot-starter-parent: 2.3.2.RELEASE
spring-cloud-dependencies: Hoxton.SR7
spring-cloud-config: 2.2.4.RELEASE
Related
I want to fetch configuration properties from Parameter Store on boostrap application, for that I am using io.awspring.cloud:spring-cloud-starter-aws-parameter-store-config:2.3.3 and I run the same configuration on Windows where it works but on linux ec2 instance or WSL2 I am receiving below error message:
AwsParameterPropertySourceNotFoundException: com.amazonaws.SdkClientException: Unable to load AWS credentials from any provider in the chain: [EnvironmentVariableCredentialsProvider: Unable to load AWS credentials from environment variables (AWS_ACCESS_KEY_ID (or AWS_ACCESS_KEY) and AWS_SECRET_KEY (or AWS_SECRET_ACCESS_KEY))
but before run it I am doing
export AWS_ACCESS_KEY_ID="xxxx"
export AWS_SECRET_ACCESS_KEY="xxxxx"
I also verify it using printenv and yes they are there. So the question is why I am receiving ...Unable to load AWS credentials from environment variables AWS_ACCESS_KEY_ID or AWS_SECRET_ACCESS_KEY...does anyone know?
EDIT:
Forgot to mention but I use
io.awspring.cloud:spring-cloud-starter-aws-parameter-store-config
with configuration:
cloud:
aws:
credentials:
access-key: ${AWS_ACCESS_KEY_ID}
secret-key: ${AWS_SECRET_ACCESS_KEY}
region:
static: eu-west-1
auto: false
use-default-aws-region-chain: true
stack:
auto: false
But underhood it use DefaultAWSCredentialsProviderChain so it should works like AWS SDK for Java
I have an spring boot application .jar, based on spring batch,and it is not a web application, and I'm using a ksh script to Launch it on my server side.
for some performance observation, we decide to install Spring Boot Admin for this app, using a "sba.war" that is already deployed in another web application on another server, I tried to drop the sba.war beside my applicationBatch.war after updating the application.yml file and import the SBA dependency on my build.gradle file :
spring:
datasource:
# BDD DEV
url: jdbc:oracle:thin:#xxxx:9999:AAAAA
username: xxxxxx
password: xxxxxx
# SBA DEV
boot:
admin:
client:
enabled: true
instance:
service-base-url: https://xxxxx.com
url: https://xxxxx.com/sba
username: username
password: password
so the problem is, that my application is not deployed on a tomcat server, it is runned by the ksh script on it's embeded server.
So can I anyhow use the embeded server of SBA to run it ?
I cannot connect to DynamoDB that is running local using cli.
aws dynamodb list-tables --endpoint-url http://localhost:8000
Could not connect to the endpoint URL: "http://localhost:8000/"
This doesn't work either:
aws dynamodb list-tables --region local
Could not connect to the endpoint URL: "http://localhost:8000/"
I tried using a different port and that didn't help. I disabled all proxies too.
I am able to connect to DynamoDB using an application like this so I know it's not a dynamodb issue:
aws dynamodb list-tables --endpoint-url http://dynamodb.us-west-2.amazonaws.com --region us-west-2
{
"TableNames": [
"Music"
]
}
ðŸ˜ðŸ˜ðŸ˜
When you run
java -Djava.library.path=./DynamoDBLocal_lib -jar DynamoDBLocal.jar -sharedDb
command from your terminal make sure output will be like below and no service will be running on port 8000:
Initializing DynamoDB Local with the following configuration:
Port: 8000
InMemory: false
DbPath: null
SharedDb: true
shouldDelayTransientStatuses: false
CorsParams: *
It means, this service running successfully on port 8000.
DynamoDB requires any/fake credentials to work.
AWS Access Key ID: "fakeMyKeyId"
AWS Secret Access Key: "fakeSecretAccessKey"
then try below command to list tables.
aws dynamodb list-tables --endpoint-url http://localhost:8000
The error in your logs is the key here Caused by: java.lang.UnsatisfiedLinkError: no sqlite4java-osx-x86_64 in java.library.path: [.]
This means that the specific dependency cannot be located.
The link that Saranjeet provided has a few solutions. I prefer this solution for testing:
First, you need to download the zip file from offcial website. Unzip the file, copy all the *.dll, *.dylib, *.so to a folder under your project root. Say, src/test/resources/libs.
Then, add the code
System.setProperty("sqlite4java.library.path", "src/test/resources/libs/");
before you initialize a local instance of AmazonDynamoDB.
I am trying to use HashiCorp Vault using Spring Cloud Vault on Spring Boot project. I configured my bootstrap.yml file to use app role and secret id to get passwords
bootstrap.yml
spring:
application:
name: pres
cloud:
vault:
authentication: APPROLE
app-role:
role-id: ${role-id}
secret-id: ${secret-id}
role: pres-read
app-role-path: approle
uri: https://hostname:8200
kv:
enabled: true
backend: secret
application-name: pres
profiles:
include: dev
During startup I get the following exception
org.springframework.vault.authentication.VaultLoginException: Cannot login using org.springframework.web.client.ResourceAccessException: I/O error on POST request for "https://hostname:8200/v1/auth/approle/login": extension (5) should not be presented in certificate_request; nested exception is javax.net.ssl.SSLHandshakeException: extension (5) should not be presented in certificate_request
I am using spring-cloud-starter-vault-config dependency to access the vault
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-vault-config</artifactId>
<version> 2.2.2.RELEASE</version>
</dependency>
Okay. It looks like this is a Java TLS Bug, hoping java team will fix this in Java 11.0.8.
Update: The issue was fixed in latest Java 11 versions
I am trying to run a spring cloud config application inside a docker container spawned by ECS. I am having issues correctly setting this up so that the meta data is used to clone the git repo from CodeCommit
I have the following settings
pom.xml dependencies
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-config-server</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-aws</artifactId>
</dependency>
application.yml
# some other non related settings such as port
spring:
cloud:
config:
server:
git:
uri: https://git-codecommit.eu-central-1.amazonaws.com/v1/repos/<repo name>
skip-ssl-validation: true
cloud:
aws:
credentials:
instance-profile: true
stack:
auto: false
in the docker logs I can find the following
2019-04-25 16:37:54.209 WARN 1 --- [nio-5000-exec-1] .c.s.e.MultipleJGitEnvironmentRepository : Error occured cloning to base directory.
org.eclipse.jgit.api.errors.TransportException: https://git-codecommit.eu-central-1.amazonaws.com/v1/repos/<repo name>: git-upload-pack not permitted on 'https://git-codecommit.eu-central-1.amazonaws.com/v1/repos/<repo name>/'
If I am understanding this correctly; according to the spring cloud config documentation, when you use a CodeCommit git url and don't specify a username and password, it should automatically default to the AWS Credentials Chain, which has instance profile credentials as the final option.
If you provide a username and password with an AWS CodeCommit URI, they must be the AWS accessKeyId and secretAccessKey that provide access to the repository.
If you do not specify a username and password, the accessKeyId and secretAccessKey are retrieved by using the AWS Default Credential Provider Chain.