
Error "Could not verify credential" while trying to add credentials in cloudbreak


Hi,

I am trying to do something very basic in Cloudbreak and keep getting this error, so I am wondering if someone can point me in the right direction.

I am trying to add credentials in Cloudbreak for cluster provisioning. So far, what I have done is:

  1. I have created an AWS instance for Cloudbreak with user x in AWS.
  2. Created an IAM user=cloudbreak and an IAM role (role definition below) and created an instance profile for the IAM role.
  3. Assigned the instance profile to the Cloudbreak instance.
  4. Set up Cloudbreak on the instance from #1 following the documentation.
  5. Now I want to add a credential in Cloudbreak with roleArn set to what I created in #2, and I have added aws_access_key and aws_secret_key of the user from #2 to the environment and in the Profile file. Ran cbd generate and cbd start afterwards.
  6. From the cbd shell/web UI I try to add credentials as shown in the CBD shell command below, but I keep getting the error that the key and secret environment variables are not set. I have verified that the cbd environment show command does list them correctly.
  7. I also tried overwriting docker-compose.yml to set those variables explicitly in the cloudbreak/environment section. But when I do cbd kill and cbd start, it forces me to run cbd regenerate, and if I do that then I lose what I set explicitly.
This is how my role looks:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "${aws_iam_user.cloudbreak.arn}"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "provision-ambari"
        }
      }
    }
  ]
}
CBD Shell Command
credential create --AWS --name cloudbreak --roleArn "arn:aws:iam::xxxx:role/cloudbreak-access" --accessKey xxxxx --secretKey "xxxxxx"  --sshKeyString "xxxxx" --publicInAccount true

Command failed java.lang.RuntimeException: Failed to verify the credential: Could not verify credential [credential: 'cloudbreak'], detailed message: The 'AWS_ACCESS_KEY_ID' and 'AWS_SECRET_ACCESS_KEY' environment variables must be set or an instance profile role should be available.

I have been stuck on this for a few days now. Any help with this will be really appreciated.

Thanks & Regards,

Atul Aggarwal

1 ACCEPTED SOLUTION

Contributor

Hi @Atul Aggarwal,

You have 2 options: using key-based or role-based credentials.

Key-based credential:

  • You can set the AWS keys of an IAM user that has an "AssumeRole" policy in the Profile file. In this case you don't need the instance profile:
export AWS_ACCESS_KEY_ID=AKIA**************W7SA
export AWS_SECRET_ACCESS_KEY=RWCT4Cs8******************/*skiOkWD
  • This IAM user has the generate-role policy next to the assume-role policy.
  • In this case you can use the following cbd commands to generate an IAM role for Cloudbreak:
cbd aws generate-role  - Generates an AWS IAM role for Cloudbreak provisioning on AWS
cbd aws show-role      - Show assumers and policies for an AWS role
cbd aws delete-role    - Deletes an AWS IAM role, removes all inline policies
  • After the role generation you can use the generated role for the credential creation from cb shell:

credential create --AWS --name cloudbreak --roleArn "arn:aws:iam::xxxx:role/cbreak-deployer" --sshKeyString "xxxxx" --publicInAccount true

If you use the roleArn for credential creation, you don't need to use the accesskey and secretkey in the command.

Role-based credential:

  • You can create an IAM user with "AssumeRole" policy. The "generate-role" policy will be necessary here as well.
  • To configure role-based credentials, start your instance with an "AssumeRole" policy. For more information, see Using Instance Profiles and Using an IAM Role to Grant Permissions to Applications Running on Amazon EC2 Instances.
  • In this case you don't need to set the AWS access key and secret key in the Profile file.
  • After this, steps 3-4 from the key-based credential section have to be executed.

You can find the details in the documentation here:

http://sequenceiq.com/cloudbreak-docs/latest/aws/#configure-role-based-credentials

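To make the two failure modes in this thread concrete, here is an added example (not code from the thread, Cloudbreak or its deployer) written from a defender's point of view. It reproduces the credential-source decision behind the "environment variables must be set or an instance profile role should be available" error, and it audits a role trust policy shaped like the one in the question: the principal must be exactly the intended IAM user, no wildcard principal may assume the role, and the sts:ExternalId condition (the confused-deputy protection the question relies on) must be present and match. The account ID 123456789012, the user ARN, and the function names are assumptions; the Terraform placeholder from the question is replaced by a constructed ARN.

```python
import json

# Constructed sample: the trust policy from the question, with the Terraform
# interpolation "${aws_iam_user.cloudbreak.arn}" replaced by a placeholder ARN.
SAMPLE_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::123456789012:user/cloudbreak"},
      "Action": "sts:AssumeRole",
      "Condition": {"StringEquals": {"sts:ExternalId": "provision-ambari"}}
    }
  ]
}
""")


def credential_source(env, instance_profile_available=False):
    """Mirror the decision behind the error in the question (assumed logic).

    The verifier needs either both AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
    in the container environment, or an instance profile on the host.
    Returns "keys", "instance-profile", or None when neither is usable.
    """
    key_id = env.get("AWS_ACCESS_KEY_ID", "").strip()
    secret = env.get("AWS_SECRET_ACCESS_KEY", "").strip()
    if key_id and secret:
        return "keys"
    if instance_profile_available:
        return "instance-profile"
    return None


def _as_list(value):
    # IAM allows a single string or a list for Principal/Action values.
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy, expected_principal_arn, expected_external_id):
    """Return a list of findings for a role trust policy; empty means it passes."""
    findings = []
    allow_statements = [
        s for s in policy.get("Statement", [])
        if s.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(s.get("Action", []))
    ]
    if not allow_statements:
        findings.append("no Allow statement grants sts:AssumeRole")
        return findings
    for stmt in allow_statements:
        principal = stmt.get("Principal", {})
        # Principal may be the bare string "*" or a map with an "AWS" entry.
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if "*" in principals:
            findings.append("wildcard principal may assume the role")
        if expected_principal_arn not in principals:
            findings.append(f"expected principal {expected_principal_arn} is not trusted")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append("sts:ExternalId condition missing (confused-deputy protection)")
        elif ext != expected_external_id:
            findings.append(f"sts:ExternalId is {ext!r}, expected {expected_external_id!r}")
    return findings


if __name__ == "__main__":
    # Constructed environments: the failing case from the question and a fixed one.
    print(credential_source({}, instance_profile_available=False))
    print(credential_source({"AWS_ACCESS_KEY_ID": "AKIAEXAMPLE",
                             "AWS_SECRET_ACCESS_KEY": "constructed-secret"}))
    print(audit_trust_policy(SAMPLE_TRUST_POLICY,
                             "arn:aws:iam::123456789012:user/cloudbreak",
                             "provision-ambari"))
```

Run it against a trust policy exported from the console (json.load of the saved document) with the ARN of the IAM user that holds the keys in the Profile file; a non-empty findings list explains why an AssumeRole from that user would be refused even when the keys themselves are valid.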

3 REPLIES 3



Thanks @fschneider! I am trying to follow the steps you gave. It is almost what I did for role-based credentials, except I hadn't assigned the user the assume-role policy. But I think Hortonworks S3 has not been working for the past couple of hours, so I cannot try it again after the recommendations.

This is giving me internal error.

curl -Ls s3.amazonaws.com/public-repo-1.hortonworks.com/HDP/cloudbreak/cloudbreak-deployer_1.6.3_$(uname)_x86_64.tgz

I will try when this will start working.

Thanks & Regards, Atul Aggarwal


Thanks @fschneider! I was doing role-based credentials and I was able to get around the error, but I had to put the access keys in the Profile file. If I don't do it, I always get the error. From my previous steps I realized I forgot to add the policy for the user.

Thanks & Regards

Atul Aggarwal