Support Questions

Find answers, ask questions, and share your expertise

Horotonworks Data Cloud error autoscaling token expired

avatar

I am provisioning a cluster using version 1.14.0 of Hortonworks Data Cloud. The Autoscaling status slider is in the off position, but cluster provisioning fails with the following error on the auto scaling token:

Infrastructure creation failed. Reason: com.amazonaws.AmazonServiceException: The security token included in the request is expired (Service: AmazonAutoScaling; Status Code: 403; Error Code: ExpiredToken; Request ID: cf2aebb0-2cec-11e7-8985-4100dda4669c)

The autoscaling tab on the failed cluster in the cloud controller, shows the cluster trying to autoscale to 3 nodes:

1 ACCEPTED SOLUTION

avatar

In case this helps, back in March I got this error when using HDP 2.5 EDW-ETL in us-east.

In my case, for some reason the infrastructure creation took too long (1 hour instead of 5 minutes) and the security token expired during that time.

In addition to what Jeff said, it may help to check the CloudFormation UI on the AWS console, find your stack and post the data from the “Events” and “Resources” tabs.

14971-unknown.png

View solution in original post

25 REPLIES 25

avatar
Explorer

Thanks @Dominika Bialek I'm using 1.14.1. Unfortunately I'm stuck in US east since all our other infra is there.

avatar

Oh 😞 The last thing that I can think of is that this is related to the instance type so you could try using a different type than default.

@Marton Sereg @Attila Kanto I can reproduce this error. I don't see anything unusual in the CloudFormation console (It showed AutoScaling group creation in progress). Could you recommend which cloudbreak log to access and what to look for? I accessed /var/lib/cloudbreak-deployment/cbreak.log on the cloud controller instance but wasn't sure what to look for. Here is what I found:

/cbreak_identity_1 | [2017-05-02 20:09:45.851] cloudfoundry-identity-server - ???? [http-nio-8080-exec-5] .... DEBUG --- UaaRequestMatcher: [oauthAuthorizeRequestMatcher] Checking match of request : '/check_token'; '/oauth/authorize' with parameters={response_type=token, source=credentials} and headers {accept=[application/json, application/x-www-form-urlencoded]}
/cbreak_identity_1 | [2017-05-02 20:09:45.852] cloudfoundry-identity-server - ???? [http-nio-8080-exec-5] .... DEBUG --- UaaRequestMatcher: [oauthAuthorizeApiRequestMatcher] Checking match of request : '/check_token'; '/oauth/authorize' with parameters={response_type=code, client_id=} and headers {Authorization=[bearer ]}
/cbreak_identity_1 | [2017-05-02 20:09:45.853] cloudfoundry-identity-server - ???? [http-nio-8080-exec-5] .... DEBUG --- UaaRequestMatcher: [xOauthCallbackRequestMatcher] Checking match of request : '/check_token'; '/login/callback' with parameters={code=} and headers {}
/cbreak_identity_1 | [2017-05-02 20:09:45.853] cloudfoundry-identity-server - ???? [http-nio-8080-exec-5] .... DEBUG --- UaaRequestMatcher: [oauthAuthorizeRequestMatcherOld] Checking match of request : '/check_token'; '/oauth/authorize' with parameters={response_type=token, credentials={} and headers {accept=[application/json, application/x-www-form-urlencoded]}
/cbreak_identity_1 | [2017-05-02 20:09:45.851] cloudfoundry-identity-server - ???? [http-nio-8080-exec-9] .... DEBUG --- UaaRequestMatcher: [loginAuthenticateRequestMatcher] Checking match of request : '/check_token'; '/authenticate' with parameters={} and headers {Authorization=[bearer ], accept=[application/json]}
/cbreak_identity_1 | [2017-05-02 20:09:45.854] cloudfoundry-identity-server - ???? [http-nio-8080-exec-9] .... DEBUG --- UaaRequestMatcher: [loginAuthorizeRequestMatcher] Checking match of request : '/check_token'; '/oauth/authorize' with parameters={source=login} and headers {accept=[application/json]}
/cbreak_identity_1 | [2017-05-02 20:09:45.855] cloudfoundry-identity-server - ???? [http-nio-8080-exec-9] .... DEBUG --- UaaRequestMatcher: [loginTokenRequestMatcher] Checking match of request : '/check_token'; '/oauth/token' with parameters={source=login, grant_type=password, add_new=} and headers {Authorization=[bearer ], accept=[application/json]}
/cbreak_identity_1 | [2017-05-02 20:09:45.855] cloudfoundry-identity-server - ???? [http-nio-8080-exec-9] .... DEBUG --- UaaRequestMatcher: [loginAuthorizeRequestMatcherOld] Checking match of request : '/check_token'; '/oauth/authorize' with parameters={login={} and headers {accept=[application/json]}
/cbreak_identity_1 | [2017-05-02 20:09:45.856] cloudfoundry-identity-server - ???? [http-nio-8080-exec-9] .... DEBUG --- UaaRequestMatcher: [passcodeTokenMatcher] Checking match of request : '/check_token'; '/oauth/token' with parameters={grant_type=password, passcode=} and headers {accept=[application/json, application/x-www-form-urlencoded]}
/cbreak_identity_1 | [2017-05-02 20:09:45.856] cloudfoundry-identity-server - ???? [http-nio-8080-exec-9] .... DEBUG --- UaaRequestMatcher: [oauthAuthorizeRequestMatcher] Checking match of request : '/check_token'; '/oauth/authorize' with parameters={response_type=token, source=credentials} and headers {accept=[application/json, application/x-www-form-urlencoded]}
/cbreak_identity_1 | [2017-05-02 20:09:45.857] cloudfoundry-identity-server - ???? [http-nio-8080-exec-9] .... DEBUG --- UaaRequestMatcher: [oauthAuthorizeApiRequestMatcher] Checking match of request : '/check_token'; '/oauth/authorize' with parameters={response_type=code, client_id=} and headers {Authorization=[bearer ]}
/cbreak_identity_1 | [2017-05-02 20:09:45.857] cloudfoundry-identity-server - ???? [http-nio-8080-exec-9] .... DEBUG --- UaaRequestMatcher: [xOauthCallbackRequestMatcher] Checking match of request : '/check_token'; '/login/callback' with parameters={code=} and headers {}
/cbreak_identity_1 | [2017-05-02 20:09:45.858] cloudfoundry-identity-server - ???? [http-nio-8080-exec-9] .... DEBUG --- UaaRequestMatcher: [oauthAuthorizeRequestMatcherOld] Checking match of request : '/check_token'; '/oauth/authorize' with parameters={response_type=token, credentials={} and headers {accept=[application/json, application/x-www-form-urlencoded]}
/cbreak_identity_1 | [2017-05-02 20:09:45.860] cloudfoundry-identity-server - ???? [http-nio-8080-exec-5] .... DEBUG --- DisableIdTokenResponseTypeFilter: Processing id_token disable filter
/cbreak_identity_1 | [2017-05-02 20:09:45.861] cloudfoundry-identity-server - ???? [http-nio-8080-exec-9] .... DEBUG --- DisableIdTokenResponseTypeFilter: Processing id_token disable filter
/cbreak_identity_1 | [2017-05-02 20:09:45.862] cloudfoundry-identity-server - ???? [http-nio-8080-exec-9] .... DEBUG --- DisableIdTokenResponseTypeFilter: pre id_token disable:false pathinfo:null request_uri:/check_token response_type:null
/cbreak_identity_1 | [2017-05-02 20:09:45.862] cloudfoundry-identity-server - ???? [http-nio-8080-exec-9] .... DEBUG --- DisableIdTokenResponseTypeFilter: post id_token disable:false pathinfo:null request_uri:/check_token response_type:null

avatar
Explorer

Thanks @Dominika Bialek For some reason I can't post questions in the Data Cloud track even though we've been an HDP customer with an AWS cluster running since last Nov. Is there anything I can do to help figure out why this is happening?

avatar

Hi @DL Did you follow the instructions at http://docs.hortonworks.com/HDPDocuments/HDCloudAWS/HDCloudAWS-1.14.1/bk_hdcloud-aws/content/gethelp... to sign up for the Hortonworks Data Cloud track? If not, you need to do that first. If yes, then maybe we can create a separate question about this.

avatar
Explorer

@Dominika BialekI did but it said I already had an account with my work email and wouldn't let me do anything. Do I have to somehow delete this account and start all over?

avatar

@jeff @Julia Ostrowski Can you help?

avatar
Rising Star

@cduby @DL

If you're using spot instances, can you try to increase the bid price, or without spot instances first?

I can see on the screenshots that infrastructure creation is taking more than an hour (it should be around 5 mins with on-demand instances, and a few mins more with spot priced instances). You can try to check the spot requests page and see if there are any messages there, like "request is pending".

So the main problem is that infra creation is taking too much time and that's why the temporary credentials used by HDC are expired - it is still a bug because spot instance requests can sometimes take more than an hour to fulfill and HDC should be able to handle that.

But for now as a workaround you should find out what is taking too long (my guess is spot requests), and change the cluster configuration according to that - different instance types, bid price, etc..

avatar
Explorer

I have spot instances unchecked so it shouldn't be using them at all, but it seems to be. I also tried to add a worker late last night and no luck (same timeout after an hour). I terminated the cluster (for the third time). Will try again and take screenshots

avatar
Explorer

Trying now. Spot is unchecked, autoscaling unchecked, here is the json:

{ "ClusterName": "cluster-6", "HDPVersion": "2.6", "ClusterType": "EDW-ETL: Apache Hive 1.2.1, Apache Spark 2.1", "Master": { "InstanceType": "r3.xlarge", "VolumeType": "ephemeral", "VolumeSize": 80, "VolumeCount": 1 }, "Worker": { "InstanceType": "r3.xlarge", "VolumeType": "gp2", "VolumeSize": 500, "VolumeCount": 1, "InstanceCount": 4, "RecoveryMode": "AUTO" }, "Compute": { "InstanceType": "m3.xlarge", "VolumeType": "ephemeral", "VolumeSize": 40, "VolumeCount": 2, "InstanceCount": 0, "RecoveryMode": "AUTO" }, "SSHKeyName": "xxx-pem", "RemoteAccess": "x.x.x.x/32", "WebAccess": true, "HiveJDBCAccess": true, "ClusterComponentAccess": true, "ClusterAndAmbariUser": "admin", "ClusterAndAmbariPassword": "", "Tags": {}, "Autoscaling": { "Configurations": { "CooldownTime": 30, "ClusterMinSize": 3, "ClusterMaxSize": 100 } }, "InstanceRole": "CREATE" }

avatar

@Marton Sereg I was not using spot instances but perhaps the setting is not read properly?