Java: AWS was not able to validate the provided access credentials

Notice: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use and share it, but you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me): StackOverFlow original URL: http://stackoverflow.com/questions/27685288/

Time: 2020-11-02 12:13:32  Source: igfitidea

AWS was not able to validate the provided access credentials

java amazon-web-services amazon-ec2 amazon-s3 aws-sdk

Asked by Sunil Gulabani

I have been trying to create Security Group using AWS SDK, but somehow it fails to authenticate it. For the specific Access Key and Secret Key, I have provided the Administrative rights, then also it fails to validate. On the other side, I tried the same credentials on AWS S3 Example, it successfully executes.

Getting following error while creating security group:

com.amazonaws.AmazonServiceException: AWS was not able to validate the provided access credentials (Service: AmazonEC2; Status Code: 401; Error Code: AuthFailure; Request ID: 1584a035-9a88-4dc7-b5e2-a8b7bde6f43c)
    at com.amazonaws.http.AmazonHttpClient.handleErrorResponse(AmazonHttpClient.java:1077)
    at com.amazonaws.http.AmazonHttpClient.executeOneRequest(AmazonHttpClient.java:725)
    at com.amazonaws.http.AmazonHttpClient.executeHelper(AmazonHttpClient.java:460)
    at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:295)
    at com.amazonaws.services.ec2.AmazonEC2Client.invoke(AmazonEC2Client.java:9393)
    at com.amazonaws.services.ec2.AmazonEC2Client.createSecurityGroup(AmazonEC2Client.java:1146)
    at com.sunil.demo.ec2.SetupEC2.createSecurityGroup(SetupEC2.java:84)
    at com.sunil.demo.ec2.SetupEC2.main(SetupEC2.java:25)

Here is the Java Code:


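import java.util.ArrayList;
import java.util.Collection;

import com.amazonaws.AmazonClientException;
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.regions.Region;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.ec2.AmazonEC2Client;
import com.amazonaws.services.ec2.model.AuthorizeSecurityGroupIngressRequest;
import com.amazonaws.services.ec2.model.CreateSecurityGroupRequest;
import com.amazonaws.services.ec2.model.CreateSecurityGroupResult;
import com.amazonaws.services.ec2.model.IpPermission;

public class SetupEC2 {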
    AWSCredentials credentials = null;
    AmazonEC2Client amazonEC2Client ;

    public static void main(String[] args) {
        SetupEC2 setupEC2Instance = new SetupEC2();
        setupEC2Instance.init();
        setupEC2Instance.createSecurityGroup();
    }

    public void init(){
        // Initialize AWS credentials
        try {
            credentials = new BasicAWSCredentials("XXXXXXXX", "XXXXXXXXX");
        } catch (Exception e) {
            throw new AmazonClientException(
                    "Cannot load the credentials from the credential profiles file. " +
                            "Please make sure that your credentials file is at the correct " +
                            "location (/home/sunil/.aws/credentials), and is in valid format.",
                            e);
        }

        // Initialize EC2 instance
        try {
            amazonEC2Client = new AmazonEC2Client(credentials);
            amazonEC2Client.setEndpoint("ec2.ap-southeast-1.amazonaws.com");
            amazonEC2Client.setRegion(Region.getRegion(Regions.AP_SOUTHEAST_1));
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    public boolean createSecurityGroup(){
        boolean securityGroupCreated = false;
        String groupName = "sgec2securitygroup";
        String sshIpRange = "0.0.0.0/0";
        String sshprotocol = "tcp";
        int sshFromPort = 22;
        int sshToPort =22;

        String httpIpRange = "0.0.0.0/0";
        String httpProtocol = "tcp";
        int httpFromPort = 80;
        int httpToPort = 80;

        String httpsIpRange = "0.0.0.0/0";
        String httpsProtocol = "tcp";
        int httpsFromPort = 443;
        int httpsToProtocol = 443;

        try {
            CreateSecurityGroupRequest createSecurityGroupRequest =  new CreateSecurityGroupRequest();
            createSecurityGroupRequest.withGroupName(groupName).withDescription("Created from AWS SDK Security Group");
            createSecurityGroupRequest.setRequestCredentials(credentials);

            CreateSecurityGroupResult csgr = amazonEC2Client.createSecurityGroup(createSecurityGroupRequest);

            String groupid = csgr.getGroupId();
            System.out.println("Security Group Id : " + groupid);

            System.out.println("Create Security Group Permission");
            Collection<IpPermission> ips = new ArrayList<IpPermission>();
            // Permission for SSH; sshIpRange is 0.0.0.0/0, so port 22 is open to any address, not only your IP
            IpPermission ipssh = new IpPermission();
            ipssh.withIpRanges(sshIpRange).withIpProtocol(sshprotocol).withFromPort(sshFromPort).withToPort(sshToPort);
            ips.add(ipssh);

            // Permission for HTTP, any one can access
            IpPermission iphttp = new IpPermission();
            iphttp.withIpRanges(httpIpRange).withIpProtocol(httpProtocol).withFromPort(httpFromPort).withToPort(httpToPort);
            ips.add(iphttp);

            // Permission for HTTPS, anyone can access
            IpPermission iphttps = new IpPermission();
            iphttps.withIpRanges(httpsIpRange).withIpProtocol(httpsProtocol).withFromPort(httpsFromPort).withToPort(httpsToProtocol);
            ips.add(iphttps);

            System.out.println("Attach Owner to security group");
            // Register this security group with owner
            AuthorizeSecurityGroupIngressRequest authorizeSecurityGroupIngressRequest = new AuthorizeSecurityGroupIngressRequest();
            authorizeSecurityGroupIngressRequest.withGroupName(groupName).withIpPermissions(ips);
            amazonEC2Client.authorizeSecurityGroupIngress(authorizeSecurityGroupIngressRequest);
            securityGroupCreated = true;
        } catch (Exception e) {
            // TODO: handle exception
            e.printStackTrace();
            securityGroupCreated = false;
        }
        System.out.println("securityGroupCreated: " + securityGroupCreated);
        return securityGroupCreated;
    }
}

Answered by M. R?thenmund

Try to update your system time.

When the difference between the AWS datetime and your datetime is too big, the credentials will not be accepted.

For Debian/Ubuntu users:

If you have never set your time zone, you can do this with:

sudo dpkg-reconfigure tzdata

Stop the ntp service, because time differences that are too large cannot be corrected by the running service.

sudo /etc/init.d/ntp stop

Synchronize your time and date (-q: set the time and quit / run only once) (-g: allow the first adjustment to be big) (-x: slew up to 600 seconds / also adjust times with large differences) (-n: do not fork / the process will not go to the background)

sudo ntpd -q -g -x -n

Restart the service

sudo /etc/init.d/ntp start

Check the actual system-datetime

sudo date

Set system-datetime to your hardware-datetime

sudo hwclock --systohc

Show your hardware-datetime

sudo hwclock
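
Before restarting ntp or rotating keys, the clock-skew diagnosis from the answer above can be confirmed by comparing the local UTC clock with the Date header of an HTTPS response. This is an added example, not part of the original answer; the function names, the 300-second tolerance and the sample headers are assumptions constructed for illustration.

```shell
# Added example: measure local clock skew against an HTTP Date header.
MAX_SKEW=300   # assumed tolerance in seconds; the answer only says "too big"

# "Mon, 02 Nov 2020 12:13:32 GMT" -> Unix epoch seconds (pure awk, no GNU date)
http_date_to_epoch() {
    printf '%s\n' "$1" | awk '{
        m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", $3) + 2) / 3
        if (NF < 5 || m < 1 || m != int(m)) exit 1
        split($5, t, ":"); y = $4 + 0; d = $2 + 0
        if (m <= 2) y -= 1                      # count the year from 1 March
        era = int(y / 400); yoe = y - era * 400
        doy = int((153 * (m > 2 ? m - 3 : m + 9) + 2) / 5) + d - 1
        days = era * 146097 + yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy - 719468
        printf "%d\n", days * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
    }'
}

# Print the value of the first Date header found in raw response headers on stdin
extract_date_header() {
    tr -d '\r' | awk 'tolower($1) == "date:" { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# skew_seconds <remote_epoch> <local_epoch> -> absolute difference in seconds
skew_seconds() {
    d=$(( $2 - $1 ))
    if [ "$d" -lt 0 ]; then d=$(( 0 - d )); fi
    echo "$d"
}

# check_skew <raw_headers> <local_epoch>: 0 = within MAX_SKEW, 1 = too far, 2 = no usable Date
check_skew() {
    remote=$(printf '%s\n' "$1" | extract_date_header)
    [ -n "$remote" ] || { echo "no Date header found" >&2; return 2; }
    remote_epoch=$(http_date_to_epoch "$remote") || return 2
    skew=$(skew_seconds "$remote_epoch" "$2")
    echo "skew=${skew}s limit=${MAX_SKEW}s"
    [ "$skew" -le "$MAX_SKEW" ]
}

# Constructed sample response headers (not captured from AWS)
SAMPLE_HEADERS='HTTP/1.1 200 OK
Date: Mon, 02 Nov 2020 12:13:32 GMT
Content-Length: 0'

# Constructed local clock, about 63 minutes ahead of the sample header
check_skew "$SAMPLE_HEADERS" 1604323000 || echo "clock skew too large: sync time first"
# Live use (needs network): any HTTPS response carrying a Date header will do
# check_skew "$(curl -sI https://ec2.ap-southeast-1.amazonaws.com)" "$(date -u +%s)"
```

A skew within the limit points away from the clock and back toward the keys themselves, which is the case the later answers cover.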

Answered by ozOli

If you put your credentials in ~/.aws/credentials then you don't need to provide a parameter to your AmazonEC2Client call. If you do this then on an EC2 instance the same code will work with Assumed STS roles.

For more info see: http://docs.aws.amazon.com/AWSSdkDocsJava/latest/DeveloperGuide/credentials.html

Answered by Vietnhi Phuvan

"A client error (AuthFailure) occurred when calling the [Fill-in the blanks] operation: AWS was not able to validate the provided access credentials"

  1. If you are confident of the validity of AWS credentials i.e. access key and secret key and corresponding profile name, your date and time being off-track is a very good culprit.

  2. In my case, I was confident but I was wrong - I had used the wrong keys. Doesn't hurt to double check.

  3. Let's say that you created an IAM user called "guignol". Configure "guignol" in ~/.aws/config as follows:

    [profile guignol]
    region = us-east-1
    aws_access_key_id = AKXXXYYY...
    aws_secret_access_key = ...

Install the aws cli (command level interface) if you haven't already done so. As a test, run aws ec2 describe-instances --profile guignol. If you get an error message that aws was not able to validate the credentials, run aws configure --profile guignol, enter your credentials and run the test command again.