This article discusses an authentication issue when OpsCenter connects to an S3 bucket using the default AWS credential provider chain.
- DataStax OpsCenter 6.5.2 or earlier
- DataStax OpsCenter 6.1.9 or earlier
Attempts to add Amazon S3 as a backup location in OpsCenter with the AWS Credential Provider chain as the credentials source fail with the following error:
Location validation error: Unable to authenticate against AWS with the provided key and secret.
OpsCenter uses the AWS SDK for Java to access AWS infrastructure services such as S3. For AWS environments that use EC2 instance profile credentials (i.e. IAM role credentials that exist in the EC2 instance metadata), OpsCenter allows these credentials to be used when backing up to an S3 bucket without users having to explicitly provide API keys (OPSC-5161).
When OpsCenter gets the AWS key and secret from the credentials object returned by the DefaultAWSCredentialsProviderChain instance, the key and secret are cloned into a BasicAWSCredentials object so that OpsCenter can override the default toString method and prevent the credentials from accidentally "leaking" into logs. In some situations, the resulting BasicAWSCredentials object is malformed (OPSC-14939) and authentication against S3 fails with the error above.
If using an affected version of OpsCenter, temporarily switch to supplying the AWS key and secret explicitly when adding an Amazon S3 backup location.
Upgrade to the latest version of OpsCenter to take advantage of all the new improvements and latest fixes.
The AWS SDK retrieves the EC2 instance credentials and OpsCenter saves them in a credentials object which is cached in memory. However, instance profile credentials are temporary and the associated session token eventually expires, which can cause backups to fail (OPSC-15138). See Expired AWS credentials result in failed OpsCenter backups to S3 location for details.
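The two failure modes above (a redacting copy of the credentials that does not preserve everything the SDK needs, and a cached copy that outlives the temporary session token) share one defensive pattern, illustrated here with the AWS SDK for Java v1 classes the article names. This is an added example, not OpsCenter's code: it subclasses BasicAWSCredentials and BasicSessionCredentials only to override toString(), so temporary credentials keep their session token, and it wraps the provider chain rather than caching a credentials object, so refreshed instance profile credentials are picked up on every call. The class name RedactingCredentials and the sample key values are constructed for the example.

```java
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.AWSSessionCredentials;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.auth.BasicSessionCredentials;
import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;

/**
 * Illustrative helper (not OpsCenter's code): keeps AWS credentials out of
 * toString()/log output while preserving the session token that temporary
 * credentials carry, and defers to the provider chain on every call so a
 * refreshed instance profile credential replaces the old one.
 */
public final class RedactingCredentials {

    private RedactingCredentials() {}

    /** Long-lived key pair with a log-safe toString(). */
    static final class RedactedBasic extends BasicAWSCredentials {
        RedactedBasic(String accessKeyId, String secretKey) {
            super(accessKeyId, secretKey);
        }

        @Override
        public String toString() {
            return "AWSCredentials[accessKeyId=" + mask(getAWSAccessKeyId()) + ", secretKey=***]";
        }
    }

    /** Temporary credentials: the session token must survive the copy, or request signing fails. */
    static final class RedactedSession extends BasicSessionCredentials {
        RedactedSession(String accessKeyId, String secretKey, String sessionToken) {
            super(accessKeyId, secretKey, sessionToken);
        }

        @Override
        public String toString() {
            return "AWSSessionCredentials[accessKeyId=" + mask(getAWSAccessKeyId())
                    + ", secretKey=***, sessionToken=***]";
        }
    }

    /** Copy whatever the chain returned into a redacting object of the same kind. */
    public static AWSCredentials wrap(AWSCredentials source) {
        if (source instanceof AWSSessionCredentials) {
            AWSSessionCredentials s = (AWSSessionCredentials) source;
            return new RedactedSession(s.getAWSAccessKeyId(), s.getAWSSecretKey(), s.getSessionToken());
        }
        return new RedactedBasic(source.getAWSAccessKeyId(), source.getAWSSecretKey());
    }

    /** Provider that never caches a snapshot: every call goes back to the delegate chain. */
    public static AWSCredentialsProvider redacting(final AWSCredentialsProvider delegate) {
        return new AWSCredentialsProvider() {
            @Override
            public AWSCredentials getCredentials() {
                return wrap(delegate.getCredentials());
            }

            @Override
            public void refresh() {
                delegate.refresh();
            }
        };
    }

    /** Keep only a short prefix of the access key id so log lines can still be correlated. */
    static String mask(String value) {
        if (value == null || value.length() <= 4) {
            return "***";
        }
        return value.substring(0, 4) + "***";
    }

    public static void main(String[] args) {
        // Constructed sample values for the demonstration; not real credentials.
        AWSCredentials temporary = new BasicSessionCredentials("ASIAEXAMPLEKEY", "example-secret", "example-token");
        AWSCredentials wrapped = wrap(temporary);
        System.out.println(wrapped);                                   // secret and token hidden
        System.out.println(wrapped instanceof AWSSessionCredentials);  // true: the token was kept

        // In a deployment the default chain is wrapped, not copied, so instance profile refreshes are honoured.
        AWSCredentialsProvider provider = redacting(new DefaultAWSCredentialsProviderChain());
        // Pass 'provider' to the S3 client builder; each request consults the chain for current credentials.
    }
}
```

The check worth keeping from this example is the `instanceof AWSSessionCredentials` test: a credentials copy that drops that interface (as a plain BasicAWSCredentials does) will be signed without the session token, which is exactly the kind of malformed credential the error in this article describes.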