transient failure using aws:sourceip
Posted by: S. Moser RealName(TM)
Posted on: Oct 19, 2010 8:17 AM
Hi,
  I'm trying to use aws:SourceIp to limit a set of credentials.

{
  "Statement":[ {
   "Effect":"Deny",
   "Action":"*",
   "Resource":"*",
   "Condition":{
     "NotIpAddress":{ "aws:SourceIp":["My.IP.Addr.Here/32"] }
   }
  }]
}

I have other policy statements in effect, but this one seems to be causing sporadic / transient failures.

I have reproduced this on 2 separate systems with different IP addresses (one system heavily firewalled, one with no outbound connection restrictions).  If I have the above policy in place, and try to do s3 bucket lists some will get 'access denied'.

I originally saw the error during a ec2-upload-bundle, the 5th part failed to upload.
I've got a loop running a ls of a single file (using s3cmd) and then sleeping for 2 seconds and repeating.  The result is success for a minute or two, then failure for a minute or two, then success again...

The bucket I'm seeing transient failures in is in ap-southeast-1.  I have similarly named buckets in each of the other 4 regions, with the same file in them (i.e. <base-bucket>-<S3_LOCATION>/file).  I can't seem to reproduce the issue with any other region.

I can't imagine that this is a result of policies taking time to propagate, as the policies haven't been touched for tens of minutes at this point and I'm seeing it.  The original failure that I saw had untouched policies for hours.  If it didn't work sometimes, I would expect slightly different permissions on buckets, but the sporadic success seems to indicate that that is not the case.

Has anyone else seen results like this?

Message was edited by: S. Moser
Replies: 8 | Pages: 1 - Last Post: Oct 21, 2010 6:41 AM by: S. Moser
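To make the behaviour of the posted statement concrete, here is a small model of how it evaluates for a given request. This is an added example, not code from the thread or from AWS: it implements only the subset of IAM condition logic the statement uses (a Deny with NotIpAddress on aws:SourceIp), skips Action/Resource matching because both are "*", and uses a constructed documentation-range address in place of "My.IP.Addr.Here/32". The treatment of a missing aws:SourceIp (negated operators matching when the key is absent from the request context) follows how IAM documents Not* operators, and is the case that matters when an intermediary fails to forward the client address, which is what the later replies in this thread identify as the cause.

```python
"""Model how the Deny statement from the post behaves for a given source IP.

Added example; it is not code from the thread or from AWS. It implements only
the NotIpAddress operator and the Deny effect, and is an approximation of the
policy engine, not the engine itself.
"""
import ipaddress
import json

# The poster's statement, with a constructed documentation-range address
# standing in for "My.IP.Addr.Here/32".
POLICY = json.loads("""
{
  "Statement": [{
    "Effect": "Deny",
    "Action": "*",
    "Resource": "*",
    "Condition": {
      "NotIpAddress": {"aws:SourceIp": ["203.0.113.7/32"]}
    }
  }]
}
""")


def _as_list(value):
    """Condition values may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def _ip_in_any(ip, cidrs):
    """True if ip falls inside at least one of the CIDR blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in _as_list(cidrs))


def not_ip_address_matches(keys, context):
    """NotIpAddress: matches when the key is absent, or present and outside every CIDR."""
    for key, cidrs in keys.items():
        value = context.get(key)
        if value is None:
            # Assumption modelling documented IAM behaviour: a negated operator
            # matches when the condition key is missing from the request
            # context. A hop that drops the client address therefore makes
            # this Deny fire even for the whitelisted /32.
            continue
        if _ip_in_any(value, cidrs):
            return False
    return True


OPERATORS = {"NotIpAddress": not_ip_address_matches}


def statement_denies(policy, source_ip):
    """True if any Deny statement applies to a request whose aws:SourceIp is
    source_ip. Pass None to model an address that was not forwarded.
    Action/Resource matching is omitted: the statement uses "*" for both."""
    context = {} if source_ip is None else {"aws:SourceIp": source_ip}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        conditions = stmt.get("Condition", {})
        if all(OPERATORS[op](keys, context) for op, keys in conditions.items()):
            return True
    return False


if __name__ == "__main__":
    for ip in ["203.0.113.7", "198.51.100.9", None]:
        verdict = "DENY" if statement_denies(POLICY, ip) else "no deny"
        print(f"source {ip!s:>14}: {verdict}")
```

Run stand-alone it prints the verdict for the listed address, an outside address, and a request with no source address at all; the last case is the one that produces sporadic denials when only some of the path to the service loses the address.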
Replies
Re: transient failure using aws:sourceip
Posted by: KevinO@AWS
Posted on: Oct 19, 2010 10:20 AM
in response to: S. Moser

Hi, thanks for letting us know you're seeing a problem with IP-based policies. We're investigating.

Can you confirm that the problem you're seeing is "Access Denied" errors when you're coming from the /32 that is non-blacklisted in the policy you posted?

Re: transient failure using aws:sourceip
Posted by: S. Moser RealName(TM)
Posted on: Oct 19, 2010 11:11 AM
in response to: KevinO@AWS
The error I saw from s3cmd when reproducing was:
ERROR: Access to bucket '<my-bucket>-ap-southeast-1' was denied

(ap-southeast-1) was part of its name.

During my automated builds, I also saw:
  Client.UnauthorizedOperation: You are not authorized to perform this operation.

I believe that is simply output from a boto exception.

Also, from another automated build, a ec2-upload-bundle command failed with:

"/tmp/publish-image.BYzSBd/<my.file>.part.05":
Server.AccessDenied(403): Access Denied
failed to upload bundle to
<my-bucket>-ap-southeast-1/<my-file>.manifest.xml


I've seen this with 2 different source IPs.  I saw it originally with one, removed the policy listed above that would deny anything *not* that IP address, and then could not reproduce.

I tried on another system, modifying the policy and putting it into place for its IP address, and then also saw sporadic errors.

Re: transient failure using aws:sourceip
Posted by: Carl@AWS
Posted on: Oct 19, 2010 11:40 AM
in response to: S. Moser
Would you be able to provide the x-amz-id-2 and x-amz-request-id for requests that failed and succeeded as well as the timeframe when the requests were made?  With this information we can narrow the investigation into what may be causing the issue.

Thanks,

Carl
Re: transient failure using aws:sourceip
Posted by: S. Moser RealName(TM)
Posted on: Oct 19, 2010 12:00 PM
in response to: Carl@AWS
I can reproduce it at whim.

I don't have any of the request ids. It's easily reproducible for me, I can put the policy in place and reproduce if needed.

I had some denied coming from IP 69.14.169.66 around .  From my logs when I was testing:

Tue Oct 19 11:18:00 EDT 2010: PASS
Tue Oct 19 11:18:05 EDT 2010: PASS
Tue Oct 19 11:18:08 EDT 2010: FAIL ap-southeast-1
Tue Oct 19 11:18:13 EDT 2010: FAIL ap-southeast-1
...
Tue Oct 19 11:21:17 EDT 2010: FAIL ap-southeast-1
Tue Oct 19 11:21:21 EDT 2010: PASS
Tue Oct 19 11:21:26 EDT 2010: PASS

The file I was trying to access (in all above) was s3://ubuntu-images-testing-us/ubuntu-maverick-daily-i386-server-20101016.part.16
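The PASS/FAIL probe loop above is the kind of evidence that separates a wrong policy from an intermittent infrastructure fault: a policy that is simply wrong denies every request, while runs of failures between runs of successes point at something that varies per request. The following added example (not the poster's script) turns such a log into failure windows and a rough classification. The log lines in it are constructed in the same format as the poster's and are not the poster's actual data.

```python
"""Summarise a PASS/FAIL probe log like the one in the post into failure windows.

Added example, not from the thread. SAMPLE_LOG is constructed in the poster's
format; the timestamps and outcomes are made up for illustration.
"""
import re
from datetime import datetime

SAMPLE_LOG = """\
Tue Oct 19 11:18:00 EDT 2010: PASS
Tue Oct 19 11:18:05 EDT 2010: PASS
Tue Oct 19 11:18:08 EDT 2010: FAIL ap-southeast-1
Tue Oct 19 11:18:13 EDT 2010: FAIL ap-southeast-1
Tue Oct 19 11:18:17 EDT 2010: FAIL ap-southeast-1
Tue Oct 19 11:18:21 EDT 2010: PASS
Tue Oct 19 11:18:26 EDT 2010: PASS
Tue Oct 19 11:18:30 EDT 2010: FAIL ap-southeast-1
Tue Oct 19 11:18:34 EDT 2010: PASS
"""

# "Tue Oct 19 11:18:00 EDT 2010: FAIL ap-southeast-1"; the zone token is
# captured separately because strptime's %Z accepts only a few zone names.
LINE_RE = re.compile(
    r"^(?P<stamp>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<tz>\w+) (?P<year>\d{4}): "
    r"(?P<status>PASS|FAIL)(?: (?P<detail>.*))?$"
)


def parse_line(line):
    """Return (timestamp, status, detail) for a probe line, or None if it
    does not match the format (e.g. the '...' the poster used to elide lines)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    when = datetime.strptime(f"{m['stamp']} {m['year']}", "%a %b %d %H:%M:%S %Y")
    return when, m["status"], m["detail"] or ""


def failure_windows(lines):
    """Group consecutive FAIL probes into (first_fail, last_fail, count) tuples."""
    windows = []
    current = None
    for when, status, _ in filter(None, map(parse_line, lines)):
        if status == "FAIL":
            if current is None:
                current = [when, when, 0]
            current[1] = when
            current[2] += 1
        elif current is not None:
            windows.append(tuple(current))
            current = None
    if current is not None:
        windows.append(tuple(current))
    return windows


def classify(lines):
    """Heuristic triage. A misauthored policy fails every probe; alternating
    PASS/FAIL runs mean the outcome depends on something that differs between
    otherwise identical requests, such as which backend handled them."""
    statuses = [status for _, status, _ in filter(None, map(parse_line, lines))]
    if not statuses:
        return "no-data"
    if all(s == "PASS" for s in statuses):
        return "consistent-allow"
    if all(s == "FAIL" for s in statuses):
        return "consistent-deny"
    return "intermittent"


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("verdict:", classify(lines))
    for start, end, count in failure_windows(lines):
        print(f"{count} failures from {start:%H:%M:%S} to {end:%H:%M:%S}")
```

Keeping the per-request ids alongside each FAIL line (the x-amz-request-id and x-amz-id-2 headers the AWS reply above asks for) would let the windows be matched to the service's own logs, which is the step the poster could not supply here.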
Re: transient failure using aws:sourceip
Posted by: Carl@AWS
Posted on: Oct 19, 2010 2:03 PM
in response to: S. Moser
This should be fixed.  We identified one load balancer that was incorrectly configured.  This resulted in your requests being denied because your IP was not being forwarded.  Can you verify this is no longer occurring?

Thanks,
Carl
Re: transient failure using aws:sourceip
Posted by: S. Moser RealName(TM)
Posted on: Oct 19, 2010 6:32 PM
in response to: Carl@AWS
Well, it's definitely occurring less.

I've not seen any errors with s3 operations now, but I just got an error with RegisterImage.

Tue Oct 19 21:51:09 UTC 2010: register ubuntu-images-testing-ap-southeast-1/ubuntu-lucid-daily-i386-server-20101019.1.manifest.xml
Client.UnauthorizedOperation: You are not authorized to perform this operation.
failed to register ubuntu-lucid-daily-i386-server-20101019.1.manifest.xml.

The source-ip based 'Deny' is the only Deny in the policies in effect. And there is a stanza for this user that contains 'Allow' and ec2:RegisterImage.

Additionally, I just did a quick test:

- remove source-ip policy
- ec2-register-image --region ap-southeast-1 ubuntu-images-testing-ap-southeast-1/ubuntu-lucid-daily-i386-server-20101019
  is successful
- ec2-deregister-image --region ap-southeast-1 <ami-from-previous>
  is successful
- re-add source-ip policy
- ec2-register-image --region ...
  gives: Client.UnauthorizedOperation: You are not authorized to perform this operation.

I tried again after that and the operation succeeded.

I just ran a 'register - deregister' loop 10 times via ec2-register-image.  Some of them failed.  Here are some timestamps and the output to help.  Ignore the '-h' comments, that is just output of the deregister when the register failed.  The last entry there is a successful register and deregister.

Wed Oct 20 01:28:03 UTC 2010
Client.UnauthorizedOperation: You are not authorized to perform this operation.
FAIL
Wed Oct 20 01:28:16 UTC 2010
Required parameter 'AMI' missing (-h for usage)
Wed Oct 20 01:28:19 UTC 2010
Wed Oct 20 01:28:19 UTC 2010
Client.UnauthorizedOperation: You are not authorized to perform this operation.
FAIL
Wed Oct 20 01:28:34 UTC 2010
Required parameter 'AMI' missing (-h for usage)
Wed Oct 20 01:28:36 UTC 2010
Wed Oct 20 01:28:36 UTC 2010
IMAGE   ami-860876d4
Wed Oct 20 01:28:53 UTC 2010

I need this operation to go through, so for the moment I'm dropping the source ip deny.

Re: transient failure using aws:sourceip
Posted by: KevinO@AWS
Posted on: Oct 20, 2010 10:12 PM
in response to: S. Moser
We have done an audit of load balancer configurations that were causing your IP address not to be forwarded correctly by some AWS endpoints. You should not be seeing this error for EC2 or other services at this point. We're also adding additional monitoring to ensure that the issue does not reoccur.

Let us know if this doesn't solve your problem.
Re: transient failure using aws:sourceip
Posted by: S. Moser RealName(TM)
Posted on: Oct 21, 2010 6:41 AM
in response to: KevinO@AWS
I've just now put the policy back in place.  I will let you know if I see issues.
Thank you for your help.