01/17/2023 08:50 AM - edited 01/17/2023 08:51 AM
Hello,
I am trying to connect to my AWS instance using the Account ID under the AWS connection type. However, I am getting an error on saving this connection.
I have created a stack in AWS using the guide AWS Connector Guide : Customer Portal (freshdesk.com)
With ExternalId and MasterAccID as parameters.
The template that I used while creating the stack is :
https://s3.amazonaws.com/saviyntcftemplates/DeploymentTemplates/Saviynt_CFT_Analyzer_IGA_DC.json
How do I ensure the AWS setting is consistent with the connection details?
I am testing this connection using Postman, and on using the /getConnections call I am getting a Successful message.
On testing it with testConnection, I am getting a 405 Not Allowed message.
Can someone help me understand what could have gone wrong here? Do I need to add any specific role in Saviynt corresponding to the one defined in AWS? Or something else?
Thanks in advance.
Regards.
01/17/2023 09:25 PM
Share a screenshot of the connection config.
01/17/2023 09:46 PM
01/17/2023 09:52 PM
What is the error in the logs?
01/17/2023 10:11 PM
This is the error from the Application Logs, but I am not able to figure out what is actually going wrong, or at which place.
01/18/2023 04:35 AM
You don't have access to pull information from AWS, hence ask the application team to provide the required permissions.
01/18/2023 05:53 AM - edited 01/18/2023 06:08 AM
Is there a document to follow on what kind of access we need to read the resources on AWS?
AWS Connector Guide : Customer Portal (freshdesk.com) doesn't suggest anything relevant.
01/18/2023 08:03 AM
https://docs.saviyntcloud.com/bundle/AWS-v2020x/page/Content/Preparing-for-Integration.htm
01/20/2023 07:41 AM - edited 01/20/2023 07:43 AM
Thanks Rushikesh,
However, the above-mentioned document doesn't help much. It is almost the same as the one I referred to while creating the stack and all configurations.
While I was able to test the connection using a Postman call to the GetUser API, I still read this to be an error in Saviynt connecting to AWS using the AWS Connector. Which means that if I can make a successful call via Postman, the policies/roles/permissions on AWS work fine.
Also, I tried it via the REST connector using the AWS details in the connectionJSON, but that doesn't help, as I am still not sure about the auth API URL for AWS.
01/20/2023 12:00 PM
Is Postman working?
01/22/2023 08:09 PM
Yes, the Postman calls are working very much fine. And I assume we don't need any additional permission on AWS for this. I am using AWS Signature to carry the AccessKey and SecretKey as well.
01/23/2023 08:39 AM
Share the Saviynt logs.
01/25/2023 12:55 AM
What should the AWS_Account_ID be here, the account ID from AWS (the target system) or the account ID of the AWS account on which Saviynt is hosted? Also, should I use this same Account_ID in AWS while creating the stack?
Also, how do I find the AWS_STACK_ROLE_NAME? It is not mentioned in the documentation.
01/25/2023 04:43 AM
Target. The connection always contains target system information; here it should be the AWS information.
01/25/2023 06:00 AM
I am testing the connection to AWS from Postman and it gives me 200 OK (assuming the stack got created correctly).
However, the connection in Saviynt is still giving an error saying:
2023-01-25 13:37:44,184 [http-nio-8080-exec-6] DEBUG println.PrintlnToLogger - Println :: | Error com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: User: arn:aws:sts::533811351211:assumed-role/eynordic-partner-eks-workernode-role/i-04bd8ebe995d6dde1 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::3**********9:role/stack-saviynt-aws-trust-SaviyntAWSRole-1W******1*Q*X (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: a65a75cd-6bf6-44b8-be4b-800d189803a7)
Which user is it referring to?
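To see who the denied "User" in that error is and what the target role's trust policy has to contain for the call to succeed, here is an added Python example (not code from the thread, from Saviynt, or from AWS): it parses the error text, expands the caller's assumed-role session ARN into the principal forms an IAM trust policy can name, and evaluates a trust policy against that caller and an ExternalId. The caller ARN is the one from the log line above; the target account id, role name, external ID, error text and trust policy documents are constructed placeholders, and the CloudFormation stack linked earlier may produce a different policy than the one built here.

```python
import json
import re

# Caller ARN copied from the error message posted in the thread: an EC2
# instance-profile session of the EKS worker-node role in Saviynt's account.
CALLER_ARN = ("arn:aws:sts::533811351211:assumed-role/"
              "eynordic-partner-eks-workernode-role/i-04bd8ebe995d6dde1")
# Target role ARN: account id and role name are CONSTRUCTED placeholders
# (the real ones are masked in the thread).
TARGET_ROLE_ARN = "arn:aws:iam::123456789012:role/SaviyntAWSRole"
EXTERNAL_ID = "example-external-id"  # constructed, not a real ExternalId

# Constructed copy of the error text in the thread, with the masked target
# role replaced by the placeholder above.
SAMPLE_ERROR = (
    "com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: "
    f"User: {CALLER_ARN} is not authorized to perform: sts:AssumeRole on resource: "
    f"{TARGET_ROLE_ARN} (Service: AWSSecurityTokenService; Status Code: 403; "
    "Error Code: AccessDenied)"
)

_ERR_RE = re.compile(
    r"User: (?P<caller>arn:aws:\S+) is not authorized to perform: "
    r"sts:AssumeRole on resource: (?P<target>arn:aws:iam::\S+)"
)
_PRINCIPAL_RE = re.compile(
    r"arn:aws:(?:iam|sts)::(?P<account>\d{12}):"
    r"(?P<kind>assumed-role|role|user)/(?P<name>[^/]+)"
)


def parse_assume_role_error(message):
    """Extract the caller and target role ARNs from an STS AccessDenied message."""
    m = _ERR_RE.search(message)
    return None if m is None else {"caller": m["caller"], "target": m["target"]}


def caller_principals(caller_arn):
    """Principal values a trust policy could list to admit this caller.

    An assumed-role session ARN (arn:aws:sts::ACCT:assumed-role/ROLE/SESSION)
    is admitted by the session ARN itself, the underlying role ARN, or the
    account root (written as the root ARN or the bare account id).
    """
    m = _PRINCIPAL_RE.match(caller_arn)
    if m is None:
        return set()
    acct, kind, name = m["account"], m["kind"], m["name"]
    names = {caller_arn, acct, f"arn:aws:iam::{acct}:root"}
    if kind == "assumed-role":
        names.add(f"arn:aws:iam::{acct}:role/{name}")
    return names


def make_trust_policy(principal_arn, external_id):
    """Build the usual cross-account trust policy with an ExternalId condition."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": principal_arn},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    })


def _as_list(value):
    return value if isinstance(value, list) else [value]


def trust_allows(policy_json, caller_arn, external_id=None):
    """Evaluate the Allow statements of a trust policy for one caller.

    Returns (allowed, reason). Simplified on purpose: Deny statements, other
    condition operators, and the caller-side identity policy (which must also
    grant sts:AssumeRole for cross-account calls) are not evaluated.
    """
    admitted = caller_principals(caller_arn)
    reasons = []
    for i, st in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action", [])):
            continue
        principal = st.get("Principal", {})
        trusted = {"*"} if principal == "*" else set(_as_list(principal.get("AWS", [])))
        if "*" not in trusted and not (trusted & admitted):
            reasons.append(f"statement {i}: Principal {sorted(trusted)} does not name the caller")
            continue
        required = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if required is not None and external_id != required:
            reasons.append(f"statement {i}: sts:ExternalId condition not satisfied")
            continue
        return True, f"statement {i} admits the caller"
    return False, "; ".join(reasons) or "no Allow statement grants sts:AssumeRole"


if __name__ == "__main__":
    parsed = parse_assume_role_error(SAMPLE_ERROR)
    root_policy = make_trust_policy("arn:aws:iam::533811351211:root", EXTERNAL_ID)
    other_policy = make_trust_policy("arn:aws:iam::533811351211:role/SomeOtherRole", EXTERNAL_ID)
    print("caller:", parsed["caller"])
    print("root-trusted, right ExternalId:", trust_allows(root_policy, parsed["caller"], EXTERNAL_ID))
    print("root-trusted, wrong ExternalId:", trust_allows(root_policy, parsed["caller"], "typo"))
    print("other role trusted:", trust_allows(other_policy, parsed["caller"], EXTERNAL_ID))
```

Two points the example makes concrete. First, the "User" in the error is not an IAM user: it is the temporary session of the EKS worker-node instance role in account 533811351211, the account where the Saviynt workers run, so the trust policy of the SaviyntAWSRole in the target account has to admit that account (or that specific role) as Principal, and the ExternalId sent by the connection has to equal the value in the StringEquals condition exactly. Second, a Postman request signed with an access key and secret key runs as whatever IAM principal owns that key, not as the worker-node role, so a 200 OK from Postman does not exercise the sts:AssumeRole path that the connector uses. For a cross-account AssumeRole both sides matter: the target role's trust policy and the caller's own identity policy must allow the call, and the same AccessDenied text is returned whichever side is missing.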
01/25/2023 06:02 AM
You missed or did not format some connection parameters in EIC.
01/25/2023 06:19 AM
I don't see any attribute for connection parameters for the AWS connection type. The 6 mandatory attributes are filled in:
Connection Name
Connection Type - AWS
AWS_ACCOUNT_ID * - Master Account ID for AWS (Target Application)
CROSS_ACCOUNT_ROLE_ARN - Obtained after creating stack on AWS (tested connection on postman, works fine)
PULL_GOV_REGION_ONLY - No (as suggested)
EXTERNAL_ID - Same as defined in AWS
And I get the same error.