Credential validity is not exposed

Bug #1822117 reported by Peter Matulis on 2019-03-28
This bug affects 1 person
Affects: juju
Importance: Medium
Assigned to: Unassigned

Bug Description

$ juju bootstrap --credential jlaurin aws

<< DEACTIVATE jlaurin IN AWS CONSOLE >>

$ juju add-machine

failed to create 1 machine
ERROR cannot add a new machine:
The provided credentials could not be validated and
may not be authorized to carry out the request.
Ensure that your account is authorized to use the Amazon EC2 service and
that you are using the correct access keys.
These keys are obtained via the "Security Credentials"
page in the AWS console.
: AWS was not able to validate the provided access credentials (AuthFailure)

<< WAIT A FEW MINUTES >>

The output to `show-model` suggests that all is well ("alive", "available"):

$ juju show-model default

default:
  name: admin/default
  short-name: default
  model-uuid: 36c3147d-8008-4625-893b-7b7b956e275b
  model-type: iaas
  controller-uuid: 2e6a0e8e-d4ec-4931-892f-9416508ae009
  controller-name: aws-us-east-1
  is-controller: false
  owner: admin
  cloud: aws
  region: us-east-1
  type: ec2
  life: alive
  status:
    current: available
    since: 8 minutes ago
  users:
    admin:
      display-name: admin
      access: admin
      last-connection: 3 minutes ago
  sla: unsupported
  agent-version: 2.5.3
  credential:
    name: jlaurin
    owner: admin
    cloud: aws

The output for commands `list-credentials`, `show-credential`, and `show-credentials` also does not show anything different (but at least they do not suggest that the credential is valid).

n.b. The output received by the failed `add-machine` command could also be improved. Suggestion:

ERROR cannot add a new machine:
The provided credential appears to be invalid.
Ensure that your account is authorised to use the Amazon EC2 service and
that you are using the correct access keys.

I don't think we should use text that is hardcoded to a vendor's web site ("Security Credentials" page).
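
Added example (not part of the original report and not Juju code): a Python check an operator could run to catch the gap described above, comparing what `show-model` reports with the provider error returned by a failed command. The function names are hypothetical and the sample inputs are constructed, trimmed copies of the output quoted in the report.

```python
import re

# Constructed inputs: trimmed copies of the terminal output quoted in the report.
SHOW_MODEL = """\
default:
  name: admin/default
  life: alive
  status:
    current: available
    since: 8 minutes ago
  credential:
    name: jlaurin
    owner: admin
    cloud: aws
"""
ADD_MACHINE_STDERR = """\
ERROR cannot add a new machine:
: AWS was not able to validate the provided access credentials (AuthFailure)
"""

def parse_show_model(text):
    """Parse the nested 'key: value' subset of YAML that show-model prints."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) for every block still open
    for line in text.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack[-1][0] >= indent:  # leave blocks at this depth or deeper
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key] = value.strip()
        else:
            parent[key] = {}
            stack.append((indent, parent[key]))
    return next(iter(root.values()))  # the single model entry

def credential_mismatch(show_model_text, stderr_text):
    """Compare what the model reports with what the provider answered."""
    model = parse_show_model(show_model_text)
    cred = model.get("credential", {})
    rejected = bool(re.search(r"\(AuthFailure\)\s*$", stderr_text, re.MULTILINE))
    healthy = (model.get("life"), model.get("status", {}).get("current")) == ("alive", "available")
    return {"model": model.get("name"), "credential": cred.get("name"),
            "cloud": cred.get("cloud"), "provider_rejected": rejected,
            "mismatch": rejected and healthy}  # model looks fine, provider disagrees

if __name__ == "__main__":
    print(credential_mismatch(SHOW_MODEL, ADD_MACHINE_STDERR))
```

A `mismatch` of true means the model still looks healthy while the cloud has already rejected the credential named in it.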

Anastasia (anastasia-macmood) wrote :

We do not use text from a vendor's web site - this is our own copy of the text :) It is the most generic information that is worth providing without giving too much away in case the access was actually malicious. I would be very reluctant to re-word.

I am surprised to see that we do not show credential validity. I am pretty sure it was added but maybe follow-up changes swallowed that?

Could you please provide the output for a model with an invalid credential for `list-credentials`, `show-credential`, and `show-credentials` as well as 'juju status --format yaml'.

summary: - Credential validity status is not exposed
+ Credential validity is not exposed

Peter Matulis (petermatulis) wrote :

> We do not use text from a vendor's web site

What I meant was, the text describes a 3rd party website, which is beyond our control and can change at any time:

<< These keys are obtained via the "Security Credentials"
page in the AWS console. >>

> Could you please provide output...

https://paste.ubuntu.com/p/zrd97C7K46/

Tim Penhey (thumper) on 2019-04-02
tags: added: credentials ux
Changed in juju:
status: New → Triaged
importance: Undecided → Medium

Peter Matulis (petermatulis) wrote :

See bug 1822637 for extra context.
