STS: AssumeRoleWithWebIdentity api error NoSuchVersion about aws-sdk-go-v2 HOT 7 CLOSED

Hi @dmcnaught ,

Before we dive into this, can you please update your dependencies? you are using sqs v1.24.5 which and we are on v1.29.7. This might be due to the migration of SQS to a new JSON based protocol.

Let me know how it goes.

Thanks,
Ran~

from aws-sdk-go-v2.

Hi @RanVaknin,

Thank you for getting back to us. Your response pointed me to the culprit:

u, err := url.Parse(queueURL)
if err != nil {
	log.Fatal().Str("queue_url", queueURL).Msg("failed to parse consumer url")
}

awsConf, err := awsConfig.LoadDefaultConfig(
	context.TODO(),
	awsConfig.WithRegion(config.AWS.Region), // replace with config var
	awsConfig.WithLogger(logger.AwsLogger{}),
	awsConfig.WithClientLogMode(aws.LogRequestWithBody|aws.LogResponseWithBody),
	awsConfig.WithEndpointResolverWithOptions(aws.EndpointResolverWithOptionsFunc(
		func(service, region string, options ...interface{}) (aws.Endpoint, error) {
			return aws.Endpoint{URL: u.Scheme + "://" + u.Host}, nil
		}),
	),
)

I removed the WithEndpointResolverWithOptions argument and no errors. We appreciate the help!

from aws-sdk-go-v2.

Thanks for your response @RanVaknin
We ran the test with the updated libraries and got the same error.

        github.com/aws/aws-sdk-go-v2 v1.24.1
	github.com/aws/aws-sdk-go-v2/config v1.18.21
	github.com/aws/aws-sdk-go-v2/feature/rds/auth v1.2.19
	github.com/aws/aws-sdk-go-v2/service/sqs v1.29.7
        github.com/aws/aws-sdk-go-v2/credentials v1.13.20 // indirect
	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.2 // indirect
	github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.10 // indirect
	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.10 // indirect
	github.com/aws/aws-sdk-go-v2/internal/ini v1.3.34 // indirect
	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.26 // indirect
	github.com/aws/aws-sdk-go-v2/service/sso v1.12.8 // indirect
	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.8 // indirect
	github.com/aws/aws-sdk-go-v2/service/sts v1.18.9 // indirect

Error:

{"level":"error","error":"operation error SQS: ReceiveMessage, get identity: get credentials: failed to refresh cached > credentials, failed to retrieve credentials, operation error STS: AssumeRoleWithWebIdentity, https response error
StatusCode: 400, RequestID: , api error NoSuchVersion: The requested version ( 2011-06-15 ) is not
valid.","worker_id":2,"time":1706150016,"message":"Error while calling SQS ReceiveMessage"}

from aws-sdk-go-v2.

Hi @dmcnaught ,

Thanks for confirming the versions. The error stack is raising error from the entire credential chain, specifying that no credential provider in the chain was able to resolve credentials. It might have to do with the way your application is setup with IRSA.

Can you please provide your client logs? You can enable the logger by doing the following:

	cfg, err := config.LoadDefaultConfig(context.TODO(), config.WithRegion("us-east-1"), config.WithClientLogMode(aws.LogRequestWithBody| aws.LogResponseWithBody))
	if err != nil {
		log.Fatalf("unable to load SDK config, %v", err)
	}

This will show us the implicit requests and responses the SDK does "under-the-hood" for resolving credentials and might point us to other clues.

Thanks again,
Ran~

from aws-sdk-go-v2.

{“level”:“debug”,“worker_id”:0,“time”:1706209344,“message”:“worker polling for messages”}
{“level”:“debug”,“source”:“aws”,“time”:1706209344,“message”:“Request\nPOST / HTTP/1.1\r\nHost: [sqs.us-east-1.amazonaws.com](http://sqs.us-east-1.amazonaws.com/)\r\nUser-Agent: aws-sdk-go-v2/1.24.1 os/linux lang/go#1.21.6 md/GOOS#linux md/GOARCH#amd64 api/sts#1.26.7\r\nContent-Length: 1168\r\nAmz-Sdk-Invocation-Id: f026f66e-60b6-4c38-ad52-bf29137bc772\r\nAmz-Sdk-Request: attempt=1; max=3\r\nContent-Type: application/x-www-form-urlencoded\r\nAccept-Encoding: gzip\r\n\r\nAction=AssumeRoleWithWebIdentity&RoleArn=arn%3Aaws%3Aiam%3A%3A243423067772%3Arole%2Fqa6-billing&RoleSessionName=1706209344274114123&Version=2011-06-15&WebIdentityToken=<token>”}
{“level”:“debug”,“source”:“aws”,“time”:1706209344,“message”:“Response\nHTTP/1.1 400 Bad Request\r\nContent-Length: 300\r\nConnection: keep-alive\r\nContent-Type: text/xml\r\nDate: Thu, 25 Jan 2024 19:02:24 GMT\r\nX-Amzn-Requestid: 3b421a4f-04bd-51f2-ab07-4463b63d9df6\r\n\r\n<?xml version=\“1.0\“?><ErrorResponse xmlns=\“http://queue.amazonaws.com/doc/2011-06-15/\“><Error><Type>Sender</Type><Code>NoSuchVersion</Code><Message>The requested version ( 2011-06-15 ) is not valid.</Message><Detail/></Error><RequestId>3b421a4f-04bd-51f2-ab07-4463b63d9df6</RequestId></ErrorResponse>“}
{“level”:“error”,“error”:“operation error SQS: ReceiveMessage, get identity: get credentials: failed to refresh cached credentials, failed to retrieve credentials, operation error STS: AssumeRoleWithWebIdentity, https response error StatusCode: 400, RequestID: 3b421a4f-04bd-51f2-ab07-4463b63d9df6, api error NoSuchVersion: The requested version ( 2011-06-15 ) is not valid.“,”worker_id”:0,“time”:1706209344,“message”:“Error while calling SQS ReceiveMessage”}

from aws-sdk-go-v2.

Hi @dmcnaught ,

Thanks for providing those logs. I see why you are getting this error. The AssumeRoleWithWebIdentity is being made to SQS, and not STS. SQS does not have an API version 2011-06-15 therefore it returns this error.

Are you calling this AssumeRole explicitly?

Can you please add your complete code snippet so I can rule out a configuration issue? (please add everything you can; imports, client initialization code, API call, etc)

Thanks again,
Ran~

from aws-sdk-go-v2.

This issue is now closed. Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.

from aws-sdk-go-v2.