Published in Bugs That Bite

uploading to S3 fatal error: Parameter validation failed

Invalid bucket name when you know the bucket exists

Let’s say you get this error trying to upload to an S3 bucket that you know already exists, and you’re sure the bucket name is correct. Can you spot the error?

uploading to S3
fatal error: Parameter validation failed:
Invalid bucket name ""yours3bucketnamehere"": Bucket name must match the regex "^[a-zA-Z0-9.\-_]{1,255}$" or be an ARN matching the regex "^arn:(aws).*:(s3|s3-object-lambda):[a-z\-0-9]*:[0-9]{12}:accesspoint[/:][a-zA-Z0-9\-.]{1,63}$|^arn:(aws).*:s3-outposts:[a-z\-0-9]+:[0-9]{12}:outpost[/:][a-zA-Z0-9\-]{1,63}[/:]accesspoint[/:][a-zA-Z0-9\-]{1,63}$"

This is related to another post where you end up with quotes around a value you’re trying to use in a concatenated string or pass into another function. It is a common occurrence for me with AWS Systems Manager Parameter Store. When you retrieve the parameter, it always has double quotes around it, and in some cases that ends up in the value. You can’t see the quotes when you simply print out the parameter value, as I explained in another post, but you can if you do something like this:

echo "'"$parameter_value"'"

Then you’ll see the quotes:

'"the_value"'

In my case, I retrieved a bucket name from Parameter Store and concatenated it with some other values to get the full bucket path:

bucket_repo_folder='s3://'$bucket'/repo'

If you echo the value of bucket_repo_folder you get:

s3://"bucket_name_value"/repo

You need to remove those extra double quotes before you concatenate. I do that with sed:

# strip the double quotes from the bucket name first, then concatenate
bucket=$(echo "$bucket" | sed 's/"//g')
bucket_repo_folder='s3://'$bucket'/repo'

Now your bucket name is correct:

s3://bucket_name_value/repo
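The same fix with a check in front of the upload, as an added example that is not code from the original post: it strips one pair of surrounding quotes and tests the result against the character set and length from the regex in the error above. The function names and the sample value are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names and the sample value are constructed.

# Remove one pair of surrounding double quotes, if present.
strip_quotes() {
    v=$1
    v=${v#\"}
    v=${v%\"}
    printf '%s\n' "$v"
}

# Same character set and length limit as the regex in the CLI error:
# ^[a-zA-Z0-9.\-_]{1,255}$
valid_bucket_name() {
    case $1 in
        ''|*[!a-zA-Z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 255 ]
}

# Build s3://<bucket>/repo, refusing a value that would fail validation.
build_repo_path() {
    b=$(strip_quotes "$1")
    if ! valid_bucket_name "$b"; then
        printf 'invalid bucket name: [%s]\n' "$b" >&2
        return 1
    fi
    printf 's3://%s/repo\n' "$b"
}

# Constructed value standing in for what came back from Parameter Store.
bucket='"bucket_name_value"'
printf 'raw:  [%s]\n' "$bucket"
printf 'path: %s\n' "$(build_repo_path "$bucket")"
```

When the value is read with `aws ssm get-parameter --query Parameter.Value`, adding `--output text` makes the CLI print it without JSON quoting; the check above still catches a value that arrives quoted from somewhere else.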

Packer: Unable to locate credentials. You can configure credentials by running “aws configure”.

Running AWS CLI commands on Packer

I got this error on an AMI where I had IAM credentials working previously. The reason was that I had moved my AMI building process to a separate account for better segregation of duties.

I was using the option iam_instance_profile and then setting the value to the name of an instance profile. I hadn’t yet set up the corresponding role profile for Packer in my new account.

This option to use a role profile with Packer appears in the documentation here:

This is an error you might get related to using this option:

Couldn't find specified instance profile: RequestError: send request failed caused by: Post "https://iam.amazonaws.com/": Proxy Authentication Required

What happened in my case is that when I came back to fix it I couldn’t immediately find the documentation for the iam_instance_profile option, but I found this option for adding an AWS IAM Role to the template. It allows you to add an external ID, which is an added layer of protection with cross-account roles:

The problem with this new functionality is that it seems you have to provide an AWS access key and secret key as well as a role to use this. The whole point of using a role was to avoid having the secret key and access key hanging around.

I went back to try the iam_instance_profile option again. I figured I must be doing something wrong. At first I couldn’t get it to work, but then I realized I did not remove the external ID used with the other IAM Role option when I reverted to the iam_instance_profile option.

I took the external ID out of the trust policy (leaving the trust policy that allows an EC2 instance to assume the role) in my IAM Role and it worked.

Fix: When the external ID is missing, give a more appropriate error message. The credentials are not missing; they are just misconfigured. Perhaps this is by design, to not give attackers additional information, but it makes it hard to troubleshoot as well.

Teri Radichel

© 2nd Sight Lab 2022
