Wednesday, 12 April 2017

AWS NodeJS SDK: intermittent AllAccessDisabled error in S3, UnrecognizedClientException in Dynamo

Using the AWS-SDK (v 2.27.0) in NodeJS, I have a function that creates a new record in a dynamo table, and then saves two files to different folders in an S3 bucket. Both dynamo and S3 are located in eu-west-2.

Generally speaking, my function succeeds. However, roughly one in ten times I get a failure of some sort. This happens with either the dynamo (save) process, or the S3 (putItem) process.

Here are details of the errors, and the code that triggers them:

Dynamo

Error Message: Error saving: UnrecognizedClientException: No account found for the given parameters

// [...]
let params = {
  TableName: 'users',
  Item: data, //json object
  ReturnValues: 'NONE'
};

dynamo.putItem(params, function(err, res) {
  if (err) {
    console.log(err);
    deferred.reject(err);
  }
  else {
    deferred.resolve(data.data.S); // successful response
  }
});

I then tried to run the process again (without changing anything) about five minutes later, and this time the dynamo record saved correctly, without the above error. However, I then saw an error in saving to S3.

S3 Issue

Error Message: AllAccessDisabled: All access to this object has been disabled

s3.putObject({
  Key: 'public/'+id+'.pem',
  Body: pair[keyType] //string
}).promise().then(function() {
  deferred.resolve();
},
function(err) {
  console.log(err);
  deferred.reject(err); // pass the error on so the caller can see which failure occurred
});

I find it very odd that it is sometimes working and sometimes not, which makes me wonder if there is something wrong with the AWS account. I sometimes see "All access to this object has been disabled" errors when browsing my S3 bucket through the AWS dashboard as well.

Here is how I initialise AWS/S3/Dynamo:

AWS.config.update({
  region: 'eu-west-2'
});
const s3 = new AWS.S3({params: {Bucket: 'universalapikeys', region: 'eu-west-2'}});
const dynamo = new AWS.DynamoDB({region: 'eu-west-2'});

The secret and key come from two env vars, AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY, and in my understanding are utilised by the aws-sdk automatically. My IAM user has AmazonS3FullAccess and AmazonDynamoDBFullAccess attached directly (amongst others).



via Josh Oldham
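One way to log each intermittent failure with enough context to compare runs, as an added example that is not the poster's code. The helper names (`maskKeyId`, `describeFailure`, `tally`), the sample errors and the key ID are constructed for illustration; the error fields read (`code`, `statusCode`, `requestId`, `extendedRequestId`) are the ones SDK v2 error objects carry.

```javascript
// Mask an access key ID so log lines can tell two keys apart without
// recording the whole identifier.
function maskKeyId(keyId) {
  if (!keyId) return '(unset)';
  if (keyId.length <= 4) return '****';
  return '*'.repeat(keyId.length - 4) + keyId.slice(-4);
}

// Turn one failed call into a flat record. `ctx` is supplied by the caller:
// the region the client was built with and the key ID from the environment
// (AWS_ACCESS_KEY_ID in the post).
function describeFailure(service, operation, err, ctx) {
  return {
    at: new Date().toISOString(),
    service,
    operation,
    code: err.code || 'Unknown',
    statusCode: err.statusCode || null,
    requestId: err.requestId || null,                 // identifies the request to AWS
    extendedRequestId: err.extendedRequestId || null, // returned by S3 only
    region: ctx.region,
    keyId: maskKeyId(ctx.keyId)
  };
}

// Count failures per key/region/service/code so a pattern across runs shows up.
function tally(records) {
  const counts = {};
  for (const r of records) {
    const k = [r.keyId, r.region, r.service, r.code].join(' | ');
    counts[k] = (counts[k] || 0) + 1;
  }
  return counts;
}

// Constructed sample errors shaped like the two failures in the post.
const sampleErrors = [
  ['DynamoDB', 'putItem', { code: 'UnrecognizedClientException', statusCode: 400, requestId: 'EXAMPLE-REQ-1' }],
  ['S3', 'putObject', { code: 'AllAccessDisabled', statusCode: 403, requestId: 'EXAMPLE-REQ-2', extendedRequestId: 'EXAMPLE-EXT-2' }],
  ['S3', 'putObject', { code: 'AllAccessDisabled', statusCode: 403, requestId: 'EXAMPLE-REQ-3', extendedRequestId: 'EXAMPLE-EXT-3' }]
];
const sampleCtx = { region: 'eu-west-2', keyId: 'AKIAEXAMPLEKEY000001' }; // constructed key ID
const records = sampleErrors.map(([svc, op, err]) => describeFailure(svc, op, err, sampleCtx));
console.log(tally(records));
```

In the callbacks from the post, `describeFailure('S3', 'putObject', err, {region: 'eu-west-2', keyId: process.env.AWS_ACCESS_KEY_ID})` would replace the bare `console.log(err)`.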
