Hi,
On 7/20 we upgraded from 22.1 to 22.2. We are using the Amazon S3 Utils version 1.1 and we can no longer upload to S3 after the upgrade.
This plug-in [com.appiancorp.ps.plugins.amazonS3Utils] is not registered to access secured values for the given external system key [s3prod]. Check the external systems plug-ins list in the Administration Console.
Error Occured: Error while uploading the file to Amazon S3. Error is: The security token included in the request is invalid. (Service: AWSKMS; Status Code: 400; Error Code: UnrecognizedClientException; Request ID: c1e7278c-ca73-46bd-bcf9-c510a620018a)
Thanks,
Scott
Have you had the chance to look at the std out log? Are there any more details in there? Also, was this tested and working in a lower environment after upgrade?
When tested in lower environments it continued working in our Test environment but did not continue working in Dev.
I will see if I can find anything in the std out log.
This is from the Appian support team:
2022-07-25 06:01:29,719 [ajp-nio-0.0.0.0-8009-exec-45] ERROR com.appiancorp.ps.plugins.amazonS3Utils.UploadObjectsToAmazonS3 - Error while uploading the file to Amazon S3. com.amazonaws.AmazonServiceException: The security token included in the request is invalid. (Service: AWSKMS; Status Code: 400; Error Code: UnrecognizedClientException; Request ID: cbfe99b5-a70c-4b71-b374-92b449d1293a)
Here is another log entry we have noticed.
2022-07-25 16:07:43,697 [Appian Work Item - 8327 - WorkID 811 - execution01 - process 270508345 - model 155 : UnattendedJavaActivityRequest] ERROR com.appiancorp.ps.plugins.amazonS3Utils.UploadObjectsToAmazonS3 - Error while uploading the file to Amazon S3.com.amazonaws.AmazonServiceException: User: arn:aws:iam::124294179439:user/SCP is not authorized to perform: kms:GenerateDataKey on resource: arn:aws:kms:us-east-1:124294179439:key/0484e365-406c-4413-a453-781f530957f8 with an explicit deny in an identity-based policy (Service: AWSKMS; Status Code: 400; Error Code: AccessDeniedException; Request ID: 62e8514c-07a3-4602-b69d-af6243236224) at com.amazonaws.http.AmazonHttpClient.handleErrorResponse(AmazonHttpClient.java:1275) at com.amazonaws.http.AmazonHttpClient.executeOneRequest(AmazonHttpClient.java:873)
Looking at these errors, I do not think this is a plugin issue due to an upgrade. The second error easily points to a permissions setup on S3 - you need to check the authorization for account SCP. The first one is a bit more tricky but also likely due to an account issue; it could be that the key expired, or maybe even the account itself. That's where I would check first.
Thanks Mike. We are starting to look at other places that might be causing the issue.
Also, check the box in the admin console to ensure the plugin has access to the credentials that are specified. While unlikely, it's possible the upgrade removed that permission.
It is not checked. I am encountering the same issue, though, even after I checked the box and gave it a try.
Yeah, check all the permissions on the account and its validity. I would also check any other policies that may restrict access to S3, like allow-lists on IP addresses, etc.
Thanks Mike. We are back up and running again. There were more IPs that needed to be added to the Whitelist on the S3.
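Added example, not part of the thread and not Appian or plug-in code: a small Python triage script for the two AWS SDK error formats quoted above. It separates a credential problem (UnrecognizedClientException) from an explicit policy deny (AccessDeniedException) and extracts the principal, action and resource to review. The sample lines and every identifier in them are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed sample lines in the AWS SDK for Java message format quoted in the thread.
# Account ID, user name, key ID and request IDs are placeholders, not values from the thread.
SAMPLE_LOG = """\
2022-01-01 06:01:29,719 [exec-1] ERROR example.Upload - Error while uploading the file to Amazon S3. com.amazonaws.AmazonServiceException: The security token included in the request is invalid. (Service: AWSKMS; Status Code: 400; Error Code: UnrecognizedClientException; Request ID: 00000000-0000-0000-0000-000000000001)
2022-01-01 16:07:43,697 [exec-2] ERROR example.Upload - Error while uploading the file to Amazon S3.com.amazonaws.AmazonServiceException: User: arn:aws:iam::111122223333:user/example-user is not authorized to perform: kms:GenerateDataKey on resource: arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID with an explicit deny in an identity-based policy (Service: AWSKMS; Status Code: 400; Error Code: AccessDeniedException; Request ID: 00000000-0000-0000-0000-000000000002)
"""

# Trailer the SDK appends to every service exception message.
TRAILER = re.compile(
    r"\(Service: (?P<service>[^;]+); Status Code: (?P<status>\d+); "
    r"Error Code: (?P<code>[^;]+); Request ID: (?P<request_id>[^)]+)\)")

# Authorization failure sentence; the "explicit deny" clause is optional.
DENIED = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: (?P<action>\S+)"
    r" on resource: (?P<resource>\S+)"
    r"(?: with an explicit deny in an? (?P<deny_source>.+?) policy)?")


def triage(line):
    """Return the parsed fields plus a 'check' hint, or None if not an AWS error line."""
    trailer = TRAILER.search(line)
    if not trailer:
        return None
    finding = trailer.groupdict()
    denied = DENIED.search(line)
    if denied:
        finding.update(denied.groupdict())
    code = finding["code"]
    if code == "UnrecognizedClientException":
        finding["check"] = "credentials: key invalid, expired, or not readable by the caller"
    elif code == "AccessDeniedException" and finding.get("deny_source"):
        finding["check"] = (f"explicit Deny in {finding['deny_source']} policy: review Deny "
                            f"statements and their conditions for {finding['principal']}")
    elif code == "AccessDeniedException":
        finding["check"] = "no explicit deny reported: look for a missing Allow"
    else:
        finding["check"] = "unclassified"
    return finding


def triage_log(text):
    return [f for f in (triage(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f["request_id"], f["service"], f["code"], "->", f["check"])
```

An explicit deny wins over any Allow, so the second class of error persists until the Deny statement or its condition (an IP allow-list, as in this thread) is corrected.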