Scan tag fails with The security token included in the request is invalid
Issue:
When doing scan tag for for a region that requires opt-in (region that needs enabling in AWS, ap-southeast-4 for example) and using N2WS Account with assume role, both source and target account need to have the region enabled.
Failing to do so, will result in the tag scan failing for that region. For example
Solution:
You can view list of regions the requires opt-in here: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html
If you have configured N2WS to scan one of this regions, make sure your AWS Admin enable the region in both source and target account.
Related Articles
FLR or Copy to S3 with Exception: could not assume role
Issues: When doing file level recovery(FLR) or copy to S3 operation in the same account, N2WS might need to assume its own role to generate a token for the worker, this could lead to the below error ERROR: ...N2WS-22672 - Tag scan fails with error "list index out of range"
Issue: Tag scan fails with the following error in cpm_scan.log log Traceback (most recent call last): File "./cpmserver/cpm/backup_tag.py", line 358, in scan_for_aws_resources File "./cpmserver/cpm/aws_utils.py", line 3100, in ...EFS - cross account tag scan may fail with Error: Invalid IAM role ARN
When adding EFS to a policy via a tag, it may fail with one of the following errors: (tag for example: efstesting+vault=n2ws+exp_opt=D+exp_opt_val=30+role_arn=arn:aws:iam::12345678:role/CPM) Critical Error - Can't update EFS to backup targets. Error: ...CPM may not retry Tag Scanning if scanning fails due to RequestLimitExceeded
If Tag scanning is triggered and fails due to RequestLimitExceeded, an alert is generated and no retry is scheduled. Please search for the below print in the server log: ERROR: scan_resources(backup_tag.py:<line_number)) Failed getting <resources> ...Permission check may fail with an error "Could not assume role"
Issue: Permission check may fail with this error message: ERROR: get_assume_role_credentials(aws_utils.py:1337) Could not assume role arn arn:<AWS account ARN:RoleName> from account <CPM Account> (<CPM user>), reason User arn:<AWS account ARN:IAM ...