Enabling repository-s3 plugin to backup ES snapshots to S3

rajsuper2021 · October 26, 2021, 6:30am

I am running Elasticsearch on EKS, I have enabled the repository-s3 plugin via efk Elasticsearch resource.

I am seeing this in the efk logs though:


{"type": "server", "timestamp": "2021-10-26T06:13:18,861Z", "level": "WARN", "component": "c.a.s.s.i.UseArnRegionResolver", "cluster.name": "efk", "node.name": "efk-es-logging-cluster", "message": "Unable to load config file null", "cluster.uuid": "xxxxxxxx", "node.id": "xxxxxxxx" ,

"stacktrace": ["java.security.AccessControlException: access denied (\"java.io.FilePermission\" \"/usr/share/elasticsearch/.aws/config\" \"read\")",

"at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472) ~[?:?]",

"at java.security.AccessController.checkPermission(AccessController.java:1036) ~[?:?]",

"at java.lang.SecurityManager.checkPermission(SecurityManager.java:408) ~[?:?]",

"at java.lang.SecurityManager.checkRead(SecurityManager.java:747) ~[?:?]",

"at java.io.File.exists(File.java:818) ~[?:?]",

"at com.amazonaws.profile.path.config.SharedConfigDefaultLocationProvider.getLocation(SharedConfigDefaultLocationProvider.java:36) ~[aws-java-sdk-core-1.11.749.jar:?]",

"at com.amazonaws.profile.path.AwsProfileFileLocationProviderChain.getLocation(AwsProfileFileLocationProviderChain.java:41) ~[aws-java-sdk-core-1.11.749.jar:?]",

"at com.amazonaws.services.s3.internal.UseArnRegionResolver.getProfilesConfigFile(UseArnRegionResolver.java:110) [aws-java-sdk-s3-1.11.749.jar:?]",

"at com.amazonaws.services.s3.internal.UseArnRegionResolver.getProfile(UseArnRegionResolver.java:96) [aws-java-sdk-s3-1.11.749.jar:?]",

"at com.amazonaws.services.s3.internal.UseArnRegionResolver.profile(UseArnRegionResolver.java:76) [aws-java-sdk-s3-1.11.749.jar:?]",

"at com.amazonaws.services.s3.internal.UseArnRegionResolver.resolveUseArnRegion(UseArnRegionResolver.java:64) [aws-java-sdk-s3-1.11.749.jar:?]",

"at com.amazonaws.services.s3.internal.UseArnRegionResolver.<init>(UseArnRegionResolver.java:53) [aws-java-sdk-s3-1.11.749.jar:?]",

"at com.amazonaws.services.s3.internal.UseArnRegionResolver.<init>(UseArnRegionResolver.java:48) [aws-java-sdk-s3-1.11.749.jar:?]",

"at com.amazonaws.services.s3.AmazonS3Client.<clinit>(AmazonS3Client.java:435) [aws-java-sdk-s3-1.11.749.jar:?]",

"at com.amazonaws.services.s3.AmazonS3Builder$1.apply(AmazonS3Builder.java:35) [aws-java-sdk-s3-1.11.749.jar:?]",

"at com.amazonaws.services.s3.AmazonS3Builder$1.apply(AmazonS3Builder.java:32) [aws-java-sdk-s3-1.11.749.jar:?]",

"at com.amazonaws.services.s3.AmazonS3ClientBuilder.build(AmazonS3ClientBuilder.java:64) [aws-java-sdk-s3-1.11.749.jar:?]",

"at com.amazonaws.services.s3.AmazonS3ClientBuilder.build(AmazonS3ClientBuilder.java:28) [aws-java-sdk-s3-1.11.749.jar:?]",

"at com.amazonaws.client.builder.AwsSyncClientBuilder.build(AwsSyncClientBuilder.java:46) [aws-java-sdk-core-1.11.749.jar:?]",

"at java.security.AccessController.doPrivileged(AccessController.java:312) [?:?]",

"at org.elasticsearch.repositories.s3.SocketAccess.doPrivileged(SocketAccess.java:42) [repository-s3-7.9.2.jar:7.9.2]",

"at org.elasticsearch.repositories.s3.S3Service.buildClient(S3Service.java:164) [repository-s3-7.9.2.jar:7.9.2]",

"at org.elasticsearch.repositories.s3.S3Service.client(S3Service.java:96) [repository-s3-7.9.2.jar:7.9.2]",

"at org.elasticsearch.repositories.s3.S3BlobStore.clientReference(S3BlobStore.java:125) [repository-s3-7.9.2.jar:7.9.2]",

"at org.elasticsearch.repositories.s3.S3BlobContainer.executeSingleUpload(S3BlobContainer.java:355) [repository-s3-7.9.2.jar:7.9.2]",

"at org.elasticsearch.repositories.s3.S3BlobContainer.lambda$writeBlob$1(S3BlobContainer.java:131) [repository-s3-7.9.2.jar:7.9.2]",

"at java.security.AccessController.doPrivileged(AccessController.java:554) [?:?]",

"at org.elasticsearch.repositories.s3.SocketAccess.doPrivilegedIOException(SocketAccess.java:48) [repository-s3-7.9.2.jar:7.9.2]",

"at org.elasticsearch.repositories.s3.S3BlobContainer.writeBlob(S3BlobContainer.java:129) [repository-s3-7.9.2.jar:7.9.2]",

"at org.elasticsearch.repositories.blobstore.BlobStoreRepository.verify(BlobStoreRepository.java:2164) [elasticsearch-7.9.2.jar:7.9.2]",

"at org.elasticsearch.repositories.VerifyNodeRepositoryAction.doVerify(VerifyNodeRepositoryAction.java:128) [elasticsearch-7.9.2.jar:7.9.2]",

"at org.elasticsearch.repositories.VerifyNodeRepositoryAction.access$400(VerifyNodeRepositoryAction.java:49) [elasticsearch-7.9.2.jar:7.9.2]",

"at org.elasticsearch.repositories.VerifyNodeRepositoryAction$VerifyNodeRepositoryRequestHandler.messageReceived(VerifyNodeRepositoryAction.java:160) [elasticsearch-7.9.2.jar:7.9.2]",

"at org.elasticsearch.repositories.VerifyNodeRepositoryAction$VerifyNodeRepositoryRequestHandler.messageReceived(VerifyNodeRepositoryAction.java:155) [elasticsearch-7.9.2.jar:7.9.2]",

"at org.elasticsearch.xpack.security.transport.SecurityServerTransportInterceptor$ProfileSecuredRequestHandler$1.doRun(SecurityServerTransportInterceptor.java:257) [x-pack-security-7.9.2.jar:7.9.2]",

"at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37) [elasticsearch-7.9.2.jar:7.9.2]",

"at org.elasticsearch.common.util.concurrent.EsExecutors$DirectExecutorService.execute(EsExecutors.java:226) [elasticsearch-7.9.2.jar:7.9.2]",

"at org.elasticsearch.xpack.security.transport.SecurityServerTransportInterceptor$ProfileSecuredRequestHandler.lambda$messageReceived$0(SecurityServerTransportInterceptor.java:306) [x-pack-security-7.9.2.jar:7.9.2]",

"at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:63) [elasticsearch-7.9.2.jar:7.9.2]",

"at org.elasticsearch.xpack.security.authz.AuthorizationService.authorizeSystemUser(AuthorizationService.java:401) [x-pack-security-7.9.2.jar:7.9.2]",

"at org.elasticsearch.xpack.security.authz.AuthorizationService.authorize(AuthorizationService.java:205) [x-pack-security-7.9.2.jar:7.9.2]",

"at org.elasticsearch.xpack.security.transport.ServerTransportFilter$NodeProfile.lambda$inbound$1(ServerTransportFilter.java:129) [x-pack-security-7.9.2.jar:7.9.2]",

"at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:63) [elasticsearch-7.9.2.jar:7.9.2]",

"at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$authenticateAsync$2(AuthenticationService.java:323) [x-pack-security-7.9.2.jar:7.9.2]",

"at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$lookForExistingAuthentication$6(AuthenticationService.java:384) [x-pack-security-7.9.2.jar:7.9.2]",

"at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lookForExistingAuthentication(AuthenticationService.java:395) [x-pack-security-7.9.2.jar:7.9.2]",

"at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.authenticateAsync(AuthenticationService.java:320) [x-pack-security-7.9.2.jar:7.9.2]",

"at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.access$000(AuthenticationService.java:261) [x-pack-security-7.9.2.jar:7.9.2]",

"at org.elasticsearch.xpack.security.authc.AuthenticationService.authenticate(AuthenticationService.java:173) [x-pack-security-7.9.2.jar:7.9.2]",

"at org.elasticsearch.xpack.security.transport.ServerTransportFilter$NodeProfile.inbound(ServerTransportFilter.java:120) [x-pack-security-7.9.2.jar:7.9.2]",

"at org.elasticsearch.xpack.security.transport.SecurityServerTransportInterceptor$ProfileSecuredRequestHandler.messageReceived(SecurityServerTransportInterceptor.java:313) [x-pack-security-7.9.2.jar:7.9.2]",

"at org.elasticsearch.transport.RequestHandlerRegistry.processMessageReceived(RequestHandlerRegistry.java:72) [elasticsearch-7.9.2.jar:7.9.2]",

"at org.elasticsearch.transport.InboundHandler$RequestHandler.doRun(InboundHandler.java:263) [elasticsearch-7.9.2.jar:7.9.2]",

"at org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingAbstractRunnable.doRun(ThreadContext.java:737) [elasticsearch-7.9.2.jar:7.9.2]",

"at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37) [elasticsearch-7.9.2.jar:7.9.2]",

"at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130) [?:?]",

"at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630) [?:?]",

"at java.lang.Thread.run(Thread.java:832) [?:?]"] }

is this a known issue? something to worry about?

warkolm · October 26, 2021, 8:14am

What is the permissions on that file?

rajsuper2021 · October 26, 2021, 4:20pm

warkolm:

What is the permissions on that file?

The file "~/.aws/config" doesn't exist on the elasticsearch pod

system · November 23, 2021, 4:21pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.