Fixing aws-maven Issue with “Access Denied”

Posted by & filed under , .

maventxt_logo_200I’ve been using the aws-maven plugin for a while now to deploy Maven artifacts to S3. Typically I’ll use the Maven Archiver plugin to package the projects in some sort of tarball then use aws-maven to upload this to S3. From there on regardless of the deployment tools I use on our production servers I can simply use some script to download the tarball and unpackage it on the server — and maybe even run some (packaged) scripts — to install the software in production.

And also typically in this scenario I’ll use the archiver and aws-maven in the context of the Maven Release plugin — so after all tests have passed and I’m ready to release a version I simply use mvn release:prepare and mvn release:perform — this packages the software (via Maven Archiver) and then copies the tarball to S3 (via aws-maven).

And having set this up life got easy in terms of the release cycle — until recently I’ve encountered this error when doing mvn release:perform: Access Denied!

I’ve thought for a second perhaps I’ve typed something wrong in my pom.xml or in the Maven settings.xml — but having checked again all was ok and as such I couldn’t blame this on misconfiguration. Even more so, I’ve checked the access and secret key used in settings.xml and they work perfectly fine with s3cmd — so it wasn’t a matter of the actual credentials being wrong either. After a lot of digging around it turned out to be a small entry in settings.xml that did it — and I’m going to reveal it in this post.

Here’s the standard setup for aws-maven in pom.xml (I’m only including the relevant parts):

...
    <distributionManagement>
        <repository>
            <id>aws-release</id>
            <name>AWS Release Repository</name>
            <url>s3://bucket-name/release</url>
        </repository>
        <snapshotRepository>
            <id>aws-snapshot</id>
            <name>AWS Snapshot Repository</name>
            <url>s3://bucket-name/snapshot</url>
        </snapshotRepository>
    </distributionManagement>
...
    <repositories>
        <repository>
            <id>aws-release</id>
            <name>AWS Release Repository</name>
            <url>s3://bucket-name/release</url>
        </repository>
        <repository>
            <id>aws-snapshot</id>
            <name>AWS Snapshot Repository</name>
            <url>s3://bucket-name/snapshot</url>
        </repository>
        ...
    </repositories>
...
    <build>
        <extensions>
            <extension>
                <groupId>org.springframework.build</groupId>
                <artifactId>aws-maven</artifactId>
                <version>4.8.0.RELEASE</version>
            </extension>
            ...    
        </extensions>
...
 ...

As you can see in the above configuration we’re defining 2 repositories — one for snapshots, one for “proper” releases — both of them inside the same S3 bucket (bucket-name). We set our distribution management to use these 2 repos and reference the aws-maven plugin in the <build> section.

Then to define the credentials used for accessing the S3 bucket, simply define the same repository entries in settings.xml :

...
<servers>
      <!-- For AWS use access key in username and secrete key in passphrase -->
        <server>
            <id>aws-release</id>
            <username>aws access key</username>
            <passphrase>aws secret key</passphrase>
        </server>
        <server>
            <id>aws-snapshot</id>
            <username>aws access key</username>
            <passphrase>aws secret key</passphrase>
        </server>
...
 
</servers>
...

As per aws-maven docco, simply specify the AWS access key in <username> and AWS secret key in <passphrase> and make sure you use the same repository names in here as in the pom.xml and this should do it. And as I said this worked until recently…

Sadly, I haven’t tracked down at which point we changed the version of the aws-maven plugin so not entirely sure which version introduced this issue, but I’m using 4.8.0.RELEASE and this is exhibiting the issue I’ve mentioned. So chances are it applies to all versions from 4.8.0.RELEASE onwards.

The issue is that this plugin started reporting “Access Denied [Help 1]” — and inspecting the configuration this wasn’t due to misconfiguration or wrong key/access. Also it wasn’t due to any wrong packaging or release — simply issuing mvn deploy renders the same issue.

It turns out to fix this I need an extra element defined in each <server> element in settings.xml: <privateKey> ! I had to reconfigure my settings.xml as follows:

...
<servers>
      <!-- For AWS use access key in username and secrete key in passphrase -->
        <server>
            <id>aws-release</id>
            <username>aws access key</username>
            <privateKey>${user.home}/.ssh/id_rsa</privateKey>
            <passphrase>aws secret key</passphrase>
        </server>
        <server>
            <id>aws-snapshot</id>
            <username>aws access key</username>
            <privateKey>${user.home}/.ssh/id_rsa</privateKey>
            <passphrase>aws secret key</passphrase>
        </server>
...
 
</servers>
...

The entry is a dummy one — the RSA private key actually exists in my case but it’s not used at all for Amazon/EC2/S3 access, however it seems without it the plugin fails and it displays some standard error, hence “Access Denied” 🙁

So if you encounter the same issue with your aws-maven just add the above entry in each of your S3 repos managed through it and re-run it — this seems to do it!

5 Responses to “Fixing aws-maven Issue with “Access Denied””

  1. Bob

    Thank you, thank you, thank you!

  2. ofreshy

    Woohoo , it worked ! Well, at least it managed to access ceres 🙂

  3. Liv

    Wow, I never thought this to be such a widespread issue for once.
    Secondly, Offer, you’re telling me that Magnetic is still running the old Cognitive Match CERES system? Man! 🙂

  4. David

    How did you generated private key for s3? i’m using Mac and don’t know to do it.

  5. Liv

    @David: you download the keys generated by Amazon for you from the AWS console.

Leave a Reply

Your email address will not be published.