Bigfix v10 web UI Cloud Plugin

When pushing the fixlet “Install BigFix Plugin for AWS Discovery - version 1.1.59”, the prefetch fails. I confirmed that in my web browser, the download returns a 404.

AWSAssetDiscoveryPlugin.1.1.59.inspectors
Failed
[-]
[+] Download error: "Unexpected HTTP response: 404 Not Found"
Download requested on server:
URL: http://software.bigfix.com/download/bes/100/AWSAssetDiscoveryPlugin.1.1.59.inspectors
Hash: (sha1)faa3ac910c49fcf28834fdc0b42b65d975c10ca2
Size:
Next retry: 6 minutes. Retry now

AWSAssetDiscoveryPlugin.1.1.59.dll
Failed
[-]
[+] Download error: "Unexpected HTTP response: 404 Not Found"
Download requested on server:
URL: http://software.bigfix.com/download/bes/100/AWSAssetDiscoveryPlugin.1.1.59.dll
Hash: (sha1)efd36542e23a8569e285459f57ce23bcef4f5c56
Size:
Next retry: 6 minutes. Retry now

AWSAssetDiscoveryPlugin.1.1.59.inspectors
Failed
[-]
[+] Download error: "Unexpected HTTP response: 404 Not Found"
Download requested on server:
URL: http://software.bigfix.com/download/bes/100/AWSAssetDiscoveryPlugin.1.1.59.inspectors
Hash: (sha1)faa3ac910c49fcf28834fdc0b42b65d975c10ca2
Size:
Next retry: 6 minutes. Retry now

AWSAssetDiscoveryPlugin.1.1.59.so
Failed
[-]
[+] Download error: "Unexpected HTTP response: 404 Not Found"
Download requested on server:
URL: http://software.bigfix.com/download/bes/100/AWSAssetDiscoveryPlugin.1.1.59.so
Hash: (sha1)bbae9b3c2d0c4c9e5b413bf2d182e3f936df6492
Size:
Next retry: 6 minutes. Retry now


seems to be working now. Thanks for fixing it.


Yes, there was a temporary issue with those files on our servers, but it’s fixed now. Sorry for the inconvenience.


Is there documentation as to what permissions are needed within AWS for the discovery to occur? With the AWS CLI I am able to describe-instances, but when I use the same credentials in the AWS plugin, I get auth errors:

2020/04/02 18:45:01 - [debug] Getting all available regions
2020/04/02 18:45:03 - [error] Got error calling DescribeRegions:  AuthFailure: AWS was not able to validate the provided access credentials
	status code: 401, request id: xxxxx
2020/04/02 18:45:03 - [debug] AWS Full Discovery for 'xxxx' GetAvailableRegions failed with error: AuthFailure: AWS was not able to validate the provided access credentials
	status code: 401, request id: xxxx
2020/04/02 18:45:03 - [error] Refresh all: Error occurred while scanning provider with credentials set 'xxxx': AuthFailure: AWS was not able to validate the provided access credentials
	status code: 401, request id: xxxx
2020/04/02 18:45:03 - [error] Refresh all: user with label 'xxxx' failed to create a valid login session, skipping

Minimum permission would be allowing action ec2:Describe* on resource *

As you’re able to describe instances using the AWS CLI, you should already have the minimum permission, so in this case the 401 error might be due to the clock of the computer where the AWS plugin is installed not being accurate (tolerance is +/- 5 minutes from the exact time).

Here’s an AWS page where this circumstance is described (look at the first Note).

I’ll review BigFix 10 documentation and have this information included if still missing.

clock seems right on the endpoint running the plugin

Current time is 04/02/2020 20:56:19.11

Is Timezone/GMT-offset consistent with time?

If so, then it could be a question of permissions. Is the user allowed action ec2:Describe* on resource * ?

Timezone seems right. I’ll look into the permissions.
Is there a way to force a discovery rather than waiting the defined interval time?

But also based on the error, it says “GetAvailableRegions failed”. Is that a different AWS permission?
2020/04/02 21:45:02 - [debug] AWS Full Discovery for ‘xxxxx’ GetAvailableRegions failed with error: AuthFailure: AWS was not able to validate the provided access credentials

In order to force the discovery, you may recycle the BES Plugin Portal service, as the first discovery happens right after startup.

AWS plugin needs ec2:Describe* permissions, which includes ec2:DescribeRegions, so if your user has that you shouldn’t be getting that error on GetAvailableRegions.

If you want to take advantage of a predefined AWS policy, AmazonEC2ReadOnlyAccess has everything the AWS plugin needs (and slightly more).

I looked at my IAM role and it does have ReadOnly policy with EC2 listed. I created HCL CS0106188 to investigate.

I think my issue is that, just to test, I was using my IAM role that uses a session token, but the Cloud plugin doesn’t allow for a token. So I need to get credentials that don’t require a session token.

Correct, the AWS plugin won’t support the temporary security credentials + security (session) token generated when assuming an IAM role.

AWS plugin must be configured with an Access key ID / Secret access key pair associated to an IAM user.

I will make sure this is properly explained in BigFix 10 documentation.
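The three points the answers above settle (only an IAM user's long-term key pair is accepted, the host clock must be within +/- 5 minutes of AWS time, and ec2:Describe* on resource * is the minimum permission) can be checked before the plugin is configured. The following Python script is an added example and is not code from this thread, from the plugin, or from HCL. It assumes, beyond what the thread states, that IAM user access key IDs start with "AKIA" and STS temporary key IDs with "ASIA" (20 characters each) and that secret keys are 40 characters; the sample key pair is AWS's documented example pair and the Date header is constructed.

```python
import json
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Assumption (not stated in the thread): IAM user access key IDs begin with
# "AKIA", STS temporary credentials (assumed roles, session tokens) with "ASIA";
# both are 20 characters, and the secret access key is 40 characters.
LONG_TERM_KEY_RE = re.compile(r"^AKIA[0-9A-Z]{16}$")
TEMPORARY_KEY_RE = re.compile(r"^ASIA[0-9A-Z]{16}$")

# Clock tolerance AWS applies to request signatures, as quoted in the thread.
MAX_CLOCK_SKEW = timedelta(minutes=5)


def check_credential_set(access_key_id, secret_access_key, session_token=None):
    """Return the reasons this credential set would fail the plugin's login.

    The plugin only accepts a long-term access key / secret key pair of an IAM
    user, so anything that came from assuming a role is rejected up front.
    """
    problems = []
    if session_token:
        problems.append("session token supplied: the plugin does not support temporary credentials")
    if TEMPORARY_KEY_RE.match(access_key_id):
        problems.append("access key ID is an STS temporary key (ASIA...), not an IAM user key")
    elif not LONG_TERM_KEY_RE.match(access_key_id):
        problems.append("access key ID does not look like an IAM user key (AKIA + 16 characters)")
    if len(secret_access_key) != 40:
        problems.append("secret access key is not 40 characters long")
    return problems


def clock_skew(local_now, server_date_header):
    """Offset of the plugin host's clock (tz-aware) from an AWS HTTP Date header.

    Every HTTPS response from an AWS endpoint carries a Date header; comparing
    it with the local clock exposes the skew that makes signed requests fail.
    """
    server_time = parsedate_to_datetime(server_date_header)
    return local_now.astimezone(timezone.utc) - server_time


def clock_within_tolerance(local_now, server_date_header):
    return abs(clock_skew(local_now, server_date_header)) <= MAX_CLOCK_SKEW


def minimum_plugin_policy():
    """IAM policy document for the thread's stated minimum: ec2:Describe* on *."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}],
    }


if __name__ == "__main__":
    # Constructed sample input: AWS's documented example key pair (not real keys).
    sample_key = "AKIAIOSFODNN7EXAMPLE"
    sample_secret = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
    print("IAM user key pair:", check_credential_set(sample_key, sample_secret) or "ok")
    print("assumed-role credentials:",
          check_credential_set("ASIA" + sample_key[4:], sample_secret, session_token="FwoGZXIvYXdzEXAMPLE"))
    # Constructed: local clock at the time quoted in the thread vs a server Date
    # header six minutes behind it, which is outside the +/- 5 minute window.
    local = datetime(2020, 4, 2, 20, 56, 19, tzinfo=timezone.utc)
    header = "Thu, 02 Apr 2020 20:50:00 GMT"
    print("clock skew:", clock_skew(local, header), "within tolerance:", clock_within_tolerance(local, header))
    print(json.dumps(minimum_plugin_policy(), indent=2))
```

The policy document is the thread's stated minimum; the predefined AmazonEC2ReadOnlyAccess policy mentioned above is the alternative when a managed policy is preferred.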

Why does the BES property “BES Client Version” show “10.0.0.133” from a Cloud Plugin instance in Amazon when there is no bigfix agent installed?


In the case of a proxied computer, that version is the version of the Plugin Portal that is handling the computer. This behavior has been inherited from the Proxy Agent.

The reason behind this design choice is that the Plugin Portal (or the Proxy Agent) processes relevance expressions on behalf of the proxied computers, and so its version tells about the relevance capabilities of the proxied computers.

thanks for the info.

@aginestr can you provide which permissions are needed for Azure too?

The Azure service principal must be assigned the “API Management Service Reader Role”.
UPDATE: The Azure service principal must be assigned the built-in “Reader” role.

Thanks. Please add this to the documentation.

The AWS Cloud Plugin has an Advanced Setting of Proxy URL, but I don’t see that in the Azure Cloud Plugin settings. Was that just missed or is there a reason why the Azure plugin doesn’t allow to use a proxy?

It is possible to have the Azure plugin go through a proxy, but it works differently from AWS. The information below is going to be part of the official BigFix 10 documentation shortly:

How to configure a proxy for Microsoft Azure plugin
In order to have the Microsoft Azure plugin go through a proxy, it is necessary to configure the proxy at system level using the http_proxy and https_proxy environment variables.


Based on this error do you think this is a proxy issue?

2020/04/14 19:39:16 - [debug] Getting Resource Groups
2020/04/14 19:48:46 - [debug] Azure Full Discovery for 'xxxxx' failed getting Resource Groups with error: azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://management.azure.com/subscriptions/xxxxx/resourcegroups?api-version=2019-05-01: StatusCode=0 -- Original Error: adal: Failed to execute the refresh request. Error = 'Post https://login.microsoftonline.com/xxxxx/oauth2/token?api-version=1.0: dial tcp 40.126.0.69:443: i/o timeout'
2020/04/14 19:48:46 - [error] Refresh all: Error occurred while scanning provider with credentials set 'xxxxx': azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://management.azure.com/subscriptions/xxxxx/resourcegroups?api-version=2019-05-01: StatusCode=0 -- Original Error: adal: Failed to execute the refresh request. Error = 'Post https://login.microsoftonline.com/xxxxx/oauth2/token?api-version=1.0: dial tcp 40.126.0.69:443: i/o timeout'
2020/04/14 19:48:46 - [info] Refresh all: Discovery returned 0 unique devices
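The AWS and Azure plugin logs quoted in this thread share one line format and show two distinct failure signatures: an AWS AuthFailure with HTTP 401 (credentials, clock or permissions) and a Go network error, dial tcp ... i/o timeout, which means the TCP connection to the Azure login endpoint was never established at all. The Python script below is an added example, not part of the thread or of the plugin: it parses that log format, tags each signature with the checks the thread associates with it, and reports which of the http_proxy/https_proxy variables named above are present in a given environment. The sample logs are constructed from the excerpts in this thread (placeholders kept); a connect timeout is consistent with a missing proxy setting in an environment that requires one, but the script is a starting point for that diagnosis, not a verdict.

```python
import os
import re

# Constructed samples built from the log excerpts quoted in this thread.
AWS_LOG = """\
2020/04/02 18:45:01 - [debug] Getting all available regions
2020/04/02 18:45:03 - [error] Got error calling DescribeRegions:  AuthFailure: AWS was not able to validate the provided access credentials
\tstatus code: 401, request id: xxxxx
2020/04/02 18:45:03 - [debug] AWS Full Discovery for 'xxxx' GetAvailableRegions failed with error: AuthFailure: AWS was not able to validate the provided access credentials
\tstatus code: 401, request id: xxxx
2020/04/02 18:45:03 - [error] Refresh all: user with label 'xxxx' failed to create a valid login session, skipping
"""

AZURE_LOG = """\
2020/04/14 19:39:16 - [debug] Getting Resource Groups
2020/04/14 19:48:46 - [debug] Azure Full Discovery for 'xxxxx' failed getting Resource Groups with error: azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://management.azure.com/subscriptions/xxxxx/resourcegroups?api-version=2019-05-01: StatusCode=0 -- Original Error: adal: Failed to execute the refresh request. Error = 'Post https://login.microsoftonline.com/xxxxx/oauth2/token?api-version=1.0: dial tcp 40.126.0.69:443: i/o timeout'
2020/04/14 19:48:46 - [info] Refresh all: Discovery returned 0 unique devices
"""

# "YYYY/MM/DD HH:MM:SS - [level] message"; indented lines continue the previous record.
LOG_LINE_RE = re.compile(r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) - \[(?P<level>\w+)\] (?P<msg>.*)$")
AUTH_FAILURE_RE = re.compile(r"AuthFailure: AWS was not able to validate the provided access credentials")
STATUS_RE = re.compile(r"status code: (?P<code>\d+)")
DIAL_TIMEOUT_RE = re.compile(r"dial tcp (?P<addr>\S+): i/o timeout")
TARGET_URL_RE = re.compile(r"Post (?P<url>https?://\S+?):\s*dial tcp")

# The checks the thread associates with each signature.
HINTS = {
    "aws-auth-failure": "host clock within +/- 5 min of AWS time, ec2:Describe* on *, "
                        "and an IAM user key pair without a session token",
    "tcp-connect-timeout": "the TCP connect never completed: verify egress to the address and, "
                           "if a proxy is required, http_proxy/https_proxy in the plugin's environment",
}


def parse_log(text):
    """Group log lines into records, folding indented continuation lines into the message."""
    records = []
    for raw in text.splitlines():
        m = LOG_LINE_RE.match(raw)
        if m:
            records.append({"ts": m["ts"], "level": m["level"], "msg": m["msg"]})
        elif records and raw.strip():
            records[-1]["msg"] += " " + raw.strip()
    return records


def classify(record):
    """Map one record to a failure category plus the detail worth reporting, or None."""
    msg = record["msg"]
    if AUTH_FAILURE_RE.search(msg):
        status = STATUS_RE.search(msg)
        return {"category": "aws-auth-failure", "detail": f"HTTP {status['code']}" if status else None}
    timeout = DIAL_TIMEOUT_RE.search(msg)
    if timeout:
        url = TARGET_URL_RE.search(msg)
        target = url["url"] if url else "unknown URL"
        return {"category": "tcp-connect-timeout", "detail": f"{timeout['addr']} ({target})"}
    return None


def triage(text):
    """Return the records that match a known signature, each with its hint attached."""
    findings = []
    for rec in parse_log(text):
        c = classify(rec)
        if c:
            findings.append({**rec, **c, "hint": HINTS[c["category"]]})
    return findings


def proxy_env_configured(env=None):
    """Which proxy variables the plugin process would see (both case variants are common)."""
    env = os.environ if env is None else env
    return {name: env[name] for name in ("http_proxy", "https_proxy", "HTTP_PROXY", "HTTPS_PROXY") if name in env}


if __name__ == "__main__":
    for name, log in (("AWS", AWS_LOG), ("Azure", AZURE_LOG)):
        for f in triage(log):
            print(f"{name} {f['ts']} [{f['level']}] {f['category']}: {f['detail']}\n  check: {f['hint']}")
    print("proxy variables set for this process:", proxy_env_configured() or "none")
```

Run it on the service account's environment rather than an interactive shell: the variables must be visible to the process that runs the plugin, which is what the last line reports.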