topic Re: Unable to enable programmic access for CloudNGFW in Cloud NGFW for AWS Discussions

Unable to enable programmic access for CloudNGFW

DwightAwesome — Fri, 19 Aug 2022 02:07:54 GMT

https://github.com/PaloAltoNetworks/cloud-ngfw-aws-examples

using the Git Repo's get_pa_token.py I get the following error

Traceback (most recent call last):
File "C:\Users\xxxxx\cloud-ngfw-aws-examples\programmatic_access\get_pa_token.py", line 138, in <module>
assert resp_dict['ResponseStatus']['ErrorCode'] == 0
AssertionError

I can't get further to get this setup.

Re: Unable to enable programmic access for CloudNGFW

DwightAwesome — Sat, 20 Aug 2022 19:27:39 GMT

I ran the get_pa_token.py with the debug flag, and I get this:

PROG_ACC_LOGGER : [DEBUG] 2022-08-20T15:23:08.533Z ResponseText: {"ResponseStatus": {"ErrorCode": 1, "Reason": "Account is not successfully onboarded by FMS. Programmatic Access for CloudNGFWGlobalRulestackAdmin role is not supported."}} |- get_pa_token:134
Traceback (most recent call last):
File "C:\Users\Dwight\cloud-ngfw-aws-examples\programmatic_access\get_pa_token.py", line 138, in <module>
assert resp_dict['ResponseStatus']['ErrorCode'] == 0
AssertionError

Not sure where to go from here.

Re: Unable to enable programmic access for CloudNGFW

DwightAwesome — Sat, 20 Aug 2022 20:27:39 GMT

I've gotten further by specifying the cloudrulestackadmin role instead of the cloudglobalrulestackadmin in the get_pa_token.py call. But I get a 403 forbidden when I run the curl command in step 10 of https://pan.dev/cloudngfw/aws/api/

What am I missing?

Ultimately, I'm trying to push the firewall rules via terraform, but the setup in https://medium.com/palo-alto-networks-developer-blog/the-developers-guide-to-palo-alto-networks-cloud-ngfw-for-aws-b8c39c3b9228 isn't working and I get the following

│ Error: InvalidClientTokenId: The security token included in the request is invalid.
│ status code: 403, request id: e8b9428f-0ec4-48ef-a876-aaf616ad0aa1
│
│ with provider["registry.terraform.io/paloaltonetworks/cloudngfwaws"],
│ on PA-Cloud-NGFW.tf line 23, in provider "cloudngfwaws":
│ 23: provider "cloudngfwaws" {

Re: Unable to enable programmic access for CloudNGFW

gsekar — Tue, 23 Aug 2022 00:35:04 GMT

Hello @DwighAwesome,

Greetings from Palo Alto Networks!

Error “… (InvalidClientTokenId) …: The security token included in the request is invalid“
This error occurs when the user failed to pass authentication. Either the appropriate user is not active or user access keys are not valid.

Resolve authentication issues by following steps:

> ensure that the AWS keys repository variables used in the repository are valid, accurate, and contain no spaces or typos

>ensure that the corresponding user is active in the AWS console

Note: HTTP Status Code: 403 - The request must contain either a valid (registered) AWS access key ID or X.509 certificate.

Thanks and Regards,
Gopinath Sekar
Product Specialist
Palo Alto Networks
https://live.paloaltonetworks.com/t5/cloud-ngfw-discussions/bd-p/Cloud_NGFW_Discussion.
*Don’t forget to accept the solution provided!*

Re: Unable to enable programmic access for CloudNGFW

YUsachou — Wed, 22 Nov 2023 13:10:36 GMT

Hi @DwightAwesome! Were you able to solve this? Just got the same error