Unable to enable programmic access for CloudNGFW

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Unable to enable programmic access for CloudNGFW

L1 Bithead

https://pan.dev/cloudngfw/aws/api/

https://github.com/PaloAltoNetworks/cloud-ngfw-aws-examples

 using the Git Repo's get_pa_token.py I get the following error

 

Traceback (most recent call last):
File "C:\Users\xxxxx\cloud-ngfw-aws-examples\programmatic_access\get_pa_token.py", line 138, in <module>
assert resp_dict['ResponseStatus']['ErrorCode'] == 0
AssertionError

 

I can't get further to get this setup.

4 REPLIES 4

L1 Bithead

I ran the get_pa_token.py with the debug flag, and I get this:

 

PROG_ACC_LOGGER : [DEBUG] 2022-08-20T15:23:08.533Z ResponseText: {"ResponseStatus": {"ErrorCode": 1, "Reason": "Account is not successfully onboarded by FMS. Programmatic Access for CloudNGFWGlobalRulestackAdmin role is not supported."}} |- get_pa_token:134
Traceback (most recent call last):
File "C:\Users\Dwight\cloud-ngfw-aws-examples\programmatic_access\get_pa_token.py", line 138, in <module>
assert resp_dict['ResponseStatus']['ErrorCode'] == 0
AssertionError

 

 

Not sure where to go from here.

L1 Bithead

I've gotten further by specifying the cloudrulestackadmin role instead of the cloudglobalrulestackadmin in the get_pa_token.py call. But I get a 403 forbidden when I run the curl command in step 10 of https://pan.dev/cloudngfw/aws/api/

What am I missing?

 Ultimately, I'm trying to push the firewall rules via terraform, but the setup in https://medium.com/palo-alto-networks-developer-blog/the-developers-guide-to-palo-alto-networks-clou... isn't working and I get the following

 

 │ Error: InvalidClientTokenId: The security token included in the request is invalid.
│ status code: 403, request id: e8b9428f-0ec4-48ef-a876-aaf616ad0aa1

│ with provider["registry.terraform.io/paloaltonetworks/cloudngfwaws"],
│ on PA-Cloud-NGFW.tf line 23, in provider "cloudngfwaws":
│ 23: provider "cloudngfwaws" {

Hello @DwighAwesome,

 

Greetings from Palo Alto Networks!


Error “… (InvalidClientTokenId) …: The security token included in the request is invalid“
This error occurs when the user failed to pass authentication. Either the appropriate user is not active or user access keys are not valid.
 

Resolve authentication issues by following steps:

       > ensure that the AWS keys repository variables used in the repository are valid, accurate, and contain no spaces or typos


       >ensure that the corresponding user is active in the AWS console


Note: HTTP Status Code: 403 - The request must contain either a valid (registered) AWS access key ID or X.509 certificate.
 


Thanks and Regards,
Gopinath Sekar
Product Specialist
Palo Alto Networks
https://live.paloaltonetworks.com/t5/cloud-ngfw-discussions/bd-p/Cloud_NGFW_Discussion.
*Don’t forget to accept the solution provided!*

Hi @DwightAwesome! Were you able to solve this? Just got the same error

  • 2816 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!