Description

When the MID configuration parameter "mid.aws.instance_profile_name" is used and the property "mid.aws.sts.assume_role.disable_credential_caching" is set to true (i.e., credential caching is disabled), a NullPointerException appears in the MID Server logs.

  • Exception:
12/29/19 21:12:01 (019) Worker-Interactive:HorizontalDiscoveryProbe-f4d7e89d130a4c9869f8d2228144b061 DEBUG: resolveCredentialFromIAMInstanceProfile: Accessing temporary credentials from instance meta-data server 'http://169.254.169.254/latest/meta-data/iam/security-credentials/iamAWSDiscoReadOnly'
12/29/19 21:12:01 (034) Worker-Interactive:HorizontalDiscoveryProbe-f4d7e89d130a4c9869f8d2228144b061 WARNING *** WARNING *** java.lang.NullPointerException
Caused by error in MID Server script include 'AwsApiCommand' at line 192

189: if (JSUtil.notNil(instanceProfileName) && isMasterAccount) {
190: optMasterCred = CredentialUtil.resolveCredentialFromIAMInstanceProfile(serviceAccountID, AWS_CREDENTIAL_TTL_MINUTES_MIN_VALUE);
191: } else {
==> 192: optMasterCred = CredentialUtil.resolveCredentialForAccount(serviceAccountID);
193: }
194:
195: if (optMasterCred) {

com.service_now.mid.util.CloudServiceAccountCredentialUtil.resolveCredentialFromIAMInstanceProfile(CloudServiceAccountCredentialUtil.java:534)
com.service_now.mid.util.CloudServiceAccountCredentialUtil.resolveCredentialForAccount(CloudServiceAccountCredentialUtil.java:302)
com.service_now.mid.util.CloudServiceAccountCredentialUtil.resolveCredentialForAccount(CloudServiceAccountCredentialUtil.java:557)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
java.lang.reflect.Method.invoke(Method.java:498)
org.mozilla.javascript.MemberBox.invoke(MemberBox.java:138)
org.mozilla.javascript.NativeJavaMethod.call(NativeJavaMethod.java:292)
org.mozilla.javascript.ScriptRuntime.doCall(ScriptRuntime.java:2585)
org.mozilla.javascript.optimizer.OptRuntime.call1(OptRuntime.java:32)
org.mozilla.javascript.gen.script_include_AwsApiCommand_13._c_anonymous_6(script_include:AwsApiCommand:192)
org.mozilla.javascript.gen.script_include_AwsApiCommand_13.call(script_include:AwsApiCommand)
org.mozilla.javascript.ScriptRuntime.doCall2(ScriptRuntime.java:2651)
org.mozilla.javascript.ScriptRuntime.doCall(ScriptRuntime.java:2590)
org.mozilla.javascript.optimizer.OptRuntime.call1(OptRuntime.java:32)
org.mozilla.javascript.gen.script_include_AwsApiCommand_13._c_anonymous_14(script_include:AwsApiCommand:365)
org.mozilla.javascript.gen.script_include_AwsApiCommand_13.call(script_include:AwsApiCommand)
org.mozilla.javascript.ScriptRuntime.doCall2(ScriptRuntime.java:2651)
org.mozilla.javascript.ScriptRuntime.doCall(ScriptRuntime.java:2590)
org.mozilla.javascript.optimizer.OptRuntime.callN(OptRuntime.java:52)
org.mozilla.javascript.gen.script_include_CloudApiCommand_11._c_anonymous_2(script_include:CloudApiCommand:47)
org.mozilla.javascript.gen.script_include_CloudApiCommand_11.call(script_include:CloudApiCommand)
org.mozilla.javascript.ScriptRuntime.doCall2(ScriptRuntime.java:2651)
org.mozilla.javascript.ScriptRuntime.doCall(ScriptRuntime.java:2590)
org.mozilla.javascript.optimizer.OptRuntime.callN(OptRuntime.java:52)
org.mozilla.javascript.gen.script_include_CloudApiCommand_11._c_anonymous_1(script_include:CloudApiCommand:38)
org.mozilla.javascript.gen.script_include_CloudApiCommand_11.call(script_include:CloudApiCommand)
org.mozilla.javascript.ScriptRuntime.doCall2(ScriptRuntime.java:2651)
org.mozilla.javascript.ScriptRuntime.doCall(ScriptRuntime.java:2590)
org.mozilla.javascript.optimizer.OptRuntime.callN(OptRuntime.java:52)
org.mozilla.javascript.gen.script_include_CloudApi_9._c_anonymous_5(script_include:CloudApi:164)
org.mozilla.javascript.gen.script_include_CloudApi_9.call(script_include:CloudApi)
org.mozilla.javascript.ScriptRuntime.doCall2(ScriptRuntime.java:2651)
org.mozilla.javascript.ScriptRuntime.doCall(ScriptRuntime.java:2590)
org.mozilla.javascript.optimizer.OptRuntime.callN(OptRuntime.java:52)
org.mozilla.javascript.gen.script_include_CloudApi_9._c_anonymous_3(script_include:CloudApi:91)
org.mozilla.javascript.gen.script_include_CloudApi_9.call(script_include:CloudApi)
org.mozilla.javascript.ScriptRuntime.doCall2(ScriptRuntime.java:2651)
org.mozilla.javascript.ScriptRuntime.doCall(ScriptRuntime.java:2590)
org.mozilla.javascript.optimizer.OptRuntime.callN(OptRuntime.java:52)
org.mozilla.javascript.gen.script_include_CloudApi_9._c_anonymous_1(script_include:CloudApi:22)
org.mozilla.javascript.gen.script_include_CloudApi_9.call(script_include:CloudApi)
org.mozilla.javascript.ScriptRuntime.doCall2(ScriptRuntime.java:2651)
org.mozilla.javascript.ScriptRuntime.doCall(ScriptRuntime.java:2590)
org.mozilla.javascript.optimizer.OptRuntime.callN(OptRuntime.java:52)
org.mozilla.javascript.gen.script_include_CloudRestQueryUtil_8._c_anonymous_7(script_include:CloudRestQueryUtil:150)
org.mozilla.javascript.gen.script_include_CloudRestQueryUtil_8.call(script_include:CloudRestQueryUtil)
org.mozilla.javascript.ScriptRuntime.doCall2(ScriptRuntime.java:2651)
org.mozilla.javascript.ScriptRuntime.doCall(ScriptRuntime.java:2590)
org.mozilla.javascript.optimizer.OptRuntime.callN(OptRuntime.java:52)
org.mozilla.javascript.gen.ad_hoc_EvalClosure_Get_Master_account_id_7._c_script_0(ad_hoc:EvalClosure-Get Master account id:16)
org.mozilla.javascript.gen.ad_hoc_EvalClosure_Get_Master_account_id_7.call(ad_hoc:EvalClosure-Get Master account id)
org.mozilla.javascript.ContextFactory.doTopCall(ContextFactory.java:563)
org.mozilla.javascript.ScriptRuntime.doTopCall(ScriptRuntime.java:3429)
org.mozilla.javascript.gen.ad_hoc_EvalClosure_Get_Master_account_id_7.call(ad_hoc:EvalClosure-Get Master account id)
org.mozilla.javascript.gen.ad_hoc_EvalClosure_Get_Master_account_id_7.exec(ad_hoc:EvalClosure-Get Master account id)
com.service_now.mid.script.MIDScript.executeCompiledScript(MIDScript.java:223)
com.service_now.mid.script.MIDScript.evaluate(MIDScript.java:128)
com.snc.sw.kb.lang.closure.EvalClosure.executeJavascriptWithDetailedException(EvalClosure.java:117)
com.snc.sw.kb.lang.closure.CustomOperationClosure.runScript(CustomOperationClosure.java:199)
com.snc.sw.kb.lang.closure.CustomOperationClosure.function(CustomOperationClosure.java:85)
com.snc.sw.kb.lang.closure.CustomOperationClosure.function(CustomOperationClosure.java:27)
com.snc.sw.pattern.AbstractPatternExecutor.executeStep(AbstractPatternExecutor.java:739)
com.snc.sw.pattern.DefaultPatternExecutor.executeStepsImpl(DefaultPatternExecutor.java:50)
com.snc.sw.pattern.AbstractPatternExecutor.executeSteps(AbstractPatternExecutor.java:680)
com.snc.sw.pattern.HorizontalDiscoveryPatternExecutor.executeIdentification(HorizontalDiscoveryPatternExecutor.java:202)
com.snc.sw.pattern.HorizontalDiscoveryPatternExecutor.runIdentificationSection(HorizontalDiscoveryPatternExecutor.java:182)
com.snc.sw.pattern.HorizontalDiscoveryPatternExecutor.runHostDiscovery(HorizontalDiscoveryPatternExecutor.java:173)
com.snc.sw.pattern.HorizontalDiscoveryPatternExecutor.executeIdentifications(HorizontalDiscoveryPatternExecutor.java:122)
com.snc.sw.pattern.HorizontalDiscoveryPatternExecutor.executePattern(HorizontalDiscoveryPatternExecutor.java:67)
com.snc.sw.pattern.DefaultPatternExecutor.executePattern(DefaultPatternExecutor.java:32)
com.service_now.mid.probe.HorizontalDiscoveryProbe.runPattern(HorizontalDiscoveryProbe.java:241)
com.service_now.mid.probe.HorizontalDiscoveryProbe.runProbe(HorizontalDiscoveryProbe.java:108)
com.service_now.mid.probe.ServiceWatchProbe.probe(ServiceWatchProbe.java:35)
com.service_now.mid.probe.AProbe.process(AProbe.java:103)
com.service_now.mid.queue_worker.AWorker.runWorker(AWorker.java:122)
com.service_now.mid.queue_worker.AWorkerThread.run(AWorkerThread.java:20)
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
java.lang.Thread.run(Thread.java:748)

Steps to Reproduce

  1. Have an AWS service account set up.
  2. Create an EC2 instance profile and add the MID configuration parameter "mid.aws.instance_profile_name" with the role assigned to this instance profile.
  3. Set the MID Server property "mid.aws.sts.assume_role.disable_credential_caching" to true and restart the MID Server.
  4. Create a cloud schedule and try the "Test Account" UI action.
  5. This fails with an error:

    The "Amazon AWS Service account" pattern log displays a NullPointerException at step "Get Master account id".

  6. For the complete stack trace, enable MID Server debugging. The NullPointerException is then visible in the MID Server logs.
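To confirm this signature in a MID Server agent log once debugging is enabled, the following added example (not ServiceNow code) pairs each instance-profile credential lookup with a NullPointerException logged next by the same worker thread. The function name, the sample log lines and the "next line on the same thread" correlation rule are assumptions based on the excerpt above.

```python
import re

# Line prefix as in the excerpt: date, time, (millis), thread name, message.
LINE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d) \(\d+\) (\S+) (.*)$")
IMDS = re.compile(r"resolveCredentialFromIAMInstanceProfile: .*"
                  r"'http://169\.254\.169\.254/latest/meta-data/iam/security-credentials/([^']*)'")
CAUSE = re.compile(r"Caused by error in MID Server script include '([^']+)' at line (\d+)")

# Constructed sample: thread "aaaa" shows the failure, thread "bbbb" does not.
SAMPLE_LOG = """\
01/02/20 10:00:00 (100) Worker-Interactive:HorizontalDiscoveryProbe-aaaa DEBUG: resolveCredentialFromIAMInstanceProfile: Accessing temporary credentials from instance meta-data server 'http://169.254.169.254/latest/meta-data/iam/security-credentials/example-role'
01/02/20 10:00:00 (120) Worker-Interactive:HorizontalDiscoveryProbe-aaaa WARNING *** WARNING *** java.lang.NullPointerException
Caused by error in MID Server script include 'AwsApiCommand' at line 192
01/02/20 10:00:05 (200) Worker-Standard:HorizontalDiscoveryProbe-bbbb DEBUG: resolveCredentialFromIAMInstanceProfile: Accessing temporary credentials from instance meta-data server 'http://169.254.169.254/latest/meta-data/iam/security-credentials/example-role'
01/02/20 10:00:05 (230) Worker-Standard:HorizontalDiscoveryProbe-bbbb DEBUG: constructed unrelated message
01/02/20 10:00:06 (300) Worker-Standard:HorizontalDiscoveryProbe-bbbb WARNING *** WARNING *** java.lang.NullPointerException
"""

def find_instance_profile_npes(lines):
    """Return one dict per NullPointerException that is the very next entry
    logged by a thread after its instance-profile credential lookup."""
    pending = {}                      # thread -> (timestamp, role) of its last lookup
    hits, awaiting_cause = [], None   # awaiting_cause: hit whose "Caused by" line may follow
    for raw in lines:
        m = LINE.match(raw.rstrip("\n"))
        if not m:                     # continuation line without a timestamp
            c = CAUSE.search(raw)
            if c and awaiting_cause is not None:
                awaiting_cause.update(script_include=c.group(1), line=int(c.group(2)))
                awaiting_cause = None
            continue
        ts, thread, msg = m.groups()
        awaiting_cause = None
        previous = pending.pop(thread, None)   # any new entry ends the pairing window
        lookup = IMDS.search(msg)
        if lookup:
            pending[thread] = (ts, lookup.group(1))
        elif previous and "java.lang.NullPointerException" in msg:
            hit = {"thread": thread, "role": previous[1], "lookup_time": previous[0],
                   "npe_time": ts, "script_include": None, "line": None}
            hits.append(hit)
            awaiting_cause = hit
    return hits

if __name__ == "__main__":
    for h in find_instance_profile_npes(SAMPLE_LOG.splitlines()):
        print(h)
```

The function accepts any iterable of lines, so an open log file can be passed in place of the sample.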

Workaround

Use either of the following workarounds:

  1. Import the attached "CloudServiceAccountCredentialUtil.java.zip"
    or
  2. Set the "mid.aws.sts.assume_role.disable_credential_caching" MID property to "false", if it has been created.

This problem has been fixed. If you are able to upgrade, review the Fixed In or Intended Fix Version fields to determine whether any versions have a planned or permanent fix.


Related Problem: PRB1379787

Seen In

SR - IRM - Audit Management - New York 2019 Q3
SR - IRM - GRC Profiles - Madrid 2019 Q2
SR - IRM - GRC Workbench - New York 2019 Q3
SR - IRM - Policy and Compliance - Madrid 2019 Q2
SR - IRM - Risk Management - New York 2019 Q3
SR - Security - Integration Framework - Madrid 2019 Q2
SR - Security - Support Common - Madrid 2019 Q2
SR - Security - Support Orchestration - Madrid 2019 Q2
SR - SIR - Security Incident Response - Madrid 2019 Q2
SR - SIR - Store SecOps Setup Assistant - Madrid 2019 Q2
SR - SIR - Store Threat Core - Madrid 2019 Q2
SR - SIR - Store Trusted Security Circles Client - New York 2019 Q3
SR - VR - Qualys - New York 2019 Q3
SR - VR - Vulnerability Response - New York 2019 Q3

Intended Fix Version

Paris

Safe Harbor Statement

This "Intended Fix Version" information is meant to outline ServiceNow's general product direction and should not be relied upon in making a purchasing decision. The information provided here is for information purposes only and may not be incorporated into any contract. It is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. The development, release, and timing of any features or functionality described for our products remains at ServiceNow's sole discretion.


Article Information

Last Updated: 2020-06-22 14:56:47
Published: 2020-03-23