AWSCLI connection timeout

T-cog · March 22, 2018, 12:07pm

Trying to connect to AWS through AWSCLI tool and I receive the connection timeout error below. It may be the result of corporate proxy. I am able to successfully connect using Amazons CLI tool after configuring a HTTPS_PROXY setting.

.okta>set HTTPS_PROXY=https://<<PROXY.URL>>
.okta>aws iam get-user
{
“User”: {
“UserName”: “XXXX”,
“PasswordLastUsed”: “",
“CreateDate”: "",
“UserId”: "*********",
“Path”: “/”,
“Arn”: "arn:aws:iam::*********:user/”
}
}

This environment variable and one for HTTP do not seem to have an impact on AWSCLI. Any suggestions on how to resolve this connection issue?

Thanks!

.okta>java -classpath ".okta\*" com.okta.tools.awscli
Username: *************
Password:
Exception in thread "main" **org.apache.http.conn.ConnectTimeoutException: Connect to XXXXX.oktapreview.com:443**
[XXXXX.oktapreview.com/999.999.226.139, XXXXX.oktapreview.com/999.999.81.89, XXXXX.oktapreview.com/999.999.80.210,
 XXXXX.oktapreview.com/999.999.76.2, XXXXX.oktapreview.com/000.999.80.174, XXXXX.oktapreview.com/999.999.226.145]
failed: Read timed out
        at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOp
erator.java:150)
        at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionMan
ager.java:353)
        at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
        at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
        at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
        at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
        at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
        at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
        at com.okta.tools.OktaAwsCliAssumeRole.logInToOkta(OktaAwsCliAssumeRole.java:271)
        at com.okta.tools.OktaAwsCliAssumeRole.getAuthnResponse(OktaAwsCliAssumeRole.java:208)
        at com.okta.tools.OktaAwsCliAssumeRole.getOktaSessionToken(OktaAwsCliAssumeRole.java:178)
        at com.okta.tools.OktaAwsCliAssumeRole.getSamlResponse(OktaAwsCliAssumeRole.java:124)
        at com.okta.tools.OktaAwsCliAssumeRole.run(OktaAwsCliAssumeRole.java:111)
        at com.okta.tools.awscli.main(awscli.java:31)
Caused by: java.net.SocketTimeoutException: Read timed out
        at java.net.SocketInputStream.socketRead0(Native Method)
        at java.net.SocketInputStream.socketRead(Unknown Source)
        at java.net.SocketInputStream.read(Unknown Source)
        at java.net.SocketInputStream.read(Unknown Source)
        at sun.security.ssl.InputRecord.readFully(Unknown Source)
        at sun.security.ssl.InputRecord.read(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket

AndreiiiH · March 22, 2018, 3:51pm

Hello T-cog,

Can you please elaborate on the above? It is a bit vague for us to understand.

From the first paragraph it seems as if you were able to successfully use the tool once HTTP_PROXY was defined.

T-cog · March 22, 2018, 6:49pm

I apologize for the confusion. I am able to use Amazon’s CLI tool successfully after configuring the proxy variable as illustrated with the #aws iam, get-user command. Okta’s AWSCLI tool fails to connect with the connection timeout error.

I did perform a packet capture while attempting to connect using Okta’s AWSCLI to try and identify where the connection is timing out, and it appears to be while connection to Okta Preview. The image below shows the client and server handshake, followed by repeated retransmissions and eventually a client reset when the server fails to respond.

.okta>java -classpath ".okta\*" com.okta.tools.awscli
Username: XXXX
Password:
Exception in thread "main" org.apache.http.conn.ConnectTimeoutException: Connect to xxxxx.oktapreview.com:443
[xxxxx.oktapreview.com/50.17.226.139, xxxxx.oktapreview.com/54.225.76.2, xxxxx.oktapreview.com/54.225.80.174,
xxxxx.oktapreview.com/50.17.226.145, xxxxx.oktapreview.com/54.225.80.210, xxxxx.oktapreview.com/54.225.81.89]
failed: Read timed out

AndreiiiH · March 23, 2018, 8:06am

Thank you for the clarification provided. I have forwarded the information by submitting an issue on the GitHub repo, so that my colleagues can also take a look at it for a quick resolution.

You can see Issue #105 here.

Please continue monitoring that issue thread for updates. If we need more information, we’ll reach out to you on this thread.

Thank you,
Andrei Hava

system · January 12, 2024, 10:07pm

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.

Post		Replies	Views
Com.okta.tools.awscli unable to find program 'aws' Questions	5	8735	February 4, 2019
Timeout error when decoding the access token OAuth/OIDC	3	1871	October 16, 2023
Proxy/Netty: io.netty.channel.ConnectTimeoutException: connection timed out Questions	4	17152	August 26, 2020
Okta .NET SDK and AWS Lambda Questions	6	3714	April 29, 2021
Inscrutable error from okta-aws Questions	3	4697	February 8, 2024

AWSCLI connection timeout

Related topics