search cancel

Blocked URL or AWS IAM user's policy causes AWS Access Key Rotation Issue

book

Article ID: 144745

calendar_today

Updated On:

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

AWS Access Key ID that can be successfully used to connect to the AWS Management Console may sometimes not synchronized.  The following error is received: "PAM-CM-3391: AWS Key Pair can be changed only by random generation.
This is normally done by selecting "Update both the Credential Manager Server and the target system" on the "Key" tab and then entering the Access Key ID and Secret Access Key. 

Environment

Release : 3.3, 3.4.x

Component : PRIVILEGED ACCESS MANAGEMENT

Resolution

The firewall that blocks the URL can cause this issue. Review firewall configuration to allow access to URLs used for AWS access, specifically: iam.amazonaws.com.

There could be a permission problem too, i.e.  configured AWS IAM user's policy doesn't give privilege for PAM to update Access Key ID and its Secret Access Key. In this case, the solution is to add AWS IAM user policy so it can rotate their own credentials programmatically. Please refer below AWS article

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_iam_credentials_console.html

If "Update both the Credential Manager Server and target system" is selected as value of "Synchronized:" parameter in the Key tab of the AWS Target Account, it means we let PAM rotates the AWS IAM user's Access Key ID and its Secret Access Key. This is not necessary if we just want to integrate PAM with AWS and import AWS devices. Selecting "Update only the Credential Manager Server" as value of "Synchronized:" parameter will be sufficient.

When PAM rotates AWS Target Account's credentials, PAM will automatically delete the current Access Key ID and regenerate a new Access Key ID with its new Secret Access Key. In other words, credentials rotation for AWS Target Account will change both Access Key ID and Secret Access Key values. So the above error, i.e.

    PAM-CM-3391: AWS Key Pair can be changed only by random generation

occurred because manually Secret Access Key value only has been changed without a new Access Key ID value.

If PAM has sufficient privileges to rotate AWS Target Account's credentials then manual credentials rotation is done by clicking the "Generate Credential" icon. This "Generate Credential" will create both new Access Key ID and new Secret Access Key.