Route 53 setup in Virtualmin: "AWS credentials are not valid"

SYSTEM INFORMATION
OS type and version Rocky Linux 9.5
Virtualmin version 7.30.3 Pro

I am attempting to set up Route 53 in my Virtualmin. I added the AWS service to my server, and the option is now appearing under Addresses and Networking > Cloud DNS Providers.

I created a user in my AWS account called “Virtualmin” and gave it the “AmazonRoute53FullAccess” role. I then created the keys for the account.

When I add the account to the Route 53 settings in Virtualmin, I get the error:

Failed to save cloud DNS provider : AWS credentials are not valid : An error occurred (InvalidClientTokenId) when calling the ListHostedZones operation: The security token included in the request is invalid.

I went back and added additional roles to the account in AWS, but the error is persisting. I did verify I copied the name and password from AWS correctly, and re-copied them from the downloaded CSV file.

Any advice on what next steps I can take to troubleshoot this? I did search for solutions, but nothing came up that I haven’t already tried.

I don’t see any evidence the problem is permissions (at least not yet). It looks like the credentials are wrong, based on the error.

The error would say something about access rights if that’s the problem.

Hm. I deleted the user, and created a new one. Added to the group with the permissions, then created a new set of Access Keys.

Copied the keys right from the portal, using the Copy icon next to each item, pasted into Virtualmin’s UI.

Unfortunately, the issue is persisting.

Is there some underlying config I may need to set up, after installing AWS on my server, but before entering the credentials? Does the AWS account need a specific role or setup aside from the permissions to modify Route53 items?

Like Joe said, it's an error with credentials.
Credentials are S3 access key and S3 secret key, not an account name, so Account name is not used anywhere on the Virtualmin side.
I’ll paste what I have in my IAM, you might see something different.

I did follow that post. Here’s my User setup:

Even when I copy & paste the two keys, either from the website or from the CSV file, I get the same error message.

I think I am missing an Account ID in my setup - the Virtualmin UI doesn’t ask for an Account ID anywhere, but the Web UI for AWS does before you can even get to the login page.

I’ll go over the AWS CLI setup, see what I potentially missed during the install process.

Even after setting up the configuration from the CLI following:

I still can’t connect. I set up for IAM Role - should I be using another setup method?

Only difference I see, I attach directly rather than via a group.

I’ve never used an Account ID in Virtualmin.

All I need to set up the S3 Account.

When I am creating an Access Key, what Use Case should I be picking?

I can’t even remember that screen, second last maybe? Application Outside AWS. Although I think Virtualmin uses the CLI commands.

Looking at the error, are you selecting a zone?
Maybe that's the issue.

I’m selecting us-east-1, as us-east-2 is not available in the drop-down.

I never use the drop-down, have you tried default?

The default is us-east-1, which I have been using.

Really, let me try that zone, I’m enabled there, I am pretty sure.

Yeah, created with new key, got me why you're having issues.

And you're enabled there at AWS.

Just pick CLI. I don’t know why there are all the different options, but Virtualmin uses the aws-cli command.

The thing that’s making me think is the line “(InvalidClientTokenId)” - I feel like something isn’t being passed to AWS correctly? Or it’s not set up correctly, but I am not sure what I am missing in my setup.

I also tried setting up an Access Key as my root user - same issue. I removed the key as soon as I tested it and it stopped working.

this may or may not help

Ok, I just noticed something, I didn’t use the Cloud DNS provider section in Virtualmin.
I created the S3 Account section in the Backup and Restore section.

Can you create an account there, or do you still get the error?

That account let me use the Route53.

P.S. Just tested, I can create an account there :frowning: not the problem.

I took a step back and tried testing it from the command line. It looks like there’s a permissions issue (AssumeRole) that I need to resolve in AWS with the account I set up, before I can get the UI to work. Once I can confirm I can make calls from the command line on my server and get responses, I’ll come back and try the UI again.
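
The command-line triage this thread converges on, as an added example that is not part of any poster's reply or of Virtualmin's own code: it separates "AWS did not recognize the key" from "the key is fine but the policy is not", and checks a pasted key ID for copy-and-paste damage. The function names are hypothetical and the sample key is constructed; the `AKIA`/`ASIA` prefixes follow AWS's documented IAM identifier prefixes.

```shell
#!/bin/sh
# Added example: triage for aws-cli credential errors. Function names are
# hypothetical; sample values below are constructed, not real keys.

# Map aws-cli error text to the layer that rejected the request.
classify_aws_error() {
  case "$1" in
    *InvalidClientTokenId*)  echo "key-id-not-recognized" ;;  # AWS has no record of this key ID
    *SignatureDoesNotMatch*) echo "secret-key-mismatch" ;;    # key ID known, secret wrong
    *ExpiredToken*)          echo "session-token-expired" ;;
    *AccessDenied*|*"not authorized to perform"*) echo "permissions" ;;  # credentials accepted, policy denies
    *)                       echo "unknown" ;;
  esac
}

# Sanity-check a pasted access key ID before blaming IAM policy.
check_key_id() {
  [ -n "$1" ] || { echo "empty"; return; }
  # Stray spaces or newlines from copy and paste change the key ID.
  if [ "$(printf '%s' "$1" | tr -d ' \t\r\n')" != "$1" ]; then
    echo "whitespace"; return
  fi
  case "$1" in
    AKIA*) echo "long-term" ;;
    ASIA*) echo "temporary-needs-session-token" ;;  # STS credentials
    *)     echo "unexpected-prefix" ;;
  esac
}

# Test the key pair exported as AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY,
# without any named profile. Needs network access and aws-cli.
live_check() {
  out=$( unset AWS_PROFILE; aws sts get-caller-identity 2>&1 ) \
    && { echo "valid"; return 0; }
  classify_aws_error "$out"
}

# Constructed demo using the error text quoted in the first post.
err='An error occurred (InvalidClientTokenId) when calling the ListHostedZones operation: The security token included in the request is invalid.'
echo "first post's error -> $(classify_aws_error "$err")"
echo "AKIA sample        -> $(check_key_id 'AKIAEXAMPLEEXAMPLE00')"
```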