Troubleshoot the Configuration of MDE with IAM Authentication

Logs

  • Auth service logs: /opt/alation/site/logs/authserver.log

  • Auth service error logs: /opt/alation/site/logs/authserver_err.log

  • MDE logs: /opt/alation/site/logs/celery*.log

Each entry below gives the type of error, its description, and troubleshooting steps.

Type of Error: Error serializing table objects: Error iterating schema children

Description: If MDE fails with this error for Amazon Athena, the cause may be that the STS token expired while the extraction was in progress.

Troubleshooting:

  • Increase the STS max duration configuration in AWS for both the EC2 instance role and the IAM role that is assumed.

  • If the max STS duration is configured to be 12 hours and you still see this error, you may have run into the limitation of Alation not supporting metadata extraction that runs for more than 12 hours. As an alternative, you can use an EC2 instance profile role to authenticate.

Type of Error: TaskServer timed out after <..> seconds for method: adbcExtractSchemas

Description: If the adbcExtractSchemas method times out before the extraction has completed, the extraction fails.

Troubleshooting:

  • Increase the timeout using the alation_conf parameter alation.taskserver_timeouts.adbcExtractSchemas

Type of Error: Incomplete authorization, state not found

Description: AuthService and the data source are configured without the right instance profile, or the instance profile was assigned to an EC2 instance but has not taken effect.

Troubleshooting:

  • Check authserver.log for details on the root cause of the failure.

  • Try restarting the EC2 instance so that the instance profile is associated with it.

Type of Error: [Simba][AthenaJDBC](100211) Missing credentials error: Either UID/PWD or AwsCredentialsProviderClass must be provided

Description: Taskserver needs to be restarted after the backend configuration.

Troubleshooting:

  • Restart Taskserver. From the Alation shell, run:

    alation_supervisor restart java:taskserver

Type of Error: The security token included in the request is invalid. (Service: AmazonAthena; Status Code: 400; Error Code: UnrecognizedClientException; Request ID: <…>)

Description: An STS token is generated using an IAM role. Instance profiles are not recognized, or the configuration does not take effect. This is typically an AWS misconfiguration.

Troubleshooting:

  • Restart the EC2 instance hosting Alation.

  • Check the IAM role policies and their permissions.

  • Check that your Amazon Athena or Redshift instances are up and accessible from Alation.

Type of Error: Job is not running. It might have been killed or crashed unexpectedly or there might have been a system outage

Description: The log authserver.log will contain the details: “Error: AWS Validation Error. User: <..> is not authorized to perform: sts:AssumeRole on resource: <..>”

Troubleshooting:

  • Check the configuration of the role that gives access to the AWS resources. It must contain the instance profile role in the Trusted Relationships.
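The sts:AssumeRole and STS max duration entries above both come down to the configuration of the assumed IAM role. The following added example (not Alation's own tooling) checks both against the JSON that `aws iam get-role` returns. The sample data, account ID, role names and function names are assumptions made for illustration.

```python
# Constructed sample shaped like the "Role" object from `aws iam get-role`;
# the account ID and role names are placeholders, not values from the page.
SAMPLE_GET_ROLE = {"Role": {
    "MaxSessionDuration": 3600,
    "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:role/alation-ec2-role"},
        "Action": "sts:AssumeRole"}]}}}

def as_list(value):
    """IAM accepts a single string or a list for Statement, Action and Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def trusts_principal(role, principal_arn):
    """True if an Allow statement names principal_arn for sts:AssumeRole.
    Exact matches only: wildcards, account-root principals and Condition
    blocks are not evaluated."""
    for stmt in as_list(role["AssumeRolePolicyDocument"].get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict) and principal_arn in as_list(principal.get("AWS")):
            return True
    return False

def check_role(get_role_output, instance_role_arn, extraction_hours):
    """Return findings for the trust-policy and STS-duration rows of the table."""
    role = get_role_output["Role"]
    findings = []
    if not trusts_principal(role, instance_role_arn):
        findings.append("trust policy does not allow sts:AssumeRole from " + instance_role_arn)
    max_seconds = role.get("MaxSessionDuration", 3600)  # AWS default is one hour
    if max_seconds < extraction_hours * 3600:
        findings.append("MaxSessionDuration %ds is shorter than a %dh extraction"
                        % (max_seconds, extraction_hours))
    return findings

if __name__ == "__main__":
    arn = "arn:aws:iam::111111111111:role/alation-ec2-role"
    for finding in check_role(SAMPLE_GET_ROLE, arn, 4):
        print("FINDING:", finding)
```

To use it against a real role, save the output of `aws iam get-role --role-name <role>` to a file, load it with `json.load`, and pass it in place of the sample.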