Troubleshoot the Configuration of MDE with IAM Authentication

Logs

  • Auth service logs: /opt/alation/site/logs/authserver.log

  • Auth service error logs: /opt/alation/site/logs/authserver_err.log

  • MDE logs: /opt/alation/site/logs/celery*.log

Type of Error: Error serializing table objects: Error iterating schema children

Description: For MDE from Athena, this error can mean that the STS token expired while the extraction was in progress.

Troubleshooting:

  • Increase the STS max duration configuration in AWS for both the EC2 instance role and the IAM role that is assumed.

  • If the max STS duration of 12 hours is configured and you still see this error, you may have run into the limitation that Alation does not support metadata extraction that runs more than 12 hours. As an alternative, you can use the EC2 instance profile role to directly assume the policies and authenticate using instance profiles.

Type of Error: TaskServer timed out after <..> seconds for method: adbcExtractSchemas

Description: If the adbcExtractSchemas timeout expires before the extraction has completed, the extraction fails.

Troubleshooting: Increase the timeout using the alation_conf parameter alation.taskserver_timeouts.adbcExtractSchemas.

Type of Error: Incomplete authorizaiton, state not found

Description: AuthService and the data source are configured without the right instance profile, or the instance profile was assigned to an EC2 instance but has not taken effect.

Troubleshooting:

  • Check authserver.log for more details on the root cause of the failure.

  • Try restarting the EC2 instance so that the instance profile is associated with it.

Type of Error: [Simba][AthenaJDBC (100211) Missing credentials error: Either UID/PWD or AwsCredentialsProviderClass must be provided

Description: Taskserver needs to be restarted after the backend configuration.

Troubleshooting: Restart Taskserver. From the Alation shell, run:

alation_supervisor restart java:taskserver

Type of Error: The security token included in the request is invalid. (Service: AmazonAthena; Status Code: 400; Error Code: UnrecognizedClientException; Request ID: <…>)

Description: The STS token is generated using the IAM roles, but the instance profiles are not recognized or the configuration has not taken effect. This is typically an AWS misconfiguration.

Troubleshooting:

  • Restart the EC2 instance hosting Alation.

  • Check the IAM role policies and their permissions.

  • Check that the Athena or Redshift instances are up and accessible from Alation.

Type of Error: Job is not running. It might have been killed or crashed unexpectedly or there might have been a system outage

Description: authserver.log contains the details: “Error: AWS Validation Error. User: <..> is not authorized to perform: sts:AssumeRole on resource: <..>”

Troubleshooting: Check the configuration of the role that gives access to the AWS resources. It must contain the instance profile role in the Trusted Relationships.
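The two IAM checks above (the STS max duration and the instance profile role in the trust relationship) can be run offline against the JSON printed by `aws iam get-role --role-name <role>`. This is an added example, not Alation's code; the account ID, the role names and the function names are assumptions, and the sample documents are constructed.

```python
import json

MAX_STS_SECONDS = 12 * 3600  # the 12-hour maximum mentioned above

def _as_list(value):
    """IAM policy fields may hold a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def trust_allows_assume(trust_policy, principal_arn):
    """True if an Allow statement names principal_arn for sts:AssumeRole.
    Deny statements and Condition blocks are not evaluated here."""
    for stmt in _as_list(trust_policy.get("Statement")):
        principal = stmt.get("Principal")
        if (stmt.get("Effect") == "Allow"
                and "sts:AssumeRole" in _as_list(stmt.get("Action"))
                and isinstance(principal, dict)
                and principal_arn in _as_list(principal.get("AWS"))):
            return True
    return False

def check_role(get_role_output, instance_role_arn):
    """Findings for the JSON printed by `aws iam get-role`."""
    role = get_role_output["Role"]
    findings = []
    if not trust_allows_assume(role.get("AssumeRolePolicyDocument", {}), instance_role_arn):
        findings.append("trust policy does not allow the instance profile role to call sts:AssumeRole")
    duration = role.get("MaxSessionDuration", 3600)  # IAM default is one hour
    if duration < MAX_STS_SECONDS:
        findings.append(f"MaxSessionDuration is {duration}s, below {MAX_STS_SECONDS}s")
    return findings

# Constructed sample data: account ID and role names are placeholders.
INSTANCE_ROLE = "arn:aws:iam::111122223333:role/alation-ec2-instance-role"
BROKEN = json.loads("""{"Role": {"RoleName": "alation-athena-access",
  "MaxSessionDuration": 3600,
  "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"Service": "ec2.amazonaws.com"}}]}}}""")
FIXED = json.loads("""{"Role": {"RoleName": "alation-athena-access",
  "MaxSessionDuration": 43200,
  "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": ["arn:aws:iam::111122223333:role/alation-ec2-instance-role"]}}]}}}""")

if __name__ == "__main__":
    for name, doc in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, check_role(doc, INSTANCE_ROLE) or "ok")
```

Run it against the assumed role (the one that grants access to the AWS resources), passing the ARN of the role attached to the EC2 instance profile.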