
Improve the error message when joining fails (#38409)
Fixes #33975
zmb3 authored Feb 20, 2024
1 parent 21eac06 commit 5035c6e
Showing 3 changed files with 7 additions and 7 deletions.
6 changes: 3 additions & 3 deletions lib/auth/join_azure.go
Expand Up @@ -281,7 +281,7 @@ func verifyVMIdentity(ctx context.Context, cfg *azureRegisterConfig, accessToken
return vm, nil
}

func checkAzureAllowRules(vm *azure.VirtualMachine, allowRules []*types.ProvisionTokenSpecV2Azure_Rule) error {
func checkAzureAllowRules(vm *azure.VirtualMachine, token string, allowRules []*types.ProvisionTokenSpecV2Azure_Rule) error {
for _, rule := range allowRules {
if rule.Subscription != vm.Subscription {
continue
Expand All @@ -293,7 +293,7 @@ func checkAzureAllowRules(vm *azure.VirtualMachine, allowRules []*types.Provisio
}
return nil
}
return trace.AccessDenied("instance did not match any allow rules")
return trace.AccessDenied("instance %v did not match any allow rules in token %v", vm.Name, token)
}

func (a *Server) checkAzureRequest(ctx context.Context, challenge string, req *proto.RegisterUsingAzureMethodRequest, cfg *azureRegisterConfig) error {
Expand Down Expand Up @@ -322,7 +322,7 @@ func (a *Server) checkAzureRequest(ctx context.Context, challenge string, req *p
return trace.BadParameter("azure join method only supports ProvisionTokenV2, '%T' was provided", provisionToken)
}

if err := checkAzureAllowRules(vm, token.Spec.Azure.Allow); err != nil {
if err := checkAzureAllowRules(vm, token.GetName(), token.Spec.Azure.Allow); err != nil {
return trace.Wrap(err)
}

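Review bot: The new AccessDenied message formats vm.Name and the token name with `%v`; both are free-form strings that may be empty or contain whitespace, so `%q` would make the value boundaries unambiguous in audit logs and in the error the client receives: `return trace.AccessDenied("instance %q did not match any allow rules in token %q", vm.Name, token)`. The same applies to the equivalent lines in join_ec2.go (iid.InstanceID, provisionToken.GetName()) and join_iam.go (identity.Arn, token). checkAzureAllowRules also gains a parameter with no doc comment; the call site passes `token.GetName()`, so a line such as `// checkAzureAllowRules returns an AccessDenied error unless vm matches one of allowRules; token is the provision token's name and is used only in that error.` would pin down what callers must pass. The loop body of checkAzureAllowRules is partly collapsed within this hunk.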
2 changes: 1 addition & 1 deletion lib/auth/join_ec2.go
Expand Up @@ -84,7 +84,7 @@ func checkEC2AllowRules(ctx context.Context, iid *imds.InstanceIdentityDocument,
// iid matches this allow rule. Check if it is running.
return trace.Wrap(checkInstanceRunning(ctx, iid.InstanceID, iid.Region, rule.AWSRole))
}
return trace.AccessDenied("instance did not match any allow rules")
return trace.AccessDenied("instance %v did not match any allow rules in token %v", iid.InstanceID, provisionToken.GetName())
}

func checkInstanceRunning(ctx context.Context, instanceID, region, IAMRole string) error {
6 changes: 3 additions & 3 deletions lib/auth/join_iam.go
Expand Up @@ -237,7 +237,7 @@ func arnMatches(pattern, arn string) (bool, error) {

// checkIAMAllowRules checks if the given identity matches any of the given
// allowRules.
func checkIAMAllowRules(identity *awsIdentity, allowRules []*types.TokenRule) error {
func checkIAMAllowRules(identity *awsIdentity, token string, allowRules []*types.TokenRule) error {
for _, rule := range allowRules {
// if this rule specifies an AWS account, the identity must match
if len(rule.AWSAccount) > 0 {
Expand All @@ -260,7 +260,7 @@ func checkIAMAllowRules(identity *awsIdentity, allowRules []*types.TokenRule) er
// node identity matches this allow rule
return nil
}
return trace.AccessDenied("instance did not match any allow rules")
return trace.AccessDenied("instance %v did not match any allow rules in token %v", identity.Arn, token)
}

// checkIAMRequest checks if the given request satisfies the token rules and
Expand Down Expand Up @@ -295,7 +295,7 @@ func (a *Server) checkIAMRequest(ctx context.Context, challenge string, req *pro
}

// check that the node identity matches an allow rule for this token
if err := checkIAMAllowRules(identity, provisionToken.GetAllowRules()); err != nil {
if err := checkIAMAllowRules(identity, provisionToken.GetName(), provisionToken.GetAllowRules()); err != nil {
return trace.Wrap(err)
}

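Review bot: The doc comment on checkIAMAllowRules still describes only identity and allowRules, but the signature now takes a `token` string that is used solely in the AccessDenied message at the end of the function. It should be updated, e.g. `// checkIAMAllowRules checks if the given identity matches any of the given allowRules. token is the provision token's name and appears only in the returned AccessDenied error.`, so that a future caller does not assume the value is matched against the rules. The rule-matching part of the loop body is collapsed within this hunk, so the matching logic itself is not visible here.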
