AWS Cloud9 or Code Editor Environment "[Error 401] access denied, invalid bearer token" when authenticating

[b1tf0rbyt3s]

Was attempting to utilize falconpy from within our AWS coding environment. Tried creating a Cloud9 environment with both the Amazon Linux and Ubuntu 22 EC2 underlying it. When I try to run any calls I get a [Error 401] access denied, invalid bearer token. Cloud9 comes default with Python 3.9.16 when using Amazon Linux OS and 3.10 when using Ubuntu 22. I even tried upgrading to 3.12 to see if there was any difference. I also tried using Code Editor from within AWS SageMaker and it defaults to python 3.10 - get exact same error.

What is puzzling is that the same exact code works fine when running within my local IDE on my laptop, utilizing same python versions. Makes me think it is something within the AWS environment that is not allowing authentication but not sure how to pinpoint the exact issue as it only gives me a "access denied, invalid bearer token" error.

Sample test code to demonstrate how I am attempting authenticate (This code works perfectly in local IDE but gives the error mentioned above in code editing environments within AWS):

import os
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=os.getenv("FALCON_CLIENT_ID"),
                      client_secret=os.getenv("FALCON_CLIENT_SECRET"))

SEARCH_FILTER = "hostname:'HOSTNAME'"
response = falcon.command("QueryDevicesByFilter",
                          limit=1,
                          filter=SEARCH_FILTER
                          )
if response["status_code"] == 200:
    hosts_found = response["body"]["resources"]
    print(f'Host ID Found: {hosts_found}')
else:
    # Retrieve the details of the error response
    error_detail = response["body"]["errors"]
    for error in error_detail:
        # Display the API error detail
        error_code = error["code"]
        error_message = error["message"]
        print(f"[Error {error_code}] {error_message}")

On Cloud9 or AWS Code Editor I get:
[Error 401] access denied, invalid bearer token

On local IDE, I get 200 and the Host ID every time.

I also tested same code on personal AWS account with full admin rights. Same result.

Any ideas as to what could be restricting from within AWS environment or best way to narrow down what might be the issue?

[jshcodes]

The example above appears to leverage Environment Authentication (manually). If you swap to Direct Authentication, do you get a valid bearer token?

[jshcodes]

It's weird we're getting a 401 back when trying the following code (if our client ID and secret are valid):

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id="<REDACTED>", client_secret="<REDACTED>")

results = falcon.command("QueryDevicesByFilterScroll", limit=1)
print(results)

Can we take this code and execute it outside of Cloud9? When doing so, let's turn on debugging just so we see the full interaction. (Keys will be redacted still.)

import logging
from falconpy import APIHarnessV2

logging.basicConfig(level=logging.DEBUG)
falcon = APIHarnessV2(client_id="<REDACTED>", client_secret="<REDACTED>", debug=True)

results = falcon.command("QueryDevicesByFilterScroll", limit=1)
print(results)

Another thing we should check: Does your tenant have IP allowlist management enabled?

[b1tf0rbyt3s]

Here is the output from same CID when I run via local IDE. In terms of IP Allowlist - I will usually add the IP addresses to the allow list in Falcon - in this case I added the IP addresses that are logged in Falcon for Amazon and my own IP Address as well (for running locally).

DEBUG:falconpy._auth_object._falcon_interface:CREATED: APIHarnessV2 interface class
DEBUG:falconpy._auth_object._falcon_interface:CONFIG: Base URL set to https://api.crowdstrike.com
DEBUG:falconpy._auth_object._falcon_interface:CONFIG: SSL verification is set to True
DEBUG:falconpy._auth_object._falcon_interface:CONFIG: Timeout set to None seconds
DEBUG:falconpy._auth_object._falcon_interface:CONFIG: Proxy dictionary: None
DEBUG:falconpy._auth_object._falcon_interface:CONFIG: User-Agent string set to: None
DEBUG:falconpy._auth_object._falcon_interface:CONFIG: Token renewal window set to 120 seconds
DEBUG:falconpy._auth_object._falcon_interface:CONFIG: Maximum number of records to log: 100
DEBUG:falconpy._auth_object._falcon_interface:CONFIG: Log sanitization is enabled
DEBUG:falconpy._auth_object._falcon_interface:CONFIG: Pythonic responses are disabled
DEBUG:falconpy._auth_object._falcon_interface:OPERATION: oauth2AccessToken
DEBUG:falconpy._auth_object._falcon_interface:ENDPOINT: https://api.crowdstrike.com/oauth2/token (POST)
DEBUG:falconpy._auth_object._falcon_interface:HEADERS: {'User-Agent': 'crowdstrike-falconpy/1.4.1', 'CrowdStrike-SDK': 'crowdstrike-falconpy/1.4.1'}
DEBUG:falconpy._auth_object._falcon_interface:PARAMETERS: None
DEBUG:falconpy._auth_object._falcon_interface:BODY: None
DEBUG:falconpy._auth_object._falcon_interface:DATA: {'client_id': 'REDACTED', 'client_secret': 'REDACTED'}
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.crowdstrike.com:443
DEBUG:urllib3.connectionpool:https://api.crowdstrike.com:443 "POST /oauth2/token HTTP/1.1" 308 0
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.us-2.crowdstrike.com:443
DEBUG:urllib3.connectionpool:https://api.us-2.crowdstrike.com:443 "POST /oauth2/token HTTP/1.1" 201 1251
DEBUG:falconpy._auth_object._falcon_interface:RECEIVED: Content returned in application/json format
DEBUG:falconpy._auth_object._falcon_interface:STATUS CODE: 201
DEBUG:falconpy._auth_object._falcon_interface:RESULT: {'status_code': 201, 'headers': {'Server': 'nginx', 'Date': 'Mon, 01 Apr 2024 16:00:32 GMT', 'Content-Type': 'application/json', 'Content-Length': '1251', 'Connection': 'keep-alive', 'X-Cs-Region': 'us-2', 'X-Cs-Traceid': '6af46408-f3f0-4907-9d35-77d540f76bcf', 'X-Ratelimit-Limit': '300', 'X-Ratelimit-Remaining': '298', 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'}, 'body': {'access_token': 'REDACTED', 'expires_in': 1799, 'token_type': 'bearer'}}
DEBUG:falconpy._auth_object._falcon_interface:OPERATION: QueryDevicesByFilterScroll
DEBUG:falconpy._auth_object._falcon_interface:ENDPOINT: https://api.us-2.crowdstrike.com/devices/queries/devices-scroll/v1 (GET)
DEBUG:falconpy._auth_object._falcon_interface:HEADERS: {'Authorization': 'Bearer REDACTED', 'User-Agent': 'crowdstrike-falconpy/1.4.1', 'CrowdStrike-SDK': 'crowdstrike-falconpy/1.4.1'}
DEBUG:falconpy._auth_object._falcon_interface:PARAMETERS: {'limit': 1}
DEBUG:falconpy._auth_object._falcon_interface:BODY: {}
DEBUG:falconpy._auth_object._falcon_interface:DATA: {}
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.us-2.crowdstrike.com:443
DEBUG:urllib3.connectionpool:https://api.us-2.crowdstrike.com:443 "GET /devices/queries/devices-scroll/v1?limit=1 HTTP/1.1" 200 420
DEBUG:falconpy._auth_object._falcon_interface:RECEIVED: Content returned in application/json format
DEBUG:falconpy._auth_object._falcon_interface:STATUS CODE: 200
DEBUG:falconpy._auth_object._falcon_interface:RESULT: {'status_code': 200, 'headers': {'Server': 'nginx', 'Date': 'Mon, 01 Apr 2024 16:00:33 GMT', 'Content-Type': 'application/json', 'Content-Length': '420', 'Connection': 'keep-alive', 'Content-Encoding': 'gzip', 'Strict-Transport-Security': 'max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains', 'X-Cs-Region': 'us-2', 'X-Cs-Traceid': 'c88930c3-920d-4199-990a-120ae16221a7', 'X-Ratelimit-Limit': '6000', 'X-Ratelimit-Remaining': '5999'}, 'body': {'meta': {'query_time': 0.056376144, 'pagination': {'total': 14463, 'offset': 'FGluY2x1ZGVfY29udGV4dF91dWlkDnF1ZXJ5VGhlbkZldGNoAhYwTlZjNlhvaVM2LWFUYVp5NFBrMGh3AAAAACtZefAWMTBqYllacVpTd2lCZ21NVFNfQ1hyZxZkcjVSbG90V1Q4bXlXdUNDYVJiV1BnAAAAADIhV4EWV0RkSGVoNklUanVCdVZGMjNmbTNrUQ==', 'expires_at': 1711987353204342414}, 'powered_by': 'device-api', 'trace_id': 'c88930c3-920d-4199-990a-120ae16221a7'}, 'resources': ['4cfd4e7ed50f472b9aad5c0bedc839bf'], 'errors': []}}

{'status_code': 200, 'headers': {'Server': 'nginx', 'Date': 'Mon, 01 Apr 2024 16:00:33 GMT', 'Content-Type': 'application/json', 'Content-Length': '420', 'Connection': 'keep-alive', 'Content-Encoding': 'gzip', 'Strict-Transport-Security': 'max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains', 'X-Cs-Region': 'us-2', 'X-Cs-Traceid': 'c88930c3-920d-4199-990a-120ae16221a7', 'X-Ratelimit-Limit': '6000', 'X-Ratelimit-Remaining': '5999'}, 'body': {'meta': {'query_time': 0.056376144, 'pagination': {'total': 14463, 'offset': 'FGluY2x1ZGVfY29udGV4dF91dWlkDnF1ZXJ5VGhlbkZldGNoAhYwTlZjNlhvaVM2LWFUYVp5NFBrMGh3AAAAACtZefAWMTBqYllacVpTd2lCZ21NVFNfQ1hyZxZkcjVSbG90V1Q4bXlXdUNDYVJiV1BnAAAAADIhV4EWV0RkSGVoNklUanVCdVZGMjNmbTNrUQ==', 'expires_at': 1711987353204342414}, 'powered_by': 'device-api', 'trace_id': 'c88930c3-920d-4199-990a-120ae16221a7'}, 'resources': ['4cfd4e7ed50f472b9aad5c0bedc839bf'], 'errors': []}}

[jshcodes]

This one is pretty interesting. We've eliminated most of the low hanging fruit at this point. 🤔

In the Cloud9 environment, we can tweak the code slightly to force an authentication (the Uber Class doesn't authenticate until the first request is made). This will allow us to confirm a token is being generated.

Important

Do not post the response of the following code to our GitHub discussion.

import logging
from falconpy import APIHarnessV2
logging.basicConfig(level=logging.DEBUG)

uber = APIHarnessV2(client_id="<REDACTED>", client_secret="<REDACTED>", debug=True)
uber.authenticate()
print(uber.token)

I'll setup a Cloud9 environment today and try this out to see if I can recreate the issue.

[b1tf0rbyt3s]

Tried running the above in Cloud9. I get None for Token and is just a 403: {'code': 403, 'message': 'access denied, authorization failed'}.

What is interesting is that for the code above where we tested the direct client id/secret it is a 403 in the debug output and then a 401 in same output at the end with the stdout of print(results) - see below. I don't know if that means anything? Would it be an issue with urllib3?

...
DEBUG:urllib3.connectionpool:https://api.crowdstrike.com:443 "POST /oauth2/token HTTP/1.1" 403 231
DEBUG:falconpy._auth_object._falcon_interface:RECEIVED: Content returned in application/json format
ERROR:falconpy._auth_object._falcon_interface:ERROR: access denied, authorization failed
DEBUG:falconpy._auth_object._falcon_interface:STATUS CODE: 403
...
...'errors': [{'code': 401, 'message': 'access denied, invalid bearer token'}]}}

[jshcodes]

Our authentication request is definitely failing, and we're pretty sure about the keys since we're using them locally. If we call curl -s ipinfo.io/ip from the Cloud9 terminal, does it match the IP added to the Allowlist?

Both status codes are part of the API response. The 403 is from the status_code key, whereas the errors branch is a child branch of body. That is interesting. I will try and recreate this response in my testing.