AWS S3 Data Connector Scripts on MacOS - Cannot bind argument to parameter 'Message' because it is null.

[mvisser-nhb]

Describe the bug
I installed Powershell on MacOSX and downloaded the AWS S3 Data Connector Scripts, I am using AWS profiles with SSO connected to my entra ID so I have AWS cli configured with multiple profiles for multiple AWS accounts.

I get stuck with the script after filling in the role name and workspace id.

 .\ConfigAwsConnector.ps1


Starting ConfigAwsConnector at: 11/28/2024 11:12:40
  Log created: /Users/***/Downloads/AWS S3 Data Connector Scripts/ConfigAwsComToAzureCom/Logs/AwsS3-11281112.csv


To begin you will choose the AWS logs to configure.

Please enter the AWS log type to configure (VPC, CloudTrail, GuardDuty, CloudWatch, CustomLog): CloudTrail

Checking AWS CLI configuration...


This script creates an Assume Role with minimal permissions to grant Azure Sentinel access to your logs in a designated S3 bucket & SQS of your choice, enable CloudTrail Logs, S3 bucket, SQS Queue, and S3 notifications.

  Notes:
  * You can find more information about the script in https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/AWS-S3/README.md
  * If a resource name(like: S3, Sqs, Kms) already exists, the script will use the available one and not create a new resource


Checking existing OIDC provider
  OIDC provider already exists
  Approved client IDs: api://1462b192-***
  Client ID api://1462b192-***** is already approved


Assume role definition

Please enter role name. If you have already configured an assume role for Azure Sentinel, use the same role name: ****
  Using role name: OIDC_*** with OIDC prefix because OpenID Connect authentication is being used.

You must specify the the Azure Sentinel Workspace ID. This is found in the Azure Sentinel portal.

Please enter your Azure Sentinel External ID (Workspace ID): ****
  Using Azure Sentinel Workspace ID: ***
Write-Log: /Users/***/Downloads/AWS S3 Data Connector Scripts/ConfigAwsComToAzureCom/Utils/HelperFunctions.ps1:74
Line |
  74 |                  Write-Log -Message $error[0] -LogFileName $LogFileNam …
     |                                     ~~~~~~~~~
     | Cannot bind argument to parameter 'Message' because it is null.
Retrying...

Please enter role name. If you have already configured an assume role for Azure Sentinel, use the same role name:

stripped my data from the logs, replaced by stars

To Reproduce

• Install Powershell on MacOS
• Download and extract the files from the following link: AWS S3 Setup Script.
• run export AWS_PROFILE="mycompany-production"
• run aws sso login
• run pwsh ./ConfigAwsConnector.ps1

Expected behavior
The script should create the data connector resources in my selected profile

Screenshots

Desktop (please complete the following information):

• OS: 15.1.1 (24B91)
• PowerShell 7.4.6

Additional context
also tried within pwsh interactive shell

[v-visodadasi]

Hi @mvisser-nhb , Thanks for flagging this issue, we will investigate this issue and get back to you with some updates. Thanks!

[mvisser-nhb]

Thanks @v-visodadasi, let me know if you need anymore information or if MacOS is just not supported. I will try it on Windows next.

[v-sudkharat]

@mvisser-nhb, can you please follow steps mentioned here -#8717 (comment)
As, previously one of the cx was facing same issue.

[mvisser-nhb]

As mentioned in the issue I do have AWS cli already configured, so I am not sure what you want me to do extra?

[mvisser-nhb]

I think maybe the scripts don't work with AWS sso, as I do have a SSO_TOKEN in my ~/.aws/credentials

[v-sudkharat]

@mvisser-nhb, yes.
and want to understand, were exactly the error occurred? Is that after defining the log type or after defining the Assume role definition.
You can also share the log file over here which get generated in Logs folder of the extracted zip path.

Thanks!

[v-sudkharat]

@mvisser-nhb, waiting for the response. Thanks!

[mvisser-nhb]

Hi @v-sudkharat, these are the logs

"Time","Message","Severity"
"12-12-2024 14:22","Starting ConfigAwsConnector at: 12/12/2024 14:22:10","Information"
"12-12-2024 14:22","Log created: /Users/***/Downloads/AWS S3 Data Connector Scripts/ConfigAwsComToAzureCom/Logs/AwsS3-12121422.csv","Information"
"12-12-2024 14:22","To begin you will choose the AWS logs to configure.","Information"
"12-12-2024 14:22","Checking AWS CLI configuration...","Information"
"12-12-2024 14:22","Starting CloudTrail data connector configuration script","Verbose"
"12-12-2024 14:22","This script creates an Assume Role with minimal permissions to grant Azure Sentinel access to your logs in a designated S3 bucket & SQS of your choice, enable CloudTrail Logs, S3 bucket, SQS Queue, and S3 notifications.","Information"
"12-12-2024 14:22","Notes:","Information"
"12-12-2024 14:22","* You can find more information about the script in https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/AWS-S3/README.md","Information"
"12-12-2024 14:22","* If a resource name(like: S3, Sqs, Kms) already exists, the script will use the available one and not create a new resource","Information"
"12-12-2024 14:22","Checking existing OIDC provider","Information"
"12-12-2024 14:22","Executing Set-RetryAction","Verbose"
"12-12-2024 14:22","Executing: aws sts get-caller-identity --query 'Account' --output text","Verbose"
"12-12-2024 14:22","751***","Verbose"
"12-12-2024 14:22","Executing: aws iam get-open-id-connect-provider --open-id-connect-provider-arn 'arn:aws:iam::751***:oidc-provider/sts.windows.net/33e01921-4d64-***/' 2>&1","Verbose"
"12-12-2024 14:22","{     ""Url"": ""sts.windows.net/33e01921-4d64-***/"",     ""ClientIDList"": [         ""api://1462b192-27f7-***""     ],     ""ThumbprintList"": [         ""626d44e704d1ceabe3bf0d53397464ac8080142c""     ],     ""CreateDate"": ""2024-11-28T10:08:11.083000+00:00"",     ""Tags"": [] }","Verbose"
"12-12-2024 14:22","OIDC provider already exists","Information"
"12-12-2024 14:22","Approved client IDs: api://1462b192-27f7-***","Information"
"12-12-2024 14:22","Client ID api://1462b192-27f7-*** is already approved","Information"
"12-12-2024 14:22","Assume role definition","Information"
"12-12-2024 14:22","Executing Set-RetryAction","Verbose"
"12-12-2024 14:23","Executing: aws iam get-role --role-name OIDC_***-azure-sentinel-role-1 2>&1| Out-Null","Verbose"
"12-12-2024 14:23","Using role name: OIDC_OIDC_***-azure-sentinel-role-1 with OIDC prefix because OpenID Connect authentication is being used.","Information"
"12-12-2024 14:23","You must specify the the Azure Sentinel Workspace ID. This is found in the Azure Sentinel portal.","Information"
"12-12-2024 14:25","Using Azure Sentinel Workspace ID: a4d79f2d-38c6-***","Information"
"12-12-2024 14:25","Executing: aws iam create-role --role-name OIDC_OIDC_***-azure-sentinel-role-1 --assume-role-policy-document {
            \""Version\"": \""2012-10-17\"",
            \""Statement\"": [
                {
                    \""Effect\"": \""Allow\"",
					\""Principal\"": {
						\""Federated\"": \""arn:aws:iam::751***:oidc-provider/sts.windows.net/33e01921-4d64-***/\""
					},
                    \""Action\"": \""sts:AssumeRoleWithWebIdentity\"",
					\""Condition\"": {
						\""StringEquals\"": {
							\""sts.windows.net/33e01921-4d64-***/:aud\"": \""api://1462b192-27f7-***\"",
							\""sts:RoleSessionName\"": \""MicrosoftSentinel_a4d79f2d-38c6-***\""
						}
					}
                }
            ]
        } --tags {\""Key\"": \""Operator\"", \""Value\"": \""Microsoft_Sentinel_Automation_Script\""} 2>&1","Verbose"
"12-12-2024 14:25","System.Management.Automation.RemoteException Error parsing parameter '--tags': Invalid JSON: Expecting property name enclosed in double quotes: line 1 column 3 (char 2) JSON received: [{\""Key\"": \""Operator\"", \""Value\"": \""Microsoft_Sentinel_Automation_Script\""}]","Verbose"
"12-12-2024 14:25","Retrying...","Information"
"12-12-2024 14:25","Executing: aws iam get-role --role-name OIDC_***-azure-sentinel-role-1 2>&1| Out-Null","Verbose"
"12-12-2024 14:25","Using role name: OIDC_OIDC_***-azure-sentinel-role-1 with OIDC prefix because OpenID Connect authentication is being used.","Information"
"12-12-2024 14:25","You must specify the the Azure Sentinel Workspace ID. This is found in the Azure Sentinel portal.","Information"
"12-12-2024 14:25","Using Azure Sentinel Workspace ID: a4d79f2d-38c6-***","Information"
"12-12-2024 14:25","Executing: aws iam create-role --role-name OIDC_OIDC_***-azure-sentinel-role-1 --assume-role-policy-document {
            \""Version\"": \""2012-10-17\"",
            \""Statement\"": [
                {
                    \""Effect\"": \""Allow\"",
					\""Principal\"": {
						\""Federated\"": \""arn:aws:iam::751***:oidc-provider/sts.windows.net/33e01921-4d64-***/\""
					},
                    \""Action\"": \""sts:AssumeRoleWithWebIdentity\"",
					\""Condition\"": {
						\""StringEquals\"": {
							\""sts.windows.net/33e01921-4d64-***/:aud\"": \""api://1462b192-27f7-***\"",
							\""sts:RoleSessionName\"": \""MicrosoftSentinel_a4d79f2d-38c6-***\""
						}
					}
                }
            ]
        } --tags {\""Key\"": \""Operator\"", \""Value\"": \""Microsoft_Sentinel_Automation_Script\""} 2>&1","Verbose"
"12-12-2024 14:25","System.Management.Automation.RemoteException Error parsing parameter '--tags': Invalid JSON: Expecting property name enclosed in double quotes: line 1 column 3 (char 2) JSON received: [{\""Key\"": \""Operator\"", \""Value\"": \""Microsoft_Sentinel_Automation_Script\""}]","Verbose"
"12-12-2024 14:25","Cannot bind argument to parameter 'Message' because it is null.","Error"
"12-12-2024 14:30","Executing: aws iam get-role --role-name ***-azure-sentinel-role-1 2>&1| Out-Null","Verbose"
"12-12-2024 14:31","Using role name: OIDC_***-azure-sentinel-role-1 with OIDC prefix because OpenID Connect authentication is being used.","Information"
"12-12-2024 14:31","You must specify the the Azure Sentinel Workspace ID. This is found in the Azure Sentinel portal.","Information"
"12-12-2024 14:31","Using Azure Sentinel Workspace ID: a4d79f2d-38c6-***","Information"
"12-12-2024 14:31","Executing: aws iam create-role --role-name OIDC_***-azure-sentinel-role-1 --assume-role-policy-document {
            \""Version\"": \""2012-10-17\"",
            \""Statement\"": [
                {
                    \""Effect\"": \""Allow\"",
					\""Principal\"": {
						\""Federated\"": \""arn:aws:iam::751***:oidc-provider/sts.windows.net/33e01921-4d64-4f8c-***/\""
					},
                    \""Action\"": \""sts:AssumeRoleWithWebIdentity\"",
					\""Condition\"": {
						\""StringEquals\"": {
							\""sts.windows.net/33e01921-4d64-4f8c-***/:aud\"": \""api://1462b192-27f7-***\"",
							\""sts:RoleSessionName\"": \""MicrosoftSentinel_a4d79f2d-38c6-***\""
						}
					}
                }
            ]
        } --tags {\""Key\"": \""Operator\"", \""Value\"": \""Microsoft_Sentinel_Automation_Script\""} 2>&1","Verbose"
"12-12-2024 14:31","System.Management.Automation.RemoteException Error parsing parameter '--tags': Invalid JSON: Expecting property name enclosed in double quotes: line 1 column 3 (char 2) JSON received: [{\""Key\"": \""Operator\"", \""Value\"": \""Microsoft_Sentinel_Automation_Script\""}]","Verbose"
"12-12-2024 14:31","Cannot bind argument to parameter 'Message' because it is null.","Error"
"12-12-2024 14:31","Action was unsuccessful after 3 attempts. Please review the errors and try again.","Error"

[v-sudkharat]

@mvisser-nhb, Thanks for sharing the log's, able to replicate the error which pasted here.
Actually, the issue occurs due to the -

1. The incorrect role which you have defined after the Log Type.
2. The defined role may not have the required roles and permissions to it.
   And also, could you please check for the required configuration has been correctly done in AWS side to get unblocked from the issue. Thanks!