AWS GuardDuty Event Collector - Error: Unable to locate credentials
Symptom
• AWS GuardDuty Event Collector (Settings -> Configurations -> Data Sources) integration failing due to authentication issues when using Role ARN:
Got an error entry for fetch incidents [Failed to execute fetch-events command in AWSGuardDutyEventCollector. Error: Unable to locate credentials] (66)
• Testing the connection also fails with the following error: Failed to execute test-module command in AWSGuardDutyEventCollector. Error: Unable to locate credentials (85)
Environment
Cortex XSIAM
Cortex XSOAR
Cause
The integration fails because no engine is selected for it while Role ARN authentication is in use. When a role is configured but the integration runs only on the server, there is no EC2 metadata from which to pull credentials, so the error appears. The integration needs to run within the AWS account. By default, the container that runs the integration is a PANW container, and these are not hosted in AWS.
Resolution
Configure the engine to run within the AWS account when using Role ARN authentication. Please refer to the documentation for more details about this authentication method and how to configure it: https://xsoar.pan.dev/docs/reference/articles/aws-integrations---authentication#using-sts-with-aws-integrations
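To confirm that the engine host can actually supply credentials, the check below can be run on it. This is an added example, not part of the original article or the integration's code. The function names are hypothetical, and it looks only at two credential sources: static keys in the process environment and the EC2 instance metadata service (IMDSv2).

```python
import os
import urllib.request

IMDS = "http://169.254.169.254/latest"  # EC2 instance metadata service (link-local address)


def imds_role_name(timeout=2):
    """Return the IAM role attached to this EC2 instance, or None if unavailable."""
    try:
        # IMDSv2: request a short-lived session token, then query with it.
        req = urllib.request.Request(
            IMDS + "/api/token", method="PUT",
            headers={"X-aws-ec2-metadata-token-ttl-seconds": "60"})
        token = urllib.request.urlopen(req, timeout=timeout).read().decode()
        req = urllib.request.Request(
            IMDS + "/meta-data/iam/security-credentials/",
            headers={"X-aws-ec2-metadata-token": token})
        body = urllib.request.urlopen(req, timeout=timeout).read().decode().strip()
        return body.splitlines()[0] if body else None
    except OSError:
        # Covers URLError, HTTPError (e.g. 404 when no role is attached) and timeouts.
        return None


def diagnose(env=None, probe=imds_role_name):
    """Report which base credential source, if any, is present on this host."""
    env = os.environ if env is None else env
    if env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY"):
        return "static keys found in environment"
    role = probe()
    if role:
        return f"instance role '{role}' available via EC2 metadata"
    # Neither source present: the state in which the SDK reports
    # "Unable to locate credentials" before the configured role can be assumed.
    return "no base credentials: expect 'Unable to locate credentials'"


if __name__ == "__main__":
    print(diagnose())
```

On a host outside AWS the metadata request times out and the last message is printed, which matches the failure described under Cause.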
Additional Information
If deploying an engine in AWS is not possible, the customer may use the Access Key and Secret Key authentication option instead: https://xsoar.pan.dev/docs/reference/articles/aws-integrations---authentication