"no EC2 instance role found" due to incorrect iamSecurityCredsPath
#351
This is related to #198 but at some point the redirect stopped getting followed, making this a showstopper issue.
This is massive, it effectively makes aws-sdk-go-v2 unusable for anyone on kubernetes.
Thanks for reporting this issue. I created #355 to track the log option not being applied to the credential provider derived from LoadDefaultAWSConfig. Reviewing the commit history, it looks like #315 would have disabled following the redirect behavior. I think a solution to this issue is to allow redirects for GET methods. EC2 Instance Metadata service is a special case where a redirect could be used. I don't think redirects are valid to follow for any other AWS service due to request signing. With that said the SDK's #198 needs to be fixed as well to prevent the redirect in the first case.
Fixes the EC2 Instance Metadata Service client to no longer squash the trailing slash when requesting instance metadata. Related to aws#351
Fixes the iamSecurityCredsPath var to include a trailing slash preventing redirects when making requests to the EC2 Instance Metadata service. Fix aws#351
…356) Fixes the EC2 Instance Metadata Service client to no longer squash the trailing slash when requesting instance metadata. Also, fixes the iamSecurityCredsPath var to include a trailing slash preventing redirects when making requests to the EC2 Instance Metadata service. Fix #351 Related to #351
Services
===
* Synced the V2 SDK with latest AWS service API definitions.
  * Fixes aws#359

SDK Features
===

SDK Enhancements
===
* `private/protocol`: Add support for TimestampFormat in protocols (aws#358)
  * Adds support for the timestampFormat API model trait to the V2 SDK. The SDK will now generate API client parameters with the correct time format for APIs modeled with custom time stamp formats specified.
  * Fixes aws#202
  * Fixes aws#286
* `aws`: Add example for custom HTTP client idle connection options (aws#350)
  * Adds example to the SDK for configuring custom HTTP client idle connection keep alive options.

SDK Bugs
===
* `private/model/api`: Fix API doc being generated with wrong value (aws#359)
  * Fixes the SDK's generated API documentation for structure member being generated with the wrong documentation value when the member was included multiple times in the model doc-2.json file, but under different types.
  * V2 port of to v1 aws/aws-sdk-go#2748
* `aws/ec2rolecreds`: Fix security creds path to include trailing slash (aws#356)
  * Fixes the iamSecurityCredsPath var to include a trailing slash preventing redirects when making requests to the EC2 Instance Metadata service.
  * Fixes aws#351
* `service/dynamodb/expression`: Improved reporting of bad key conditions (aws#360)
  * Improved error reporting when invalid key conditions are constructed using KeyConditionBuilder
I concur with @CannibalVox. This is failing for my app operating from within an EKS node running on fargate.
Version of AWS SDK for Go?
# github.com/aws/aws-sdk-go-v2 v0.10.0
Version of Go (`go version`)?
go1.11.5
What issue did you see?
Attempting to run something equivalent to the README.md example:
Steps to reproduce
Reproduction requires an EC2 instance where EC2ws returns a 301 for a GET of `http://169.254.169.254/latest/meta-data/iam/security-credentials` (without trailing slash) with a with-trailing-slash Location in the 301. On most instances I have checked, except this one particular t2.xlarge in us-west-2, that GET returns the listing of profiles instead of the 301 redirect. There is no proxy in front of EC2ws on this instance. This is in-the-wild EC2ws behavior that aws-sdk-go-v2 needs to handle.
Related papercuts
While debugging this, none of the obvious approaches to get logging from EC2RoleProvider worked:
Setting the LogLevel on the Config returned by LoadDefaultAWSConfig did not work.
This produced no output.
Passing the log level to LoadDefaultAWSConfig did not work.
This also produced no output.
At least one of the above approaches should have resulted in EC2RoleProvider logging its requests. I had to resort to editing a vendored aws-sdk-go-v2 (modifying aws.NewClient to always set the LogLevel, ignoring the config) in order to get debug logging from an EC2RoleProvider created by external.LoadDefaultAWSConfig—that's not reasonable.
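The redirect behaviour reported in this issue, and the GET-only redirect policy suggested in the maintainer's comment, reproduced offline as an added example (not part of the original issue and not the SDK's code). The `httptest` server is a constructed stand-in for the metadata service; `newFakeIMDS`, `noRedirects`, `getOnlyRedirects` and `fetch` are hypothetical names, and the same-host check is an extra assumption of this example.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

const credsPath = "/latest/meta-data/iam/security-credentials" // path from the issue

// newFakeIMDS is a constructed stand-in: 301 without the trailing slash, role listing with it.
func newFakeIMDS() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path == credsPath {
			http.Redirect(w, r, credsPath+"/", http.StatusMovedPermanently)
			return
		}
		fmt.Fprint(w, "example-role") // constructed role name
	}))
}

func noRedirects(*http.Request, []*http.Request) error { return http.ErrUseLastResponse } // never follow

// getOnlyRedirects follows a redirect only for a GET; the same-host check is this example's assumption.
func getOnlyRedirects(req *http.Request, via []*http.Request) error {
	if via[0].Method == http.MethodGet && req.URL.Host == via[0].URL.Host {
		return nil
	}
	return http.ErrUseLastResponse
}

// fetch issues one GET under the given redirect policy and returns status and body.
func fetch(url string, policy func(*http.Request, []*http.Request) error) (int, string, error) {
	resp, err := (&http.Client{CheckRedirect: policy}).Get(url)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return resp.StatusCode, string(body), err
}

func main() {
	srv := newFakeIMDS()
	defer srv.Close()
	fmt.Println(fetch(srv.URL+credsPath, noRedirects))      // redirect surfaces to the caller
	fmt.Println(fetch(srv.URL+credsPath+"/", noRedirects))  // trailing slash: no redirect issued
	fmt.Println(fetch(srv.URL+credsPath, getOnlyRedirects)) // GET redirect followed
}
```

Requesting the path with the trailing slash avoids the redirect entirely, so it works under either policy.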