-
-
Notifications
You must be signed in to change notification settings - Fork 227
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
EC2 credentials discovery fails (instance-data host gone?) #271
Comments
That is concerning. The Which region and instance type are you encountering this issue on? |
ap-southeast-2, t2.small Is there a reason you can't just use this:
like you do in all the other calls? |
Because it relies on name resolution failure, instead of a timeout. If In the interim, if you're deploying to EC2 I'd suggest using |
Ah, thanks for the explanation, that makes good sense. And thanks for the workaround, it covers my use case since I don't need to deploy this multi-region. If I think of any ideas for quick, robust way to implement |
I just ran into this same issue. I would suggest not worrying about the overloaded host issue so much unless you have good reason to. My reasoning is that generally finding credentials is done at startup. If the host is already overloaded and you start a new process you are probably in for trouble already. |
Another issue with timeout is after searching for relevant environment variables or On a development machine that incorrectly sets environment or credential information, failure will always block for the timeout length. |
I'm going to share some information here from a colleague of mine who discovered what is likely the root cause and one possible solution: It appears |
@brendanhay Thanks for the explanation, I was wondering why |
I'm having some trouble with this when running on the ec2 instance.
Is there some way to do this when the role name is not known?
|
@AlistairB did you check whether Note that, contrary to what the documentation suggests, However, you can find out the role at runtime (and before initializing your |
@kim Thanks for the comment. Didn't realise it will still run the isEC2 logic. Yes Good point, I will manually hit the metadata endpoint to retrieve the role and create env with |
You can just create an entry in your /etc/hosts for instance-data to the metadata ip, ie, 169.254.169.254, and it should just work. You don't have to go fiddling with the DNS for your whole VPC. That's how we're working around this issue for now. |
This comment has been minimized.
This comment has been minimized.
Just a note that according to AWS, instance-data is an undocumented feature and shouldn't be relied upon. |
@koterpillar did you want to put a different link in your reply probably? |
You are right, here is a reply from an AWS employee about this instead. |
@brendanhay we are also impacted by this issue. These are the only officially recognized ways to identify an EC2 instance: None of them is ideal, each is a compromise (accuracy - false positive scenario / false negative scenarios, availability/dependencies, forward-compatibility). CC @amarpotghan |
I had the same issue I believe is better to follow the AWS boto3 credentials chain, because boto3 did not fail in the same situation:
|
@realdimas I've tested your solution, If you are using docker, like me, it will fail |
Possible workarounds:
|
Too gnarly for 2.0. Someone will need to poke around on a bunch of instances (PV, HVM, Amazon Linux, other distros) and see whether we can reliably get a system UUID without needing root. If we could determine that easily and quickly, then we could make a query against |
There is some prior work on the general question "how do we know if we're on an EC2 instance, and how can we be sure of that?" 1 provides a pretty thorough review of options. There is also AWS' doc at 2 which basically recommends hitting the instance meta-data url and inspect the instance identity documents 3. The document provides a few parameters that could be useful for this, and the document is signed, so it can be verified. WRT timeouts for non-EC2, it might be useful to make that timeout configurable, or disable this check completely (empower users with a method for overrides). |
I'm trying to use Discover for credentials from on an AWS EC2 instance and it's throwing this exception:
"MissingFileError \"/root/.aws/credentials\"
However I've had a look at the code that's doing this and this function seems like Amazon might have broken a dependency.
https://github.com/brendanhay/amazonka/blob/develop/amazonka/src/Network/AWS/EC2/Metadata.hs#L282
When I try to run this via ssh on my EC2 instance I get the following:
but if I try the following it works:
I couldn't find anything on AWS's docs about them removing that hostname. What do you think?
The text was updated successfully, but these errors were encountered: