Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ImdsCredentialsProvider does not follow redirects #1303

Closed
argggh opened this issue May 7, 2024 · 4 comments
Closed

ImdsCredentialsProvider does not follow redirects #1303

argggh opened this issue May 7, 2024 · 4 comments
Labels
bug This issue is a bug.

Comments

@argggh
Copy link
Contributor

argggh commented May 7, 2024

Describe the bug

When running under k8s and using kiam to proxy IAM metadata requests, requests towards /latest/meta-data/iam/security-credentials result in HTTP 301 responses with redirects to /latest/meta-data/iam/security-credentials/ (trailing slash). This is different from the behavior when accessing EC2 metadata directly, where both variants result in HTTP 200. Arguably this should be addressed kiam side, but I don't think any development is done in that project at this point. It seems the Rust SDK has chosen to address this by simply always appending the final slash: awslabs/aws-sdk-rust#560

Expected behavior

Instantiating ImdsCredentialsProvider() should be able to discover the IAM/kiam provided role associated with the running context under k8s/kiam.

Current behavior

When no profileOverride is supplied to ImdsCredentialsProvider, it fails with

Suppressed: aws.smithy.kotlin.runtime.auth.awscredentials.CredentialsProviderException: failed to load instance profile
	at aws.sdk.kotlin.runtime.auth.credentials.ImdsCredentialsProvider.resolve(ImdsCredentialsProvider.kt:83)
	at aws.sdk.kotlin.runtime.auth.credentials.ImdsCredentialsProvider$resolve$1.invokeSuspend(ImdsCredentialsProvider.kt)
	...
Caused by: aws.sdk.kotlin.runtime.config.imds.EC2MetadataError: error retrieving instance metadata
	at aws.sdk.kotlin.runtime.config.imds.ImdsClient$get$op$1$1.deserialize(ImdsClient.kt:117)

Steps to Reproduce

Instantiating ImdsCredentialsProvider under k8s/kiam.

Possible Solution

Append terminating slash to URL used for profile discovery in loadProfile.

Context

No response

AWS Kotlin SDK version used

1.1.1, relevant code appears unchanged up until 1.2.6.

Platform (JVM/JS/Native)

JVM

Operating System and version

Linux 6.1.85
@argggh argggh added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels May 7, 2024
@lauzadis
Copy link
Member

lauzadis commented May 30, 2024
edited
Loading

Thanks for the report! I've opened a PR to fix this.

@lauzadis lauzadis removed the needs-triage This issue or PR still needs to be triaged. label May 30, 2024
@lauzadis
Copy link
Member

The PR has been merged and changes will be present in the next release v1.2.24, scheduled for tomorrow.

@github-actions GitHub Actions
Copy link

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

@argggh
Copy link
Contributor Author

argggh commented Jun 3, 2024

@lauzadis Thank you so much for the extremely efficient turnaround on this issue!

@argggh argggh mentioned this issue Aug 7, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug This issue is a bug.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@argggh @lauzadis