Fix IAM issue when using mock credential provider #5014
Conversation
Example: Hologram (by adroll) does not implement all the handlers on http://169.254.169.254/ instead it only responds to the IAM related urls, such as http://169.254.169.254/latest/meta-data/iam/security-credentials/ Therefore change it to be the url we connect.
|
@akazakov I have also made Hologram mimic the behaviour terraform is expecting here AdRoll/hologram#71 |
|
@ikalinin thanks! |
|
@radeksimko Please let me know if I need to do something here to help this get merged. |
|
cc @catsby Given that hologram has made this change, this isn't as important anymore, but I'm still trying to understand your motivation for this: What other things do you expect to be listening on an obscure link-local/unroutable IP address? Is this intended as a GCE vs. EC2 check? It seems unlikely that one would find anything else that happens to be listening on that IP:port that also responds sensibly to the |
|
Hi all,
I'd say potentially some things may listen on the APIPA range if you're running terraform off your laptop as the network conditions change often. The current check is likely to change, as AWS said the header we're checking is not documented and may not work in the future. However I'm still in favour of some kind of checks as well as @catsby is (I believe):
I think the recently suggested way of checking in the linked issue would probably make it slightly easier for Hologram to implement: as far as I understand the docs we could just check that {
"devpayProductCodes" : null,
"availabilityZone" : "us-east-1d",
"privateIp" : "10.158.112.84",
"version" : "2010-08-31",
"region" : "us-east-1",
"instanceId" : "i-3d168483",
"billingProducts" : null,
"instanceType" : "t1.micro",
"accountId" : "123456789012",
"pendingTime" : "2015-11-19T16:32:11Z",
"imageId" : "ami-5fb8c835",
"kernelId" : "aki-919dcaf8",
"ramdiskId" : null,
"architecture" : "x86_64"
}I have also refactored the auth code over in #5030 - it is currently missing the checks - effectively includes the change in this PR, but as I mentioned, I'd like to put some checks back while keeping the code clean (e.g. not having the metadata API endpoint URL hardcoded, but relying on the SDK instead). If AWS says they don't want that built into the SDK, I'm likely going to add such check into #5030 . |
|
I'm currently working on the mentioned verification logic in upstream (AWS Go SDK) and I was re-reading my code in #5030 and I think we can come up with a compromise. By default Terraform will keep verifying authenticity of EC2 metadata endpoint, but will also allow the user to specify the endpoint URL via ENV variable What do you think of the proposed solution? |
radeksimko
added
the
waiting-response
radeksimko
changed the title
|
Hi all, The refactored AWS credentials provider isn't checking headers anymore. It instead uses standard way of verifying EC2 metadata endpoint as recommended by AWS: This method seems to be supported by Hologram, so no changes should be necessary on that side either - the next release Thank you very much for bringing our attention to this. Also see #6535 |
radeksimko
removed
the
waiting-response
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. |
ghost
locked and limited conversation to collaborators
Example: Hologram (by adroll) does not implement all the handlers on
http://169.254.169.254/
instead it only responds to the IAM related urls, such as
http://169.254.169.254/latest/meta-data/iam/security-credentials/
Therefore change it to be the url we connect to.
To determine if the IAM provider is available we simply check for no error on GET for that url.