Empty Expiration #23

Closed
sgwozdz opened this issue Sep 4, 2019 · 3 comments
Labels
bug Something isn't working

sgwozdz commented Sep 4, 2019

I have some issues with setting it up correctly. Credentials are in place but Expiration is always empty and exceptions are thrown because of that.
I'm trying to use this image for the most basic scenario to debug an application which uses DynamoDB.

I've tried to manually add an expiration to the credentials file, but it didn't work.

Example response from /creds:
{ "AccessKeyId": "not empty", "Expiration": "", "RoleArn": "", "SecretAccessKey": "not empty", "Token": "not empty" }

@PettitWesley
Contributor

@sgwozdz This happens when you're using the /creds path for temporary credentials and the local endpoints container itself is running using temporary credentials.

Local Container Endpoints supports 2 methods to retrieve credentials:

  1. Temporary credentials from /creds. This path has 2 cases.
    a) The local container endpoints container was given non-temporary credentials. In this case, it makes a call to STS to get a temporary session based on the current non-temporary credentials.
    b) The local container endpoints container was given temporary credentials. In this case, it is not allowed to make a call to STS to get another set of temporary creds. So instead it just returns the current set of temporary credentials that it is using. However, it does not know when these creds will expire, so it can not set the expiration. You can see the code here: https://github.com/awslabs/amazon-ecs-local-container-endpoints/blob/master/local-container-endpoints/handlers/credentials_handler.go#L185
  2. Temporary credentials from an IAM role via /role/<role name>.

So the fix is to change the set of base credentials which you are giving the local endpoints container. Can you give it a set of permanent credentials?

If you need more help, can you please give me more information on how you are running local container endpoints, where it gets its credentials, your config, etc.
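
A client-side check for the condition described in the comment above, as an added example that is not part of the original thread or the project's code: it classifies a `/creds` response body and flags the empty `Expiration` case (1b). The type, error and function names are this example's own, and it assumes `Expiration` is an RFC 3339 timestamp when present.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// CredsResponse mirrors the fields of the /creds response quoted in this issue.
type CredsResponse struct {
	AccessKeyId, Expiration, RoleArn, SecretAccessKey, Token string
}

// Hypothetical error values, one per reason a client could reject the response.
var (
	ErrMissingKey    = errors.New("access key or secret key is empty")
	ErrNoExpiration  = errors.New("Expiration is empty: base credentials are temporary (case 1b)")
	ErrBadExpiration = errors.New("Expiration is not an RFC 3339 timestamp")
	ErrExpired       = errors.New("credentials are already expired")
)

// CheckCreds parses a /creds body and returns nil only if a client can use and refresh it.
func CheckCreds(body []byte, now time.Time) error {
	var c CredsResponse
	if err := json.Unmarshal(body, &c); err != nil {
		return fmt.Errorf("not a JSON credentials document: %w", err)
	}
	if c.AccessKeyId == "" || c.SecretAccessKey == "" {
		return ErrMissingKey
	}
	if c.Expiration == "" { // the symptom reported in this issue
		return ErrNoExpiration
	}
	exp, err := time.Parse(time.RFC3339, c.Expiration)
	if err != nil {
		return fmt.Errorf("%w: %v", ErrBadExpiration, err)
	}
	if !exp.After(now) {
		return ErrExpired
	}
	return nil
}

func main() {
	// Constructed sample with the same shape as the response quoted in the issue.
	sample := []byte(`{"AccessKeyId":"not empty","Expiration":"","RoleArn":"","SecretAccessKey":"not empty","Token":"not empty"}`)
	fmt.Println(CheckCreds(sample, time.Now()))
}
```
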

@PettitWesley self-assigned this on Sep 9, 2019
@PettitWesley added the response-requested and bug labels and removed the response-requested label on Sep 9, 2019
@PettitWesley
Contributor

Also, can you give us more information about the exceptions you're seeing with dynamo?

I'm marking this as a bug because you said it broke your workflow. However, because of what I described above this would be difficult to fix. The only solution is probably to set a fake expiration on the credentials response.

@hencrice
Contributor

Closed due to lack of activity.
