Connecting to SQS in docker after assume role/kubernetes IAM role not working #2496
Comments
@eldarnegrinperion - Thank you for your post. It looks like this issue might be related to your network policies for the particular container. https://kubernetes.io/docs/concepts/services-networking/network-policies/ This stack overflow post might help in debugging the issue: |
no special configuration. it happens in my local environment as well - when i run the code directly (virtualenv) all is good. |
@eldarnegrinperion - Thanks for responding. I am not able to reproduce the issue with the Dockerfile you provided. I am assuming you are running this docker container in an ec2 instance as ec2 instance metadata can't be used from your local environment. |
Greetings! It looks like this issue hasn’t been active in longer than a week. We encourage you to check if this is still an issue in the latest release. Because it has been longer than a week since the last update on this, and in the absence of more information, we will be closing this issue soon. If you find that this is still a problem, please feel free to provide a comment or add an upvote to prevent automatic closure, or if the issue is already closed, please feel free to open a new one. |
sorry i missed your response. i can't even load the docker as it fails and exits as the log above i sent. i will try to run the docker with just an endless loop so i can get in exec mode and do the CURL and update results here. |
this is what i get when exec CURL to the above mentioned url from within the docker on my machine.
|
and here's my code, pretty simple:
|
Sorry for late reply. Here the problem is that you are trying to use an assume role from the docker container but when boto3 is not able to find that role it is trying to use ec2 instance metadata service and then it is giving you error. Have you tried by adding the credential file to your docker container root folder and see if that works for you?
1. docker images
2. docker run -it -d <your image id>
3. docker ps # you will get the container id for your image
4. docker attach <container id>
after running this command you will get something like this:
root@a1bf5930c4ce:/#
then execute this code
root@a1bf5930c4ce:/# python
Python 2.7.17 (default, Apr 15 2020, 17:20:14)
[GCC 7.5.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import boto3
>>> boto3.set_stream_logger('')
>>> client = boto3.client('sqs')
If you are getting the same credentials error can you add your ~/.aws folder to the root folder and again run these commands? |
I will check and get back here. One note though: I don't understand why for S3 it works ok and for SQS not? |
still no good.
|
@eldarnegrinperion - Are you running this docker inside a ec2 instance or from your local environment ? |
i tried two configurations:
|
When you are running in local environment did you add your credentials file to your docker container root folder ? Are you also getting the same error even after adding the credentials file to your docker container root folder ? |
yes i am bringing it in, /.aws/credentials + /.aws/config, and still get the error my config file holds: |
if the .aws folder wasn't in the correct folder (i.e /.aws | /home/ubuntu/.aws | /home/airflow/.aws depending on image) nothing works - S3 and all other services as well. |
In this case, were you still using an instance profile for credentials? or were you using the credentials file? Would you be able to share what your config file looks like? |
it's here above :) |
Sorry for missing that. It's quite a long thread 😄. The only thing I see that's out of the ordinary is declaring a region in the credentials file (usually only specified in the config file), but I've tested it and that seems to work fine. As an alternative, have you tried setting the |
with AWS default region it works fine. |
Hi @eldarnegrinperion, this issue was recently assigned to me so I wanted to check in. Is this still an issue, and if so do you have any updates as far as what you’ve tried doing? |
Greetings! It looks like this issue hasn’t been active in longer than five days. We encourage you to check if this is still an issue in the latest release. In the absence of more information, we will be closing this issue soon. If you find that this is still a problem, please feel free to provide a comment or upvote with a reaction on the initial post to prevent automatic closure. If the issue is already closed, please feel free to open a new one. |
it's such an old issue, but still exists. eventually it is up to you guys to decide if you want to solve it. thanks for your time :) |
I took your Dockerfile and can reproduce your error. I've determined the error is indeed caused by missing AWS configuration and credentials - they are not in the right place. The location of the AWS config and credentials file will change depending on the Docker container image you're using, so they'll need to be moved to the home directory of the user who is running the command. When using the base container image
If I do not copy them, or copy them to There was some confusion as to why you seemed to get different behavior depending on which service client you were using - S3 or SQS. You can instantiate an S3 client without a region because it assumes you would be using the global region, so you will not receive a I've ruled out any reason why |
|
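The final diagnosis above (files present but not under the home directory of the user running the process, and no region for the SQS client) can be checked before any client is created. The following is an added example, not code from the thread or from boto3: `aws_preflight` and `demo` are hypothetical names, the check uses only the standard library, and it is a simplified model of the SDK's documented lookup (`AWS_SHARED_CREDENTIALS_FILE`, `AWS_CONFIG_FILE`, `AWS_PROFILE`, `AWS_DEFAULT_REGION`, then `$HOME/.aws`).

```python
import configparser
import tempfile
from pathlib import Path


def aws_preflight(env, profile=None):
    """Report which shared files a process with this environment would read.

    Simplified model of the documented lookup: AWS_SHARED_CREDENTIALS_FILE and
    AWS_CONFIG_FILE override the defaults under $HOME/.aws.
    """
    home = Path(env.get("HOME", "/"))
    profile = profile or env.get("AWS_PROFILE", "default")
    cred_path = Path(env.get("AWS_SHARED_CREDENTIALS_FILE", home / ".aws" / "credentials"))
    conf_path = Path(env.get("AWS_CONFIG_FILE", home / ".aws" / "config"))
    creds = configparser.ConfigParser()
    conf = configparser.ConfigParser()
    creds.read(cred_path)  # a missing file is skipped, not an error
    conf.read(conf_path)
    # The config file names non-default profiles "[profile NAME]".
    section = profile if profile == "default" else f"profile {profile}"
    return {
        "credentials_file": str(cred_path) if cred_path.is_file() else None,
        "config_file": str(conf_path) if conf_path.is_file() else None,
        "static_keys": "AWS_ACCESS_KEY_ID" in env
        or creds.has_option(profile, "aws_access_key_id"),
        "assume_role": conf.has_option(section, "role_arn"),
        "region": env.get("AWS_DEFAULT_REGION")
        or conf.get(section, "region", fallback=None),
    }


def demo():
    """Constructed layout: files copied to one home, process running as another."""
    with tempfile.TemporaryDirectory() as tmp:
        aws_dir = Path(tmp, "root", ".aws")
        aws_dir.mkdir(parents=True)
        Path(tmp, "home", "airflow").mkdir(parents=True)
        # Placeholder values, not real credentials.
        (aws_dir / "credentials").write_text(
            "[default]\naws_access_key_id = EXAMPLEKEYID\n"
            "aws_secret_access_key = constructed-placeholder\n")
        (aws_dir / "config").write_text("[default]\noutput = json\n")
        right_home = aws_preflight({"HOME": str(Path(tmp, "root"))})
        wrong_home = aws_preflight({"HOME": str(Path(tmp, "home", "airflow"))})
        with_region = aws_preflight({"HOME": str(Path(tmp, "root")),
                                     "AWS_DEFAULT_REGION": "us-east-1"})
    return right_home, wrong_home, with_region
```

Inside the container, `aws_preflight(dict(os.environ))` run as the same user as the application shows which files that user actually resolves. Mounting the `.aws` directory read-only at run time, rather than copying it into the image, keeps the keys out of image layers.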
Please fill out the sections below to help us address your issue.
What issue did you see ?
logs-from-kubernetes.txt
when inside docker, can't access role assumed on computer/iam role on kubernetes
from my computer it works fine, it finds the credential and config files.
when creating s3 client all works fine. this happens only in sqs client..
Steps to reproduce
If you have a runnable example, please include it as a snippet or link to a repository/gist for larger code examples.
simple python (3.7.4) code, boto3 (1.14.2), just creating a client for sqs.
import boto3

if __name__ == '__main__':
    boto3.set_stream_logger('')
    sqs = boto3.client('sqs')
Debug logs
Full stack trace by adding
boto3.set_stream_logger('')
to your code.
here is local docker, and attached kubernetes logs file