confd not able to retrieve credentials with IMDSv2 #857
Comments
|
Hey @bellackj you could give my fork of confd a shot. My guess is this is due to old library versions of Config'ed an instance to require the used of IMDSv2 ... Tested with the unmaintained version... Tested with the last release from my fork... |
|
Hello,
I pulled down the forked branch but now getting error:
Config.go:14:2 cannot find package “github.com/BurntSushi/toml” in any of: …
Do I need to clone the repo to a specific directory?
jasonbellack
AWS Professional Services – Global Account Delivery
Cloud Infrastructure Architect
Charleston, SC, United States
E: ***@***.***> ***@***.*** | M: +1.843.737.2164
Thoughts on our interaction? Provide feedback <https://feedback.aws.amazon.com/?ea=bellackj&fn=Jason&ln=Bellack> here.
From: Britt Treece ***@***.***>
Sent: Tuesday, February 22, 2022 8:45 PM
To: kelseyhightower/confd ***@***.***>
Cc: Bellack, Jason ***@***.***>; Mention ***@***.***>
Subject: Re: [kelseyhightower/confd] confd not able to retrieve credentials with IMDSv2 (Issue #857)
Hey @bellackj <https://github.com/bellackj> you could give my fork of confd <https://github.com/abtreece/confd> a shot. My guess is this is due to old library versions of aws-sdk-go in this version.
Config'ed an instance to require the used of IMDSv2 ...
***@***.***:~$ aws ec2 modify-instance-metadata-options --instance-id i-0a356f51af7f5a26a --http-tokens required --http-endpoint enabled
{
"InstanceId": "i-0a356f51af7f5a26a",
"InstanceMetadataOptions": {
"State": "pending",
"HttpTokens": "required",
"HttpPutResponseHopLimit": 1,
"HttpEndpoint": "enabled"
}
}
Tested with the unmaintained version...
***@***.***:~$ ./confd-0.16.0-linux-amd64 --version
confd 0.16.0 (Git SHA: 7217b0c, Go Version: go1.10.2)
***@***.***:~$ ./confd-0.16.0-linux-amd64 --onetime --interval 5 --backend ssm
2022-02-23T01:34:10Z ip-10-20-4-149 ./confd-0.16.0-linux-amd64[1212]: INFO Backend set to ssm
2022-02-23T01:34:10Z ip-10-20-4-149 ./confd-0.16.0-linux-amd64[1212]: INFO Starting confd
2022-02-23T01:34:10Z ip-10-20-4-149 ./confd-0.16.0-linux-amd64[1212]: INFO Backend source(s) set to
2022-02-23T01:34:10Z ip-10-20-4-149 ./confd-0.16.0-linux-amd64[1212]: FATAL NoCredentialProviders: no valid providers in chain. Deprecated.
For verbose messaging see aws.Config.CredentialsChainVerboseErrors
Tested with the last release from my fork...
***@***.***:~$ confd --version
confd 0.18.4 (Git SHA: e230733, Go Version: go1.16.4)
$ confd --onetime --log-level debug --interval 5 --backend ssm
2022-02-23T01:35:32Z ip-10-20-4-149 confd[1221]: INFO Backend set to ssm
2022-02-23T01:35:32Z ip-10-20-4-149 confd[1221]: INFO Starting confd
2022-02-23T01:35:32Z ip-10-20-4-149 confd[1221]: INFO Backend source(s) set to
2022-02-23T01:35:32Z ip-10-20-4-149 confd[1221]: DEBUG Region: us-east-1
2022-02-23T01:35:32Z ip-10-20-4-149 confd[1221]: DEBUG Loading template resources from confdir /etc/confd
2022-02-23T01:35:32Z ip-10-20-4-149 confd[1221]: DEBUG Found template: /etc/confd/conf.d/basic.toml
2022-02-23T01:35:32Z ip-10-20-4-149 confd[1221]: DEBUG Loading template resource from /etc/confd/conf.d/basic.toml
2022-02-23T01:35:32Z ip-10-20-4-149 confd[1221]: DEBUG Retrieving keys from store
2022-02-23T01:35:32Z ip-10-20-4-149 confd[1221]: DEBUG Key prefix set to /
2022-02-23T01:35:32Z ip-10-20-4-149 confd[1221]: DEBUG Processing key=/database/host
2022-02-23T01:35:32Z ip-10-20-4-149 confd[1221]: DEBUG Processing key=/database/password
2022-02-23T01:35:32Z ip-10-20-4-149 confd[1221]: DEBUG Processing key=/database/port
2022-02-23T01:35:32Z ip-10-20-4-149 confd[1221]: DEBUG Processing key=/database/username
2022-02-23T01:35:32Z ip-10-20-4-149 confd[1221]: DEBUG Got the following map from store: map[/database/host:127.0.0.1 ***@***.*** /database/port:3306 /database/username:confd]
2022-02-23T01:35:32Z ip-10-20-4-149 confd[1221]: DEBUG Using source template /etc/confd/templates/basic.conf.tmpl
2022-02-23T01:35:32Z ip-10-20-4-149 confd[1221]: DEBUG Compiling source template /etc/confd/templates/basic.conf.tmpl
2022-02-23T01:35:32Z ip-10-20-4-149 confd[1221]: DEBUG Comparing candidate config to /tmp/confd-basic-test.conf
2022-02-23T01:35:32Z ip-10-20-4-149 confd[1221]: DEBUG Target config /tmp/confd-basic-test.conf in sync
—
Reply to this email directly, view it on GitHub <#857 (comment)> , or unsubscribe <https://github.com/notifications/unsubscribe-auth/AOC2MQY43AA2THU6DIXJV6LU4Q3ZPANCNFSM5OPLIYNQ> .
Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub> .
You are receiving this because you were mentioned.Message ID: ***@***.***>
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hello. I am unable to retrieve aws credentials associated with my EC2 instance Role. I believe this is due to confd using an http GET request of the instance metadata. IMDSv2 requires an http PUT request. Is there a solution for using cond with IMDSv2?
The text was updated successfully, but these errors were encountered: