JuliaCloud / AWS.jl

Julia interface to AWS
MIT License

Role info isn't available via the IMDS service #652

Closed a-cakir closed 1 year ago

a-cakir commented 1 year ago

When trying to assume a role from within a docker running as part of a CI job, I got the following error:

ERROR: HTTP.Exceptions.StatusError(404, "GET", "/latest/meta-data/iam/info", HTTP.Messages.Response:
"""
HTTP/1.1 404 Not Found
Content-Type: text/xml; charset=utf-8
Server: Microsoft-IIS/10.0
Date: Thu, 27 Jul 2023 23:04:16 GMT
Content-Length: 311

<?xml version="1.0" encoding="utf-8"?>
<Error xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <Code>ResourceNotFound</Code>
    <Message>The specified resource does not exist.</Message>
    <Details>'latest' isn't a valid resource name.</Details>
</Error>""")
Stacktrace:
  [1] (::HTTP.ConnectionRequest.var"#connections#4"{HTTP.ConnectionRequest.var"#connections#1#5"{HTTP.TimeoutRequest.var"#timeouts#3"{HTTP.TimeoutRequest.var"#timeouts#1#4"{HTTP.ExceptionRequest.var"#exceptions#2"{HTTP.ExceptionRequest.var"#exceptions#1#3"{typeof(HTTP.StreamRequest.streamlayer)}}}}}})(req::HTTP.Messages.Request; proxy::Nothing, socket_type::Type, socket_type_tls::Type, readtimeout::Int64, connect_timeout::Int64, logerrors::Bool, logtag::Nothing, kw::Base.Pairs{Symbol, Union{Nothing, Int64}, Tuple{Symbol, Symbol, Symbol}, NamedTuple{(:iofunction, :decompress, :verbose), Tuple{Nothing, Nothing, Int64}}})
    @ HTTP.ConnectionRequest ~/.julia/packages/HTTP/nn2yB/src/clientlayers/ConnectionRequest.jl:144
  [2] (::Base.var"#88#90"{Base.var"#88#89#91"{ExponentialBackOff, HTTP.RetryRequest.var"#2#5"{Int64, typeof(HTTP.RetryRequest.FALSE), HTTP.Messages.Request, Base.RefValue{Int64}}, HTTP.ConnectionRequest.var"#connections#4"{HTTP.ConnectionRequest.var"#connections#1#5"{HTTP.TimeoutRequest.var"#timeouts#3"{HTTP.TimeoutRequest.var"#timeouts#1#4"{HTTP.ExceptionRequest.var"#exceptions#2"{HTTP.ExceptionRequest.var"#exceptions#1#3"{typeof(HTTP.StreamRequest.streamlayer)}}}}}}}})(args::HTTP.Messages.Request; kwargs::Base.Pairs{Symbol, Union{Nothing, Int64}, NTuple{4, Symbol}, NamedTuple{(:iofunction, :decompress, :verbose, :connect_timeout), Tuple{Nothing, Nothing, Int64, Int64}}})
    @ Base ./error.jl:296
  [3] (::HTTP.RetryRequest.var"#manageretries#3"{HTTP.RetryRequest.var"#manageretries#1#4"{HTTP.ConnectionRequest.var"#connections#4"{HTTP.ConnectionRequest.var"#connections#1#5"{HTTP.TimeoutRequest.var"#timeouts#3"{HTTP.TimeoutRequest.var"#timeouts#1#4"{HTTP.ExceptionRequest.var"#exceptions#2"{HTTP.ExceptionRequest.var"#exceptions#1#3"{typeof(HTTP.StreamRequest.streamlayer)}}}}}}}})(req::HTTP.Messages.Request; retry::Bool, retries::Int64, retry_delays::ExponentialBackOff, retry_check::Function, retry_non_idempotent::Bool, kw::Base.Pairs{Symbol, Union{Nothing, Int64}, NTuple{4, Symbol}, NamedTuple{(:iofunction, :decompress, :verbose, :connect_timeout), Tuple{Nothing, Nothing, Int64, Int64}}})
    @ HTTP.RetryRequest 
...

Cannot provide an MVE as I am not able to reproduce this error on my EC2.

omus commented 1 year ago

When running under GHA actions, GitHub uses the same local-link address that AWS uses for the IMDS service. We previously captured all unknown exceptions from the IMDS service and returned nothing in cases such as this. It makes more sense to be selective on what errors we handle so that we don't ignore internal exceptions.

There are two ways we can solve this from what I can see:

  1. Update our IMDS submodule to capture HTTP 404 status exceptions and return nothing when using IMDS.get. We may want to do this since, even when we interact with the AWS IMDS service, HTTP 404 exceptions may occur: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html#instance-metadata-returns
  2. Handle the HTTP 404 exception at the AWSCredentials level. This allows us to keep throwing 404 for other IMDS use cases.

Regardless of which option we choose, end users shouldn't see these kinds of errors when getting credentials.
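
Option 2 from the comment above, sketched as an added example that is not part of the original thread and is not code from AWS.jl or HTTP.jl: the low-level fetch keeps throwing on every error status, and only the credentials-level lookup treats a 404 as "no role info here" while letting other failures propagate. The names `StatusError`, `imds_get`, `role_info` and the three host tables are hypothetical, and the response bodies are constructed.

```julia
# Stand-alone sketch; uses no packages. All names here are hypothetical.
struct StatusError <: Exception
    status::Int
    target::String
end

# Constructed stand-ins for whatever answers on the metadata address.
# A non-AWS host (as in the CI report above) knows none of the IMDS paths.
const NON_AWS_HOST = Dict{String,Tuple{Int,String}}()
const EC2_HOST = Dict(
    "/latest/meta-data/iam/info" =>
        (200, "{\"InstanceProfileArn\": \"arn:aws:iam::000000000000:instance-profile/example\"}"),
)
const BROKEN_HOST = Dict("/latest/meta-data/iam/info" => (500, ""))

# Low-level fetch: throws on any non-2xx status, so other IMDS callers still see 404s.
function imds_get(host::Dict, path::String)
    status, body = get(host, path, (404, ""))
    200 <= status < 300 || throw(StatusError(status, path))
    return body
end

# Credentials-level lookup: a 404 means "not available"; everything else is rethrown
# so that internal or server-side failures are not silently swallowed.
function role_info(host::Dict)
    try
        return imds_get(host, "/latest/meta-data/iam/info")
    catch e
        if e isa StatusError && e.status == 404
            return nothing
        end
        rethrow()
    end
end

# 404 from a non-AWS responder: the provider reports "no role info" instead of erroring.
@assert role_info(NON_AWS_HOST) === nothing
# Normal EC2 case: the body is returned unchanged.
@assert occursin("InstanceProfileArn", role_info(EC2_HOST))
# A 500 is not hidden by the credentials layer.
err = try
    role_info(BROKEN_HOST)
catch e
    e
end
@assert err isa StatusError && err.status == 500
```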