Netflix / denominator

Portably control DNS clouds using java or bash
Apache License 2.0

denominator asking credentials for Amazon EC2 IAM profile based node #255

Closed vigith closed 9 years ago

vigith commented 11 years ago

In the latest version (4.3.3) the denominator binary is asking for credentials for an IAM profile based node, which wasn't the case on the older version.

New Version

adm1@packages$ ./denominator-cli version
Denominator 4.3.3
Java version: 1.6.0_24

adm1@packages$ ./denominator-cli -p route53 record -z prod.example.net. replace -d 4.3.2.1 --type A --name foobar.prod.example.net --ttl 300
;; in zone prod.example.net. replacing rrset foobar.prod.example.net A with values: [{address=4.3.2.1}] and ttl 300
;; error: no credentials supplied. route53 requires one of the following forms: when type is accessKey: accessKey,secretKey; session: accessKey,secretKey,sessionToken

Old Version

adm1@packages$ /usr/local/bin/denominator-cli version
Denominator 1.2.1-SNAPSHOT
Java version: 1.6.0_24

adm1@packages$ /usr/local/bin/denominator-cli -p route53 record -z prod.example.net. replace -d 1.2.3.4 --type A --name foobar.prod.example.net --ttl 300
;; in zone prod.example.net. replacing rrset foobar.prod.example.net A with values: [{address=1.2.3.4}] and ttl 300
;; ok

codefromthecrypt commented 11 years ago

just some hints as I can't dig further today

that error message is generated here: https://github.com/Netflix/denominator/blob/master/core/src/main/java/denominator/CredentialsConfiguration.java

possibly originating from https://github.com/Netflix/denominator/blob/master/core/src/main/java/denominator/Denominator.java line 92

jbouse commented 10 years ago

I can confirm the same behavior with 4.3.3. Testing on various previously released versions shows that the break occurs with 3.7.0, as all versions I tested between 1.3.0 and 3.6.0 worked but any version from 3.7.0 fails. I haven't attempted to bisect the commits between the 3.6.0 and 3.7.0 releases to find exactly where the break was introduced, though.

codefromthecrypt commented 9 years ago

crazy latency, but I plan to spend a bit of time in denominator. ping back if you'd still like this addressed!

vigith commented 9 years ago

Yes please :-)

On Tue, Jan 27, 2015 at 10:10 PM, Adrian Cole notifications@github.com wrote:

crazy latency, but I plan to spend a bit of time in denominator. ping back if you'd still like this addressed!

regards, vigith maurice

jbouse commented 9 years ago

This is actually a key feature in being able to fully utilize denominator along with other AWS utilities and not have to worry about configuring credentials. You already are doing this when you define the IAM role for the instance that you're going to be running denominator from. If every app is requiring you to configure credentials, it becomes a heavy-handed burden that is prone to errors.

The other advantage is that the IAM role credentials rotate, which adds to a better security footprint on your AWS cloud deployment.

codefromthecrypt commented 9 years ago

I will make sure this works before cutting 4.4
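
The fallback this thread asks for, as an added example (not denominator's code): explicit credentials are used when supplied; otherwise the instance-profile document is mapped to the `session` form named in the error message and re-fetched shortly before it expires. `CredentialChain`, `fetch_profile`, `REFRESH_MARGIN` and the sample document are hypothetical or constructed; on a real node `fetch_profile` would read the role's credential document from the EC2 instance metadata service.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of the JSON document the EC2 instance metadata service
# returns for an instance-profile role (every value is a placeholder).
SAMPLE_IMDS_DOC = json.dumps({
    "Code": "Success",
    "Type": "AWS-HMAC",
    "AccessKeyId": "ASIAEXAMPLEEXAMPLE",
    "SecretAccessKey": "constructed-secret",
    "Token": "constructed-session-token",
    "Expiration": "2015-01-28T12:00:00Z",
})

REFRESH_MARGIN = timedelta(minutes=5)  # assumed safety margin before expiry


class CredentialChain:
    """Explicit credentials win; otherwise fall back to the instance profile."""

    def __init__(self, explicit=None, fetch_profile=None, now=None):
        self.explicit = explicit            # dict of supplied credentials, or None
        self.fetch_profile = fetch_profile  # callable returning the IMDS JSON text
        self.now = now or (lambda: datetime.now(timezone.utc))
        self._cached = None
        self._expires = None

    def resolve(self):
        if self.explicit:
            return dict(self.explicit)
        if self.fetch_profile is None:
            raise LookupError("no credentials supplied and no instance profile")
        # Role credentials rotate, so re-fetch once the cached set nears expiry.
        if self._cached is None or self.now() >= self._expires - REFRESH_MARGIN:
            doc = json.loads(self.fetch_profile())
            if doc.get("Code") != "Success":
                raise LookupError("instance profile returned %r" % doc.get("Code"))
            self._expires = datetime.strptime(
                doc["Expiration"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            # Temporary credentials carry a token, so they map to the three-part
            # "session" form rather than the two-part "accessKey" form.
            self._cached = {"accessKey": doc["AccessKeyId"],
                            "secretKey": doc["SecretAccessKey"],
                            "sessionToken": doc["Token"]}
        return dict(self._cached)
```

Caching until shortly before `Expiration` keeps the metadata lookup off the hot path while still picking up rotated keys without any operator action.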