aws / aws-sdk-java-v2

The official AWS SDK for Java - Version 2
Apache License 2.0

Metadata Service call does not support Proxy #1830

Open sybeck2k opened 4 years ago

sybeck2k commented 4 years ago

Describe the bug

The EC2 Metadata service API call does not allow for configuration of a Proxy. This is required for example for Kube2Iam to work in Proxy mode.

Expected Behavior

The ConnectionUtils should be able to support a proxy - ideally it should be replaced with the standard ApacheHttpClient.

Current Behavior

Configuring a Proxy in ApacheHttpClient does not affect ConnectionUtils:

2020-05-13 11:05:57,971 main DEBUG LoggerContext[name=77556fd, org.apache.logging.log4j.core.LoggerContext@f1da57d] started OK.
2020-05-13 11:05:58 [main] DEBUG software.amazon.awssdk.regions.providers.AwsRegionProviderChain:57 - Unable to load region from software.amazon.awssdk.regions.providers.SystemSettingsRegionProvider@89c10b7:Unable to load region from system settings. Region must be specified either via environment variable (AWS_REGION) or  system property (aws.region).
2020-05-13 11:05:58 [main] DEBUG software.amazon.awssdk.http.apache.ApacheHttpClient:84 - Configuring Proxy. Proxy Host: 10.0.0.1
Exception in thread "main" software.amazon.awssdk.core.exception.SdkClientException: Unable to load credentials from service endpoint.
    at software.amazon.awssdk.core.exception.SdkClientException$BuilderImpl.build(SdkClientException.java:98)
    at software.amazon.awssdk.auth.credentials.HttpCredentialsProvider.refreshCredentials(HttpCredentialsProvider.java:110)
    at software.amazon.awssdk.utils.cache.CachedSupplier.refreshCache(CachedSupplier.java:132)
    at software.amazon.awssdk.utils.cache.CachedSupplier.get(CachedSupplier.java:89)

Steps to Reproduce

With Kube2Iam in Proxy mode, and the SDK configured to use InstanceProfileCredentialsProvider, make any call to any service, for example:

import java.net.URI;
import java.net.URISyntaxException;

import software.amazon.awssdk.auth.credentials.InstanceProfileCredentialsProvider;
import software.amazon.awssdk.core.client.config.ClientOverrideConfiguration;
import software.amazon.awssdk.http.apache.ApacheHttpClient;
import software.amazon.awssdk.http.apache.ProxyConfiguration;
import software.amazon.awssdk.services.sts.StsClient;

public class Repro {
    public static void main(String[] args) throws URISyntaxException {
        // Proxy settings for the Apache HTTP client used by the STS client.
        ProxyConfiguration.Builder proxyConfig = ProxyConfiguration.builder();

        ApacheHttpClient.Builder httpClientBuilder =
                ApacheHttpClient.builder()
                        .proxyConfiguration(proxyConfig
                                .addNonProxyHost("*.amazonaws.com,<KUBE_API_IP>:443")
                                .endpoint(new URI("http://<HOST_IP>:8181"))
                                .build());

        ClientOverrideConfiguration.Builder overrideConfig =
                ClientOverrideConfiguration.builder();
        // Credentials are fetched from the EC2 metadata endpoint; that call goes
        // through ConnectionUtils, not through the proxied ApacheHttpClient above.
        StsClient stsClient = StsClient.builder()
                .httpClientBuilder(httpClientBuilder)
                .overrideConfiguration(overrideConfig.build())
                .credentialsProvider(InstanceProfileCredentialsProvider.builder().build())
                .build();
        stsClient.getCallerIdentity();
    }
}

will fail.

Possible Solution

Replace ConnectionUtils with the standard ApacheHttpClient. ConnectionUtils is currently used only for the metadata calls.

Context

Kube2Iam in Proxy mode in Openshift 4

Your Environment
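
An added check, not part of this issue report or of the SDK's own code, for confirming on a host whether the metadata (IMDS) credential fetch actually traverses the configured proxy: a stand-in proxy records every request it receives, the STS client is pointed at it through ApacheHttpClient, and the program reports whether any /latest/... request ever arrived. The class name, the local port 8181 (standing in for kube2iam's proxy mode) and the region are assumptions.

```java
import java.net.InetSocketAddress;
import java.net.URI;
import java.util.List;
import java.util.concurrent.CopyOnWriteArrayList;
import com.sun.net.httpserver.HttpServer;
import software.amazon.awssdk.auth.credentials.InstanceProfileCredentialsProvider;
import software.amazon.awssdk.http.apache.ApacheHttpClient;
import software.amazon.awssdk.http.apache.ProxyConfiguration;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.sts.StsClient;

public class ImdsProxyCheck {
    // Request lines observed by the stand-in proxy (constructed for this check).
    static final List<String> seen = new CopyOnWriteArrayList<>();

    public static void main(String[] args) throws Exception {
        // Stand-in for the proxy (assumed port): log each request and answer 404,
        // so nothing is ever handed back to the SDK as a credential.
        HttpServer proxy = HttpServer.create(new InetSocketAddress("127.0.0.1", 8181), 0);
        proxy.createContext("/", exchange -> {
            seen.add(exchange.getRequestMethod() + " " + exchange.getRequestURI());
            exchange.sendResponseHeaders(404, -1);
            exchange.close();
        });
        proxy.start();

        // Same wiring as the report: proxy configured on the Apache client only.
        ApacheHttpClient.Builder httpClient = ApacheHttpClient.builder()
                .proxyConfiguration(ProxyConfiguration.builder()
                        .endpoint(URI.create("http://127.0.0.1:8181"))
                        .build());
        try (StsClient sts = StsClient.builder()
                .region(Region.US_EAST_1) // assumed; avoids a region lookup via IMDS
                .httpClientBuilder(httpClient)
                .credentialsProvider(InstanceProfileCredentialsProvider.create())
                .build()) {
            sts.getCallerIdentity();
        } catch (Exception e) {
            // Expected: credential fetch or the 404 from the stand-in proxy fails the call.
        } finally {
            proxy.stop(0);
        }

        // With the bug present, the IMDS token/credential requests never show up here;
        // only the STS request itself (if credentials were obtained directly) does.
        boolean imdsViaProxy = seen.stream().anyMatch(l -> l.contains("/latest/"));
        System.out.println("requests seen at proxy: " + seen);
        System.out.println("IMDS request routed through proxy: " + imdsViaProxy);
    }
}
```

On a host where the SDK honours the proxy for metadata calls the output lists PUT/GET /latest/... lines; with the behaviour described in this issue it lists at most the STS request.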

zoewangg commented 4 years ago

Marking this as a feature request. PRs are welcome! :)