Closed pbrisbin closed 1 year ago
pbrisbin
commented
1 year ago Thanks for the review, addressing these things now. Is there a reason isEC2 uses "http://instance-data/latest", while the rest of the calls use "http://169.254.169.254/latest/"? Does that need to be preserved? It makes it annoying to DRY the token-handling and is the reason I missed it on first coding.
EDIT: it was trivial to preserve, as far as I can tell, so I did.
endgame
commented
1 year ago Is there a reason
isEC2uses"http://instance-data/latest", while the rest of the calls use"http://169.254.169.254/latest/"?
I believe that in most cases, it's faster to attempt name resolution and have a local nameserver reply "nope", than it is to wait for an addressed TCP connection to the IMDS address to fail to open. Otherwise, you get a stall in any amazonka program not running on EC2 if the earlier auth methods fail to find keys.
pbrisbin
commented
1 year ago Thanks for the quick merge!
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html
A few caveats:
This requests a new token on every separate use a
get. It would be better to support requesting a token first and re-using it across many calls, but the current interface doesn't support that and would have to be re-designed. I'm happy to do that, if given guidance on preferred ergonomics (ReaderT? Explicit argument passing? Set up theManagerwith amodifyRequest?)The timeout of 21600 comes from the docs. We could probably go shorter given point one.
I don't have any easy way to verify that this works. Does there happen to be integration test coverage?
Closes #745.