search

cloudtools / ssh-cert-authority

An implementation of an SSH certificate authority.
BSD 2-Clause "Simplified" License
728 stars 71 forks source link

"Unable to determine our region" attempt w/ EC2 Instance metadata #26

Closed shatil closed 7 years ago

shatil commented 7 years ago

Does ssh-cert-authority work outside of AWS? On my laptop outside of AWS, built off 5c22404e3b6a1884450dfd02318fc36e7e261865, something attempts to read EC2 Instance metadata, and fails:

environment_name=dev ssh-cert-authority encrypt-key \
    --generate-rsa \
    --key-id arn:aws:kms:us-west-2:1234567891011:key/ssh-certificate-authority \
    --output .ssh-ca/ca-key-dev.kms
Unable to determine our region: RequestError: send request failed
caused by: Get http://169.254.169.254/latest/meta-data/placement/availability-zone: dial tcp 169.254.169.254:80: connect: host is down

I tried with and without ~/.ssh_ca/sign_certd_config.json or AWS_DEFAULT_REGION and AWS_REGION environment variables and received the same error.

I am happy to send a PR, but the only Dial invocations I see are:

$ git grep Dial
request_cert.go:        conn, err := net.Dial("unix", os.Getenv("SSH_AUTH_SOCK"))
request_cert.go:                return cli.NewExitError(fmt.Sprintf("Dial failed: %s", err), 1)
sign_cert.go:   conn, err := net.Dial("unix", os.Getenv("SSH_AUTH_SOCK"))
sign_cert.go:           return cli.NewExitError(fmt.Sprintf("Dial failed: %s", err), 1)
sign_certd.go:  sshAgentConn, err := net.Dial("unix", os.Getenv("SSH_AUTH_SOCK"))
sign_certd.go:          return cli.NewExitError(fmt.Sprintf("Dial failed: %s", err), 1)

Unrelated, but region is readily available from http://169.254.169.254/latest/dynamic/instance-identity/document rather than having to query http://169.254.169.254/latest/meta-data/placement/availability-zone and then trim the Availability Zone's last character to get the Region.

bobveznat commented 7 years ago

For some reason I decided that if I'm using a KMS key I should use the metadata service to find the region I'm in, rather than parsing it from the key id ARN, for example. Not sure why I did this.

A quick workaround for you would be to launch an AWS instance and run this generate command there. That would work. I do support setting a KmsRegion in the config file but that's for runserver, not for generate. So doesn't help you yet.

And then let me add code to make this parse the region from the key id ARN.

bobveznat commented 7 years ago

I now parse the region from the key id. I managed to generate and encrypt a key on my local computer using a command nearly identical to what you pasted so I'm pretty sure this will work for you.

shatil commented 7 years ago

Wow, you are fast 👍