hazelcast / hazelcast-aws

AWS EC2 discovery plugin for hazelcast

Handle different iam roles between members #214

Open trp-trpht40 opened 4 years ago

trp-trpht40 commented 4 years ago

We are currently running 2 different sets of Hazelcast members that use different IAM roles. The members currently discover each other, but once the member from the 2nd group using a different IAM role joins, the discovery plugin on the 1st group of members is trying to use the role for the second group as well and failing.

1st member group discovery configuration:

<discovery-strategy enabled="true" class="com.hazelcast.aws.AwsDiscoveryStrategy">
    <properties>
        <property name="iam-role">ec2-group1</property>
        <property name="region">us-east-1</property>
        <property name="tag-key">Hazelcast-env</property>
        <property name="tag-value">dev</property>
        <property name="hz-port">5701</property>
    </properties>
</discovery-strategy>

2nd member group discovery configuration:

<discovery-strategy enabled="true" class="com.hazelcast.aws.AwsDiscoveryStrategy">
    <properties>
        <property name="iam-role">ec2-group2</property>
        <property name="region">us-east-1</property>
        <property name="tag-key">Hazelcast-env</property>
        <property name="tag-value">dev</property>
        <property name="hz-port">5701</property>
    </properties>
</discovery-strategy>

Once group 2 members join the cluster, on Group 2 members we see the following logs:

Caused by: com.hazelcast.config.InvalidConfigurationException: Unable to lookup role in URI: http://169.254.169.254/latest/meta-data/iam/security-credentials/ec2-group1
    at com.hazelcast.aws.utility.MetadataUtil.retrieveMetadataFromURI(MetadataUtil.java:78)
    at com.hazelcast.aws.utility.MetadataUtil$1.call(MetadataUtil.java:109)

Expected behavior is to let Group1 members and Group2 members keep using their respective IAM roles as provided in the configuration and not override them.

mtyazici commented 3 years ago

Hello @trp-trpht40,

I tried recreating the issue using two different IAM roles for connecting two clusters and there seems to be no problem. Is the issue still present? If that is the case, could you provide more information?
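
One way to gather the information requested above, as an added example that is not part of the thread or of hazelcast-aws: on a member that logs the lookup error, compare the configured `iam-role` with the role names the instance metadata endpoint lists. The function names and the embedded sample are assumptions made for illustration; the live lookup is a plain GET like the URI in the log.

```python
# Added diagnostic, not hazelcast-aws code. Function names are hypothetical.
import sys
import urllib.request
import xml.etree.ElementTree as ET

# Role-listing endpoint; the failing URI in the log is this path plus a role name.
IMDS_ROLES_URL = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"

# Constructed sample: group 1's discovery block as posted in the issue.
GROUP1_CONFIG = """
<discovery-strategy enabled="true" class="com.hazelcast.aws.AwsDiscoveryStrategy">
  <properties>
    <property name="iam-role">ec2-group1</property>
    <property name="region">us-east-1</property>
  </properties>
</discovery-strategy>
"""

def _local(tag):
    # Drop an XML namespace prefix such as "{http://...}property".
    return tag.rsplit("}", 1)[-1]

def configured_role(xml_text):
    """Return the iam-role set on the AwsDiscoveryStrategy block, or None."""
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "discovery-strategy":
            continue
        if not el.get("class", "").endswith("AwsDiscoveryStrategy"):
            continue
        for prop in el.iter():
            if _local(prop.tag) == "property" and prop.get("name") == "iam-role":
                return (prop.text or "").strip() or None
    return None

def check_role(xml_text, imds_listing):
    """Compare the configured role with the names the metadata service lists."""
    wanted = configured_role(xml_text)
    attached = [ln.strip() for ln in imds_listing.splitlines() if ln.strip()]
    if wanted is None:
        return True, "no iam-role configured"
    if wanted in attached:
        return True, f"iam-role {wanted!r} is attached to this instance"
    return False, f"iam-role {wanted!r} is not attached; instance lists {attached}"

if __name__ == "__main__":
    # Usage on a member: python check_role.py /path/to/hazelcast.xml
    with open(sys.argv[1]) as fh, urllib.request.urlopen(IMDS_ROLES_URL, timeout=2) as resp:
        ok, message = check_role(fh.read(), resp.read().decode())
    print(message)
    sys.exit(0 if ok else 1)
```

On instances that require IMDSv2 session tokens the plain GET is rejected; in that case obtain the listing separately and pass it to `check_role`.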