lyft / metadataproxy

A proxy for AWS's metadata service that gives out scoped IAM credentials from STS

Metadata proxy not working with cross role #40

Closed sujithvs-dev closed 7 years ago

sujithvs-dev commented 7 years ago

We are getting the below error while using the metadata proxy with cross-account access.

_GetRoleError: (404, 'An error occurred (NoSuchEntity) when calling the GetRole operation: Role not found for r_cccContainerRole1')

Please let us know how we can resolve this issue. The metadata proxy is running as a container in AWS.

ryan-lane commented 7 years ago

Are you specifying the IAM role in the environment via ARNs? If not, are you using the @ format for multi-account? (role@account_id). For cross-account you need to do one of the above, because otherwise metadataproxy will look for the role in its own account.

Additionally, for metadataproxy to access the role, it needs to be allowed to assume it in its own IAM policy, and the role to be assumed needs to allow the root account, or the specific role to assume it. Have you granted access to the role metadataproxy is using, using a policy document on the role to be assumed?

http://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html
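To make the two prerequisites in the reply above concrete, here is an added example (not code from the metadataproxy project) that resolves an IAM_ROLE value in each of the three spellings (full ARN, role@account_id, bare role name) into a role ARN, and then checks the two policy documents involved: the trust policy on the role to be assumed, and the IAM policy on the role the proxy host runs under. All account IDs, the proxy role name and the two policy documents are constructed for the example; the target role name comes from the error in the original report. The bare-name case shows why a cross-account role fails with NoSuchEntity: it is looked up in the proxy's own account.

```python
import json
import re

# Constructed sample values (hypothetical, not from the thread).
PROXY_ACCOUNT_ID = "111111111111"          # account the metadataproxy host lives in
TARGET_ACCOUNT_ID = "222222222222"         # account that owns the container role
PROXY_ROLE_ARN = f"arn:aws:iam::{PROXY_ACCOUNT_ID}:role/metadataproxy-host"

ROLE_ARN_RE = re.compile(r"^arn:aws[a-z-]*:iam::(\d{12}):role/(.+)$")
ACCOUNT_RE = re.compile(r"^\d{12}$")


def resolve_role_arn(iam_role, own_account_id=PROXY_ACCOUNT_ID):
    """Turn an IAM_ROLE value into a full role ARN.

    Three spellings, following the reply above (the project's own parser may differ):
      "arn:aws:iam::2222...:role/foo" -> used as-is
      "foo@222222222222"              -> role foo in account 2222...
      "foo"                           -> role foo in the proxy's OWN account
    """
    iam_role = iam_role.strip()
    if ROLE_ARN_RE.match(iam_role):
        return iam_role
    if "@" in iam_role:
        name, account = iam_role.rsplit("@", 1)
        if not name or not ACCOUNT_RE.match(account):
            raise ValueError(f"bad role@account_id value: {iam_role!r}")
        return f"arn:aws:iam::{account}:role/{name}"
    return f"arn:aws:iam::{own_account_id}:role/{iam_role}"


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _allow_assume_role_statements(policy):
    """Yield Allow statements whose Action covers sts:AssumeRole."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if "sts:AssumeRole" in actions or "sts:*" in actions or "*" in actions:
            yield stmt


def trust_policy_allows(trust_policy, proxy_role_arn):
    """True if the target role's trust policy names the proxy role, or the root
    of the proxy's account, as an AWS principal allowed to sts:AssumeRole.

    Simplified: Deny statements and Condition blocks are ignored, so True is a
    necessary, not sufficient, test of the real cross-account setup.
    """
    m = ROLE_ARN_RE.match(proxy_role_arn)
    if not m:
        raise ValueError("proxy_role_arn must be an IAM role ARN")
    account_id = m.group(1)
    accepted = {proxy_role_arn, f"arn:aws:iam::{account_id}:root", account_id}
    for stmt in _allow_assume_role_statements(trust_policy):
        principal = stmt.get("Principal")
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if accepted & set(aws):
            return True
    return False


def proxy_policy_allows(host_policy, target_role_arn):
    """True if the proxy host's IAM policy allows sts:AssumeRole on target_role_arn
    (exact ARN or a '*' resource). Same simplification as trust_policy_allows."""
    for stmt in _allow_assume_role_statements(host_policy):
        if target_role_arn in _as_list(stmt.get("Resource", [])) or "*" in _as_list(stmt.get("Resource", [])):
            return True
    return False


# Constructed trust policy attached to the role in the target account.
TARGET_TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:role/metadataproxy-host"},
    "Action": "sts:AssumeRole"
  }]
}""")

# Constructed identity policy attached to the proxy host's own role.
PROXY_HOST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::222222222222:role/r_cccContainerRole1"
  }]
}""")


if __name__ == "__main__":
    for value in ("r_cccContainerRole1", "r_cccContainerRole1@222222222222"):
        arn = resolve_role_arn(value)
        print(value, "->", arn,
              "| target trusts proxy:", trust_policy_allows(TARGET_TRUST_POLICY, PROXY_ROLE_ARN),
              "| proxy may assume:", proxy_policy_allows(PROXY_HOST_POLICY, arn))
```

Both checks must pass for the assume-role call to succeed: the bare name resolves to an ARN in the proxy's account that the host policy does not cover, which is the shape of the failure in the original report, while the `role@account_id` form resolves to the cross-account ARN that both documents name.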

sujithvs-dev commented 7 years ago

Thanks for your reply. This was fixed after specifying IAM_ROLE in the "role@account_id" format.

I have one more issue. Currently the metadata proxy (running with host networking) and the other containers run on the same host. Is it possible to use the same metadata proxy from containers running on a different Docker host?

ryan-lane commented 7 years ago

You should run a metadataproxy on every single host that's running docker. It's meant to act as a sidecar process that sits in front of the metadata service, and the metadata service is local to every host.

sujithvs-dev commented 7 years ago

Thanks for your quick reply.

sujithvs-dev commented 7 years ago

I have decided to go with a non-container approach for metadataproxy. I just cloned the repo, and while executing "pip install metadataproxy" I get the error below. Could you please help?

[root@dev-ccp-met-pxy-svs metadataproxy]# pwd
/srv/metadataproxy
[root@dev-ccc-met-pxy-svs metadataproxy]# ls
CHANGELOG.md  Dockerfile.private  entrypoint.sh  LICENSE   manifest.yaml  metadataproxy.egg-info  README.md         requirements_wsgi.txt  setup.cfg  venv
Dockerfile    docker_push.sh      infra          Makefile  metadataproxy  provision.sh            requirements.txt  run-server.sh          setup.py   wsgi.py
[root@dev-ccc-met-pxy-svs metadataproxy]# pip install metadataproxy
Collecting metadataproxy
  Using cached metadataproxy-1.2.1.tar.gz
    Complete output from command python setup.py egg_info:
    Traceback (most recent call last):
      File "<string>", line 1, in <module>
      File "/tmp/pip-build-t4uhCj/metadataproxy/setup.py", line 19, in <module>
        reqs = [str(ir.req) for ir in reqs_base]
      File "/usr/lib/python2.7/site-packages/pip/req/req_file.py", line 84, in parse_requirements
        filename, comes_from=comes_from, session=session
      File "/usr/lib/python2.7/site-packages/pip/download.py", line 425, in get_file_content
        'Could not open requirements file: %s' % str(exc)
    pip.exceptions.InstallationError: Could not open requirements file: [Errno 2] No such file or directory: 'requirements.txt'

    ----------------------------------------
Command "python setup.py egg_info" failed with error code 1 in /tmp/pip-build-t4uhCj/metadataproxy/
[root@dev-ccc-met-pxy-svs metadataproxy]#

ryan-lane commented 7 years ago

Doh! I must have broken something with the packaging.

ryan-lane commented 7 years ago

Fixed in 1.2.5

sujithvs-dev commented 7 years ago

It worked. Thanks !