nginxinc / nginx-s3-gateway

NGINX S3 Caching Gateway
Apache License 2.0
515 stars 127 forks source link

Check environment fails with IMDSv2 #192

Closed peter-svensson closed 10 months ago

peter-svensson commented 10 months ago

During startup a check is performed that the necessary env variables are present in the container. If using in K8s running on EC2 instances with IMDSv2 enabled/enforced the checks will fail:

/docker-entrypoint.sh: Launching /docker-entrypoint.d/00-check-for-required-env.sh
Required S3_ACCESS_KEY_ID environment variable missing
Required S3_SECRET_KEY environment variable missing

I guess the reason for this are the following lines: https://github.com/nginxinc/nginx-s3-gateway/blob/bb03e8889025b76e0af51f40882ca67672d18d28/common/docker-entrypoint.d/00-check-for-required-env.sh#L47-L48

Calling the http://169.254.169.254 endpoint requires a token (which is correctly done here for example): https://github.com/nginxinc/nginx-s3-gateway/blob/bb03e8889025b76e0af51f40882ca67672d18d28/common/etc/nginx/include/awscredentials.js#L345-L347 I guess we need to update 00-check-for-required-env.sh to fetch the token first as well, like:

elif TOKEN=`curl -X PUT --silent --fail --connect-timeout 2 --max-time 2 "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metada
ta-token-ttl-seconds: 21600"` && curl  -H "X-aws-ec2-metadata-token: $TOKEN" --output /dev/null --silent --head --fail --connect-timeout
2 --max-time 5 "http://169.254.169.254"; then 

Reference: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html#instance-metadata-returns