Closed peter-svensson closed 10 months ago
During startup a check is performed that the necessary env variables are present in the container. If using in K8s running on EC2 instances with IMDSv2 enabled/enforced the checks will fail:
```
/docker-entrypoint.sh: Launching /docker-entrypoint.d/00-check-for-required-env.sh
Required S3_ACCESS_KEY_ID environment variable missing
Required S3_SECRET_KEY environment variable missing
```
I guess the reason for this is the following lines: https://github.com/nginxinc/nginx-s3-gateway/blob/bb03e8889025b76e0af51f40882ca67672d18d28/common/docker-entrypoint.d/00-check-for-required-env.sh#L47-L48
Calling the http://169.254.169.254 endpoint requires a token (which is correctly done here for example): https://github.com/nginxinc/nginx-s3-gateway/blob/bb03e8889025b76e0af51f40882ca67672d18d28/common/etc/nginx/include/awscredentials.js#L345-L347

I guess we need to update 00-check-for-required-env.sh to fetch the token first as well, like:

```sh
elif TOKEN=`curl -X PUT --silent --fail --connect-timeout 2 --max-time 2 "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` &&
     curl -H "X-aws-ec2-metadata-token: $TOKEN" --output /dev/null --silent --head --fail --connect-timeout 2 --max-time 5 "http://169.254.169.254"; then
```
Reference: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html#instance-metadata-returns
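A probe that tries the IMDSv2 token flow first and only then falls back to a tokenless request, as an added example that is not part of the original issue or the project's code. The names `imds_mode`, `IMDS_BASE`, `IMDS_CURL` and `fake_imdsv2_enforced` are hypothetical, and the stub is a constructed stand-in for an instance with IMDSv2 enforced so the logic can be exercised offline.

```shell
#!/bin/sh
# Added example (not the project's code). IMDS_CURL is a hypothetical override
# that lets the probe run against a stub instead of the real curl binary.
IMDS_BASE="${IMDS_BASE:-http://169.254.169.254}"
IMDS_CURL="${IMDS_CURL:-curl}"

# Prints how the metadata service answered:
#   v2   - a session token was issued and a token-authenticated GET succeeded
#   v1   - no token could be obtained, but a tokenless GET succeeded
#   none - neither worked (returns non-zero)
imds_mode() {
  token=$("$IMDS_CURL" -X PUT --silent --fail --connect-timeout 2 --max-time 2 \
      -H "X-aws-ec2-metadata-token-ttl-seconds: 60" \
      "$IMDS_BASE/latest/api/token") || token=""
  if [ -n "$token" ] && "$IMDS_CURL" --silent --fail --output /dev/null \
      --connect-timeout 2 --max-time 5 \
      -H "X-aws-ec2-metadata-token: $token" "$IMDS_BASE/latest/meta-data/"; then
    echo v2
    return 0
  fi
  # No usable token. From inside a pod this can also mean the instance's
  # PUT response hop limit is 1, so the token reply never reaches the container.
  if "$IMDS_CURL" --silent --fail --output /dev/null \
      --connect-timeout 2 --max-time 5 "$IMDS_BASE/latest/meta-data/"; then
    echo v1
    return 0
  fi
  echo none
  return 1
}

# Constructed stub: behaves like an endpoint with IMDSv2 enforced.
# It issues a token on PUT, accepts requests carrying that token, and
# fails everything else with 22, the exit code curl --fail uses for HTTP 401.
fake_imdsv2_enforced() {
  case "$*" in
    *"-X PUT"*"/latest/api/token"*) echo "constructed-token"; return 0 ;;
    *"X-aws-ec2-metadata-token: constructed-token"*) return 0 ;;
    *) return 22 ;;
  esac
}
```

Running `IMDS_CURL=fake_imdsv2_enforced; imds_mode` prints `v2`, while a tokenless request against the same stub fails, which is the failure the startup check hits.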