nginxinc / nginx-s3-gateway

NGINX S3 Caching Gateway
Apache License 2.0

Deploying into ECS | sessionToken not found #198

Closed snssays closed 8 months ago

snssays commented 8 months ago

Describe the bug

I have deployed the nginx-s3-gateway into an AWS ECS container. Gave the ECS Task role the read permissions for the bucket. I am using sigv4 and it requires AWS_SESSION_TOKEN. Apparently ECS Task role doesn't populate AWS_SESSION_TOKEN. It populates only AWS_ACCESS_KEY_ID & AWS_SECRET_ACCESS_KEY. Because of that I am getting 404.

To Reproduce

I am following the template you guys provided for ECS.

Expected behavior

Session token needs to be populated and access to S3 should happen.

Your environment

Additional context

        Jan 11 10:38:06.593 mkdocs-s3-privatelink at sessionToken (/etc/nginx/include/awscredentials.js:83)
        Jan 11 10:38:06.593 mkdocs-s3-privatelink 2024/01/11 16:38:06 [error] 74#74: *15 js exception: TypeError: cannot get property "sessionToken" of undefined
        Jan 11 10:38:06.593 mkdocs-s3-privatelink at s3auth (/etc/nginx/include/s3gateway.js:184)
        Jan 11 10:38:06.593 mkdocs-s3-privatelink at signatureV4 (/etc/nginx/include/awssig4.js:51)

4141done commented 8 months ago

Thank you for your report. Let me look into this and get back to you. Would you be able to provide an example of how you are starting the gateway? A redacted settings file or docker run command would be helpful in diagnosing. At first glance it looks like no credentials are present based on the stack trace, but I'll need to dig in further. Knowing how configuration is being provided would be helpful.

snssays commented 8 months ago

Yes, not even access id, session token, security token. None are present. Instead that fetchCredentials method, I couldn't find where it's being called in sigv4.

I am using a Fargate with ECS approach. I used CDK and generated a CloudFormation template. I made sure that the task role has read/list permissions on bucket and bucket/*. I am not using a settings file; instead I am using environment variables which are provided in the CFTemplate by you guys.

I am using these env variables.

        S3_BUCKET_NAME: mainBucketName,
        S3_SERVER: `s3.${this.region}.amazonaws.com`,
        S3_SERVER_PORT: '443',
        S3_SERVER_PROTO: 'https',
        S3_REGION: this.region,
        S3_STYLE: 'default',
        DEBUG: 'true',
        AWS_SIGS_VERSION: '4',
        ALLOW_DIRECTORY_LIST: 'true',

I am using your nginxinc/nginx-s3-gateway:latest-20231222 image. Using regular docker run <image-name>.

snssays commented 8 months ago

It's working now. My health check path wasn't /health. I overrode it and I believe that was the default.

4141done commented 8 months ago

Glad to hear it! I'm going to close the issue for now. Please feel free to reopen if you feel there is an issue here. I'll take a look at that code to see if there can be a better error message in this case.
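
Added example (not part of the thread and not code from nginx-s3-gateway): the stack trace above is a TypeError raised because the credentials object was undefined when sessionToken was read. The sketch below validates a task-role credentials document and guards the token lookup so the failure is reported without echoing any secret value. It assumes the JSON field names returned by the ECS container credentials endpoint (AccessKeyId, SecretAccessKey, Token, Expiration); the function names are hypothetical.

```javascript
// Added example; function names are hypothetical, not nginx-s3-gateway's.
const REQUIRED = ['AccessKeyId', 'SecretAccessKey', 'Token', 'Expiration'];

// Constructed sample of a task-role credentials response (no real values).
const SAMPLE_BODY = JSON.stringify({
  AccessKeyId: 'ASIAEXAMPLEKEYID', SecretAccessKey: 'constructed-secret',
  Token: 'constructed-token', Expiration: '2030-01-01T00:00:00Z',
});

// Parse and validate the credentials JSON. Errors name the missing field
// or the failed check, never a field's value, so secrets stay out of logs.
function parseTaskCredentials(body, nowMs) {
  let doc;
  try {
    doc = JSON.parse(body);
  } catch (e) {
    throw new Error('credentials response is not valid JSON');
  }
  if (doc === null || typeof doc !== 'object') {
    throw new Error('credentials response is not a JSON object');
  }
  const missing = REQUIRED.filter(
    (k) => typeof doc[k] !== 'string' || doc[k].length === 0);
  if (missing.length > 0) {
    throw new Error('credentials response is missing: ' + missing.join(', '));
  }
  // Date.parse returns NaN for a bad timestamp; NaN > nowMs is false.
  if (!(Date.parse(doc.Expiration) > nowMs)) {
    throw new Error('credentials are expired or have an invalid Expiration');
  }
  return {
    accessKeyId: doc.AccessKeyId,
    secretAccessKey: doc.SecretAccessKey,
    sessionToken: doc.Token,
    expiration: doc.Expiration,
  };
}

// Guard for the signing path: an absent credentials object becomes an
// actionable error instead of a TypeError on `.sessionToken`.
function sessionTokenFor(credentials) {
  if (!credentials) {
    throw new Error('no AWS credentials loaded before signing');
  }
  return credentials.sessionToken;
}
```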