Open nickdnk opened 18 hours ago
Update. This is not actually a problem. The credentials in the check are not being used, they only determine the behavior of the sqs configuration parameters. I have made a PR in the sqs repo detailing this. See https://github.com/roadrunner-server/sqs/pull/570
Second update: It actually is a problem, but for different reasons than originally stated, because of this code in the current version of the SQS plugin:
As it doesn't detect ECS Fargate as an "AWS environment", it overrides the working credentials from the AWS SDK (from LoadDefaultConfig
) with static ones (NewStaticCredentialsProvider
), which are not provided to the ECS containers. My PR linked above also resolves this issues by simply getting completely rid of the logic that tries to determine if we're running in an AWS environment and putting that responsibility on the configuration instead.
No duplicates 🥲.
What should be improved or cleaned up?
It seems the SQS plugin only checks for EC2, not for ECS Fargate, when it is considering dynamic IAM credentials. This means that when running in containers, you would have to provide an explicit access key instead of relying on the IAM role for the task.
In order to use ECS credentials, the endpoint is
169.254.170.2
(and not169.254.169.254
) followed by the contents of the ENV variableAWS_CONTAINER_CREDENTIALS_RELATIVE_URI
or justAWS_CONTAINER_CREDENTIALS_FULL_URI
, if available. I'm unsure why both these variables exist, but it may be some BC compatibility.The current implementation checks only the EC2 endpoint (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html) at https://github.com/roadrunner-server/sqs/blob/master/sqsjobs/driver.go#L32
You can see how the PHP SDK makes this call when used inside AWS ECS containers: https://github.com/aws/aws-sdk-php/blob/master/src/Credentials/EcsCredentialProvider.php#L192
You probably don't even need to hit the endpoint to check. If these variables are not available, it is not running in ECS:
I put this under Chore as it's somewhere between a Feature Request (IAM credentials already supported) and a bug (doesn't work if in an ECS container).