Open jesseduffield opened 2 hours ago
Also, for the record, I'm currently using this workaround to fetch the credentials directly from IMDS:
```yaml
- name: Export temp AWS credentials from IMDS
  shell: bash
  run: |
    # IMDSv2: obtain a session token first, then send it with every metadata read
    TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
    ROLE_NAME=$(curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/iam/security-credentials/)
    CREDENTIALS=$(curl -s -H "X-aws-ec2-metadata-token: $TOKEN" "http://169.254.169.254/latest/meta-data/iam/security-credentials/$ROLE_NAME")
    # Hand the temporary credentials to later steps through the job environment
    echo "AWS_ACCESS_KEY_ID=$(echo "$CREDENTIALS" | jq -r .AccessKeyId)" >> "$GITHUB_ENV"
    echo "AWS_SECRET_ACCESS_KEY=$(echo "$CREDENTIALS" | jq -r .SecretAccessKey)" >> "$GITHUB_ENV"
    echo "AWS_SESSION_TOKEN=$(echo "$CREDENTIALS" | jq -r .Token)" >> "$GITHUB_ENV"
```
I'm trying to run AWS commands from within a docker container on my CI runner and it appears that it's failing to get credentials from IMDS:
Previously I directly stored IAM user credentials in GitHub, but I've switched to instead using the EC2InstanceCustomPolicy CloudFormation param. Other steps in the CI workflow that are outside of docker are still able to successfully do things (e.g. pushing docker images to ECR).
I wonder if this is related to what this comment says about permitting more than one network hop to access IMDS: https://github.com/hashicorp/terraform-provider-aws/issues/23110#issuecomment-1035712587
If so, could we up the number of allowed network hops so that we can access IMDS from within a docker container?
Thanks
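A defender-side check for the hop-limit theory raised in this issue, added here as an example and not the issue author's or the project's own code: it evaluates an instance's MetadataOptions (the object returned by `aws ec2 describe-instances`) and performs the same IMDSv2 credential fetch as the bash workaround with a timeout, so a token PUT that never answers from inside a container is reported as the hop-limit symptom rather than as a generic network error. The instance id and the sample option values are assumptions.

```python
"""Added example: check EC2 MetadataOptions for container IMDSv2 access and
fetch role credentials the IMDSv2 way, surfacing the hop-limit symptom."""
import json
import urllib.request

IMDS = "http://169.254.169.254"

def assess_metadata_options(opts: dict, instance_id: str = "i-PLACEHOLDER") -> dict:
    """opts = MetadataOptions from `aws ec2 describe-instances`. A container on a docker
    bridge is one hop further from IMDS than the host, so HttpPutResponseHopLimit must be >= 2."""
    hop = int(opts.get("HttpPutResponseHopLimit", 1))
    tokens = opts.get("HttpTokens", "optional")
    endpoint = opts.get("HttpEndpoint", "enabled")
    findings = []
    if endpoint != "enabled":
        findings.append("IMDS endpoint is disabled on this instance")
    if hop < 2:
        findings.append(f"hop limit {hop}: IMDSv2 token responses expire at the bridge")
    if tokens != "required":
        findings.append("IMDSv1 still allowed; require tokens instead of relying on it")
    fix = None
    if hop < 2 or tokens != "required":  # raise to 2, not higher, and keep tokens required
        fix = (f"aws ec2 modify-instance-metadata-options --instance-id {instance_id}"
               " --http-tokens required --http-put-response-hop-limit 2")
    return {"container_imdsv2_ok": endpoint == "enabled" and hop >= 2,
            "findings": findings, "fix": fix}

def fetch_role_credentials(urlopen=urllib.request.urlopen, timeout=2.0) -> dict:
    """Same flow as the issue's bash workaround: PUT for a token, GET the role name,
    GET its credentials. A PUT that never answers is the classic sign of a hop
    limit too low for where this runs, so it is reported as that, not as noise."""
    req = urllib.request.Request(f"{IMDS}/latest/api/token", method="PUT",
                                 headers={"X-aws-ec2-metadata-token-ttl-seconds": "21600"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            token = resp.read().decode()
    except OSError as exc:  # socket.timeout and urllib's URLError are both OSError
        raise RuntimeError("IMDSv2 token request failed; from a container this "
                           "usually means HttpPutResponseHopLimit is 1") from exc
    def get(path: str) -> str:
        r = urllib.request.Request(f"{IMDS}/latest/meta-data/{path}",
                                   headers={"X-aws-ec2-metadata-token": token})
        with urlopen(r, timeout=timeout) as resp:
            return resp.read().decode()

    role = get("iam/security-credentials/").strip()
    creds = json.loads(get(f"iam/security-credentials/{role}"))
    return {"AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
            "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"], "AWS_SESSION_TOKEN": creds["Token"]}
```

`urlopen` is injectable so the flow can be exercised against a fake transport off-instance; on a real runner the defaults talk to IMDS.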