mp911de
commented
6 months ago We don't pass on any session headers to the metadata service. To support this, the following requirements would have to be defined:
- Who creates a session token
- How is the token provided to the auth mechanism?
- Who maintains TTL and how is a new token created/provided?
In a JWT/Kubernetes environment, the platform provides such details and ensures recent information stored in a file. Spring Vault is by no means authoritative of creating and maintaining yet another set of tokens so I suggest that you create your own ClientAuthentication implementation, potentially based on AwsEc2Authentication to explore provisioning and runtime operations.
With sufficient details from a broader community we can work on a path to enable session-bound usage of the identity service.
brantg
When using NiFi (which uses Spring Vault 3.1.0 under the hood) on an EC2 instance with IMDSv2 set to 'Required', we get the error message "Cannot obtain Identity Document from http://169.254.169.254/latest/dynamic/instance-identity/document".
If we toggle IMDSv2 on the EC2 instance to 'Optional', the error does not appear.
Reviewing the latest version of Spring Vault, it seems to me that this would still be the case with 3.1.1.
We raised the issue with NiFi and they advised us to raise it instead as an issue with Spring Vault.