Default EC2RoleProvider ignores HTTPClient configuration #504
Comments
For some reason the provider still doesn't work. Now I use this:

s.Config.HTTPClient.Transport = &http.Transport{Dial: viaBastionDialer}
// Copy HTTPClient configuration for EC2RoleProvider
s.Config.Credentials = defaults.CredChain(s.Config, defaults.Handlers())

With debugging enabled:
Ah, I think I might be hitting the fact that I'm still using the
I got it working in the end with this:

useClient := *http.DefaultClient
useClient.Transport = &http.Transport{Dial: viaBastionDialer}
s.Config.HTTPClient = &useClient
s.Config.Credentials = defaults.CredChain(s.Config, defaults.Handlers())

Are there likely to be any other HTTPClients that I've missed?
Hi @pwaller, thanks for contacting us. The condition you found is limited to the EC2Metadata client used by EC2RoleProvider. The SDK did not expect the default http client to be the one modified, but for clients to create new http clients based on their need. The deadlines are only intended to be used if the HTTP client is not the default client. This was done with the intention that the default client wouldn't be modified. If there is any other type of check that would be helpful for the SDK to use I'd definitely be up to consider it.
Digging into this a bit deeper, the SDK could be updated to determine if the passed in client has been modified from the zero state http.Client, which is the original form of http.DefaultClient. If the HTTP client was modified in any way from the default http client state the SDK should not make any additions and use the passed in client as is.

reflect.DeepEqual(*cfg.HTTPClient, http.Client{})
The EC2Metadata Client was incorrectly overriding the http.DefaultClient when users had modified the default client's parameters. The metadata client will now only set its alternate dial timeout if no http client was provided, or if the provided client was never modified from the original http.Client{} form. Also updates the logic so DefaultTransport is reused instead of hardcoded. Fix #504
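The zero-state check described in the comment and commit message above, as an added example that is not part of the thread or the SDK's own code. The names tunnelDialer, errTunnelOnly, isZeroClient, metadataClient and dialsViaTunnel and the 5-second timeout are assumptions made for illustration; the dialer never opens a connection, so the example runs offline.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"reflect"
	"time"
)

// errTunnelOnly marks a dial that reached the custom dialer (constructed for this example).
var errTunnelOnly = errors.New("dial handled by tunnel dialer")

// tunnelDialer is a hypothetical stand-in for viaBastionDialer. It never opens
// a connection, so no traffic leaves the machine.
func tunnelDialer(ctx context.Context, network, addr string) (net.Conn, error) {
	return nil, errTunnelOnly
}

// isZeroClient reports whether c is nil or still equal to http.Client{},
// the state http.DefaultClient starts in.
func isZeroClient(c *http.Client) bool {
	return c == nil || reflect.DeepEqual(*c, http.Client{})
}

// metadataClient (hypothetical helper) applies a short timeout only when the
// caller supplied no customised client; a customised client is returned as is.
func metadataClient(c *http.Client) *http.Client {
	if isZeroClient(c) {
		return &http.Client{Timeout: 5 * time.Second} // assumed value
	}
	return c
}

// dialsViaTunnel sends one request with c and reports whether tunnelDialer handled it.
func dialsViaTunnel(c *http.Client) bool {
	_, err := c.Get("http://169.254.169.254/latest/meta-data/")
	return errors.Is(err, errTunnelOnly)
}

func main() {
	custom := *http.DefaultClient // shallow copy, as in the workaround above
	custom.Transport = &http.Transport{DialContext: tunnelDialer}
	fmt.Println(isZeroClient(http.DefaultClient), isZeroClient(&custom))
	fmt.Println(dialsViaTunnel(metadataClient(&custom)))
}
```

The comparison looks only at the http.Client struct, so a change made to the shared http.DefaultTransport leaves the client looking unmodified.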
Thanks for the fix there. I guess there are still two issues remaining for anyone hitting this problem to beware:
Workarounds to these issues:
These are hard to fix in the Go AWS SDK because:
To conclude: Could we fix (1) in
@pwaller you are correct. Since the EC2RoleProvider is created when a #509 was opened which touches on this issue, and the data race that was introduced because of this change.
Aha. So with #511 now the transport is not touched. So (2) no longer applies from the above post. That's a great start. I see two remaining problems:
Fixes a broken unit test missed when implementing aws#487.
I don't know if my desire is reasonable here, but I have some code which tunnels AWS commands over an SSH connection to an EC2 instance by switching out the http.Transport.Dial function. I had this (conceptual) code working in the distant past but at some point it stopped working, I think some time around when aws-sdk-go moved out of labs.

I expected the command to use the AWS credentials available from the perspective of viaBastionDialer, however with some debugging I determined that it was using the default HTTP dialer.

Reading the code I think the reason is that the default credentials provider is constructed by copying the aws.Config to the EC2RoleProvider, rather than sharing a reference.

I can work around this by overriding the Credentials on my session, but I'm more concerned about writing future code where my HTTPClient choices are not respected. I write this up here at least so that there is something to search for if I hit this issue again.

Is there a good workaround, or way of setting HTTPClient so that it takes effect everywhere, or not?