-
Notifications
You must be signed in to change notification settings - Fork 594
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Provide utilities for accessing EC2 Instance Metadata Service #4004
Comments
@nwalters512 thanks for opening this issue, I see it is implemented in go-v2 https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/aws/ec2metadata as well, I'll discuss the feature with the team and update you soon. |
+1 I have aborted the migration to v3 because of this -- it does not make sense to migrate all my clients but still keep |
Similar, I have also aborted upgrade to v3, this is an extremely critical piece of our infrastructure as we use it to determine which of our instances in the elastic beanstalk environment is the 'first' one as it does the cron jobs. Please, @RanVaknin escalate this as a priority for the team as there is already signs this part of your SDK has been neglected. See aws/aws-sdk-js#3584 |
@ajredniwja It's been almost 5 months, can you share an update from your team? I'd be happy to work on PR for this if it's something that y'all would accept. |
@kuhe pulling in another amazon employee here. Considering that these irritating 4-line warnings are now spamming my dev team's console on every run, yet we are literally unable to migrate due to an incomplete v3 offering, this kind of unresponsiveness is very concerning and now reaching levels of being unacceptable. |
Hi all, I apologize for the long wait. I'll try to get someone to take a look, but since we have some higher priority issues they will probably take precedence. I'll do my best. |
Hi @nwalters512 , I've discussed it with the team. Each SDK has implemented this in a different fashion. This likely will not be transformed into its own Additionally, if you'd like to take a stab at cutting a PR, I'll have someone review it. Thanks! |
@RanVaknin I'm not looking to customize If you want a specific use case: I want to be able to discover the instance ID of the host on which my code is running. But in general, I want to be able to fetch any of the categories of information listed here: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-categories.html. If you're not willing to implement this as a separate client package (e.g. |
As I'm becoming unsure of whether this will be providing similar functionality to v2, below is my use case in TypeScript: The code is basically saying, 'is this current instance the first instance in the array of instances in my elastic beanstalk environment? if so, I consider this to be the 'master' instance, and I want this to be my Cron job runner.'. It is incomplete in the first 10 lines as I just cut and paste some bits together to tell the story. Notice the casting of MetadataService to the
|
I'm now receiving warnings about the impending deprecation of the v2 SDK (aws/aws-sdk-js#4354):
|
I'm using the below js v3 sdk version
Environment : EKS Pod EC2 - worker
Pod is getting the role This part of the code is assuming the pod role
Response
This above code returns the following response
Complete code snippet
|
@psk200 that looks unrelated to this issue, which is specifically about making requests directly to the metadata service. As far as I can tell, your comment is just about obtaining credentials from the metadata service, which indeed works correctly. If you're experiencing any problems with that, please open a separate issue. |
It's now over 2 months since the last comment. Is there an ETA on this? What are the minimal changes I am supposed to make to the existing code above (#4004 (comment))? |
Same here |
I ultimately built and published a small package to make talking to IMDS easier: |
Hi this is also blocking our migration to v3. |
@RanVaknin I elaborated on the use case as requested back in February, and it's now almost 6 months later, in Q2 of 2023, when v2 is supposed to be dropped in favor of v3. Zero follow up, zero alternative method or code examples provided, just putting things off over and over. This is placing my team in an increasingly risky scenario as year end approaches, and I think that's it's fair that some sort of conclusion is brought to this issue. If not, please tell me the appropriate person to escalate this issue to. |
Hi @nwalters512, could I ask you to clarify what exactly the "easy way to access information from the EC2 Instance Metadata Service" might look like for you? Are you specifically requesting a client that can access things like, say instanceID? You mention |
I don't want to prescribe any particular solution here. At a high level, I just don't want to have to worry about IMDS tokens: fetching, refreshing, TTLs, error handling, retries, etc. If that manifests as an almost-direct port of v2's |
Gone are the days when AWS focused on reducing undifferentiated heavy lifting. Today, AWS creates problems for us developers that we didn't have in the past. |
Problem: We did not attach the token to IMDS calls, resulting in IMDSv1 being used. The SDK does support using tokens but only for calls to the endpoint `/latest/meta-data/iam/security-credentials/`. https://github.com/aws/aws-sdk-js/blob/3333f8b49283f5bbff823ab8a8469acedb7fe3d5/lib/metadata_service.js#L123-L235 Solution: Call the "private" sdk method to get the token so code isn't duplicated, and attach that in the header of our calls just like the sdk does for the above endpoint. AWS SDK v3 does not support token handling aws/aws-sdk-js-v3#4004
Problem: We did not attach the token to IMDS calls, resulting in IMDSv1 being used. The SDK does support using tokens but only for calls to the endpoint `/latest/meta-data/iam/security-credentials/`. https://github.com/aws/aws-sdk-js/blob/3333f8b49283f5bbff823ab8a8469acedb7fe3d5/lib/metadata_service.js#L123-L235 Solution: Call the "private" sdk method to get the token so code isn't duplicated, and attach that in the header of our calls just like the sdk does for the above endpoint. AWS SDK v3 does not support token handling aws/aws-sdk-js-v3#4004
* fix: use IMDSv2 for all metadata service calls. Problem: We did not attach the token to IMDS calls, resulting in IMDSv1 being used. The SDK does support using tokens but only for calls to the endpoint `/latest/meta-data/iam/security-credentials/`. https://github.com/aws/aws-sdk-js/blob/3333f8b49283f5bbff823ab8a8469acedb7fe3d5/lib/metadata_service.js#L123-L235 Solution: Call the "private" sdk method to get the token so code isn't duplicated, and attach that in the header of our calls just like the sdk does for the above endpoint. AWS SDK v3 does not support token handling aws/aws-sdk-js-v3#4004 * add imdsv1 fallback and changelog
@siddsriv has created https://www.npmjs.com/package/@aws-sdk/ec2-metadata-service. import { MetadataService } from "@aws-sdk/ec2-metadata-service";
const metadataService = new MetadataService({
ec2MetadataV1Disabled: true,
});
const token = await metadataService.fetchMetadataToken();
const metadata = await metadataService.request("/latest/meta-data/", {});
console.log({
metadata,
}); |
Hi @nwalters512 and everyone else on the thread! Please check out the last comment where we created the package that provides utils to access EC2 Instance Metadata Service (IMDS). Let us know if you have any questions! |
@aBurmeseDev @kuhe this is great, thanks for getting this done! Unfortunately the package isn't being built/published correctly; the file
|
thank you for reporting this, we just put a fix out that will be released later today. let us know if you encounter any other issues or have questions. |
@aBurmeseDev @siddsriv Thank you for pushing this out! Can you point me to the SDK docs for the package? All good if they're not out yet, didn't know if I wasn't looking in the right place. |
https://www.npmjs.com/package/@aws-sdk/ec2-metadata-service has basic instructions on how to make a request, which is most of what the package does. You can then use the general documentation for IMDS https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html and take the URLs in those and input them to the JavaScript package for the same effect. |
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs and link to relevant comments in this thread. |
Describe the feature
I'd like an easy way to access information from the EC2 Instance Metadata Service, similar to the
MetadataService
that's available in the v2 SDK: https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/MetadataService.html.Use Case
I'd rather not re-implement the logic for picking the appropriate endpoint, refreshing the token, refetching the token, etc.
Proposed Solution
No response
Other Information
It looks like
credential-provider-imds
has already implemented a lot of the token fetching, error handling, etc. Maybe that can be refactored into a shared place?SDKs for other languages already implement this feature, including Go (https://docs.aws.amazon.com/sdk-for-go/api/aws/ec2metadata/).
Acknowledgements
SDK version used
3.178.0
Environment details (OS name and version, etc.)
macOS 12.5.1
The text was updated successfully, but these errors were encountered: