architect
ECS Fargate: ECS IMDSv2 token not found
Describe the issue
I'm trying to use aws-lite in a ECS Fargate container, but ran into the ECS IMDSv2 token not found error when trying to make calls.
Expected behavior
For aws-lite to be able to create/find a token to call the API with
Steps to reproduce
- Call aws-lite from a ECS Fargate (only? I'm not sure, we only use Fargate) container
- See error
Platform / version
- OS + version: ECS Fargate, node:alpine docker image
- Node version: Node.js 22.8
- Package manager version: pnpm 9.10
How urgent do you feel this bug is?
P2
Additional context
I tried to look through the sources for how the token is found to try to debug it more, but deploying our services takes forever and setting up a new one would take even longer, so I gave up and went back to using the official SDK.
Seems like the aws-lite implementation for IMDS is incomplete. This is the aws-sdk solution which does a request to the IMDS service when the token or token file is missing in the container (which is the case here)
https://github.com/smithy-lang/smithy-typescript/blob/main/packages/credential-provider-imds/src/fromContainerMetadata.ts
Specifically, in my case and probably yours, only AWS_CONTAINER_CREDENTIALS_RELATIVE_URI exists in the environment.
https://github.com/smithy-lang/smithy-typescript/blob/c8d257b99707b880dc6500709269461477bbc321/packages/credential-provider-imds/src/fromContainerMetadata.ts#L71-L76
I'm having the same issues. The IMDS incorrectly assumes that a token is required for all metadata requests. This is not the case in fargate where no authorization token is required. Setting AWS_CONTAINER_AUTHORIZATION_TOKEN env variable to a dummy value (for example AWS_CONTAINER_AUTHORIZATION_TOKEN="dummy") fixed the issue for me.
