botocore
Add host.docker.internal to ContainerMetadataFetcher list of approved hosts
ContainerMetadataFetcher currently allows three hosts for container metadata endpoints: 169.254.170.2, localhost, and 127.0.0.1. However, neither localhost nor 127.0.0.1 represents the local docker host. Instead, the host's localhost is reachable as host.docker.internal (docs). On Linux, the workaround is to use --network host, but on Mac and Windows this doesn't work (the docker network is always isolated from the host).
host.docker.internal should be added to ContainerMetadataFetcher's list of approved hosts, so that a custom metadata endpoint for testing can be run on the host rather than needing to be run in another container.
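The kind of host check this request is about, as an added illustration that is not part of the original issue and is not botocore's code: it validates a full credentials URI against the three hosts listed above, then against the same set plus host.docker.internal. The function names, ports and sample URIs are constructed for the example.

```python
from urllib.parse import urlsplit

# Hosts the issue lists as currently approved for the container metadata endpoint.
APPROVED_HOSTS = frozenset({"169.254.170.2", "localhost", "127.0.0.1"})
# Host the issue asks to add (per the issue, how a container reaches the host).
REQUESTED_HOST = "host.docker.internal"


def check_full_uri(full_uri, approved=APPROVED_HOSTS):
    """Return (allowed, reason) for a candidate credentials endpoint URI."""
    try:
        parts = urlsplit(full_uri)
        host = parts.hostname  # lower-cased; userinfo, port and brackets stripped
    except ValueError as exc:
        return False, f"unparseable URI: {exc}"
    if parts.scheme not in ("http", "https"):
        return False, f"unsupported scheme {parts.scheme!r}"
    if not host:
        return False, "no host component"
    if host not in approved:
        return False, f"host {host!r} is not approved"
    return True, "ok"


# Constructed sample values for AWS_CONTAINER_CREDENTIALS_FULL_URI.
SAMPLES = [
    "http://127.0.0.1:8080/creds",
    "http://LOCALHOST:8080/creds",
    "http://host.docker.internal:8080/creds",
    "http://localhost@host.docker.internal:8080/creds",  # userinfo is not the host
    "http://localhost.example.test/creds",               # a prefix match is not a match
]


def evaluate(approved):
    """Map each sample URI to whether the given host set accepts it."""
    return {uri: check_full_uri(uri, approved)[0] for uri in SAMPLES}


if __name__ == "__main__":
    for label, hosts in (("current", APPROVED_HOSTS),
                         ("requested", APPROVED_HOSTS | {REQUESTED_HOST})):
        for uri, ok in evaluate(hosts).items():
            print(f"{label:9} {'allow' if ok else 'deny':5} {uri}")
```

Comparing on the parsed hostname rather than on the raw string is what keeps the userinfo and suffix samples from passing as localhost.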
Thanks for the request, @benkehoe.
Actually, in looking at the other SDKs, an inconsistency is that botocore allows 169.254.170.2 in AWS_CONTAINER_CREDENTIALS_FULL_URI, where at least Go and JavaScript v2 only allow localhost/127.0.0.1 in AWS_CONTAINER_CREDENTIALS_FULL_URI and use 169.254.170.2 only for AWS_CONTAINER_CREDENTIALS_RELATIVE_URI 🤷
I believe that Java (v1) behavior is the same as Go/JavaScript:
https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/auth/EC2ContainerCredentialsProviderWrapper.html
I have solved this for now in my aws-export-credentials tool by providing an IMDSv2-compatible endpoint; the IMDS endpoint is not subject to the same host checks. I think this issue still stands, though.
This is still an issue. We are trying to access the credentials URI from a docker container in a production environment and using --network host is not a good practice. And using aws-export-credentials seems a bit overkill to work around this in our case.
Any chance this issue could pass the needs-review step?
I should note that in addition to aws-export-credentials I made a single-purpose implementation in Go: imds-credential-server.
But I'd love to see this host supported in all SDKs.
Changing this to an issue on the cross-SDK repo: https://github.com/aws/aws-sdk/issues/562