source-controller icon indicating copy to clipboard operation
source-controller copied to clipboard

Published 20 hours ago verified publisher icon fluxcd

Source controller support for Instance Metadata Service v2 (IMDSv2) on AWS

Open oura-kataja opened this issue 2 years ago • 1 comments

I get the following error message in source-controller when Flux is configured to use S3 bucket source,:

{
  "level": "error",
  "ts": "2022-06-03T13:29:32.250Z",
  "logger": "controller.bucket",
  "msg": "Reconciler error",
  "reconciler group": "source.toolkit.fluxcd.io",
  "reconciler kind": "Bucket",
  "name": "deploy-bucket",
  "namespace": "flux-system",
  "error": "failed to confirm existence of 'retracted-flux-1ejashffo6o0p' bucket: 401 Unauthorized"
}

I have created the bucket source with the following command:

flux create source bucket deploy-bucket \
  --bucket-name=retracted-flux-1ejashffo6o0p \
  --provider=aws \
  --endpoint=s3.amazonaws.com \
  --region=eu-central-1 \
  --interval=5m

.. and receive the following error message:

✚ generating Bucket source
► applying Bucket source
✔ Bucket source created
◎ waiting for Bucket source reconciliation
✗ failed to confirm existence of 'retracted-flux-1ejashffo6o0p' bucket: 401 Unauthorized

It appears that minio-go library uses Instance Metadata Service (IMDS) at 169.254.169.254 to create temporary credentials to access the S3 bucket (from captured traffic):

GET /latest/meta-data/iam/security-credentials/ HTTP/1.1
Host: 169.254.169.254
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip

This is not permitted, because my configuration requires Instance Metadata Service v2 (IMDSv2) since doing so avoids some vulnerabilities:

HTTP/1.1 401 Unauthorized
Content-Length: 0
Date: Fri, 03 Jun 2022 13:29:32 GMT
Server: EC2ws
Connection: close
Content-Type: text/plain

The fix would be to use Instance Metadata Service v2 (IMDSv2) compatible client with the minio-go library. This adds a session token to the requests.

I was able to workaround by creating an IAM user with an access key, then creating the source with--access-key and --secret-key args.

I am running Flux v0.30.2 on EKS with the Kubernetes version v1.21. I have created the IAM policy to access the bucket as instructed by documentation. Instances receive this policy from the instance profile. The access works when tested with AWS CLI aws s3 ls command.

Resources:

oura-kataja avatar Jun 03 '22 14:06 oura-kataja

Have you found the solution to this problem?

Paulius0112 avatar Oct 05 '22 12:10 Paulius0112