source-controller
source-controller copied to clipboard
Source controller support for Instance Metadata Service v2 (IMDSv2) on AWS
I get the following error message in source-controller
when Flux is configured to use S3 bucket source,:
{
"level": "error",
"ts": "2022-06-03T13:29:32.250Z",
"logger": "controller.bucket",
"msg": "Reconciler error",
"reconciler group": "source.toolkit.fluxcd.io",
"reconciler kind": "Bucket",
"name": "deploy-bucket",
"namespace": "flux-system",
"error": "failed to confirm existence of 'retracted-flux-1ejashffo6o0p' bucket: 401 Unauthorized"
}
I have created the bucket source with the following command:
flux create source bucket deploy-bucket \
--bucket-name=retracted-flux-1ejashffo6o0p \
--provider=aws \
--endpoint=s3.amazonaws.com \
--region=eu-central-1 \
--interval=5m
.. and receive the following error message:
✚ generating Bucket source
► applying Bucket source
✔ Bucket source created
◎ waiting for Bucket source reconciliation
✗ failed to confirm existence of 'retracted-flux-1ejashffo6o0p' bucket: 401 Unauthorized
It appears that minio-go library uses Instance Metadata Service (IMDS) at 169.254.169.254
to create temporary credentials to access the S3 bucket (from captured traffic):
GET /latest/meta-data/iam/security-credentials/ HTTP/1.1
Host: 169.254.169.254
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip
This is not permitted, because my configuration requires Instance Metadata Service v2 (IMDSv2) since doing so avoids some vulnerabilities:
HTTP/1.1 401 Unauthorized
Content-Length: 0
Date: Fri, 03 Jun 2022 13:29:32 GMT
Server: EC2ws
Connection: close
Content-Type: text/plain
The fix would be to use Instance Metadata Service v2 (IMDSv2) compatible client with the minio-go library. This adds a session token to the requests.
I was able to workaround by creating an IAM user with an access key, then creating the source with--access-key
and --secret-key
args.
I am running Flux v0.30.2 on EKS with the Kubernetes version v1.21. I have created the IAM policy to access the bucket as instructed by documentation. Instances receive this policy from the instance profile. The access works when tested with AWS CLI aws s3 ls
command.
Resources:
- AWS: Use IMDSv2
- aws/containers-roadmap issue EKS: Support for IMDSv2 #930
Have you found the solution to this problem?