Mismatched and Unclear Doc on How to use InstanceProfile's Credential #4623
Comments
Hi @michaelmnguyen, Thanks for opening this issue, I'll take a look and get back to you as soon as possible. Ran~
Hi @michaelmnguyen, Just to give you some background: the EC2 Instance Metadata Service (IMDS) is data about an instance that can be used to configure or manage the running instance. Regarding our documentation, I can confirm that this is broken and I apologize for that. I will add a backlog item to fix this with a working example. Here is my setup and how I got it to work:

1. IAM Role setup:

2. Go code to be run inside the instance:

```go
package main

import (
	"context"
	"fmt"

	"github.com/aws/aws-sdk-go-v2/aws"
	"github.com/aws/aws-sdk-go-v2/credentials/ec2rolecreds"
	"github.com/aws/aws-sdk-go-v2/service/s3"
)

func main() {
	// Get a credential provider from the configured role attached to the currently running EC2 instance
	provider := ec2rolecreds.New()
	// Construct a client, wrap the provider in a cache, and supply the region for the desired service
	// (in my case buckets live on us-east-2)
	client := s3.New(s3.Options{
		Credentials: aws.NewCredentialsCache(provider),
		Region:      "us-east-2",
	})
	out, err := client.ListBuckets(context.TODO(), &s3.ListBucketsInput{})
	if err != nil {
		panic(err)
	}
	fmt.Println(len(out.Buckets))
}
```

3. Run on EC2 host:

Output: 17 // I have 17 buckets in us-east-2

Additionally, I'd like to address these two remarks:

All the SDK clients are auto-generated from the service models that the service team publishes. Other utilities like IMDS are hand written and, aside from the guidelines we receive, each SDK team implements it based on the merit of the respective language. Why there are big differences I cannot tell, but this is a good point.
To reinforce what I've written in the above point, 99% of the SDK is code generated, including documentation. IMDS is different in that it was up to the team to write and document everything, and this clearly fell between the cracks. I apologize for that. Please let me know if this helps.
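The comment above uses `ec2rolecreds.New()` and the original report asks what `imds` is. As an added illustration for both (this is editor-added example code, not code from the thread, the reporter, or the AWS SDK), the block below walks the same metadata-service exchange the SDK's provider performs, using only the standard library: obtain an IMDSv2 session token with a PUT to `/latest/api/token`, read the role name attached to the instance profile from `/latest/meta-data/iam/security-credentials/`, then read that role's temporary credentials. `FetchRoleCredentials`, `ImdsRequest` and `NewFakeIMDS` are names chosen here; the fake server, the role name `ExampleInstanceRole` and the credential values it returns are constructed so the example runs offline. The fake refuses any metadata GET that lacks the session token, which is the behaviour a real instance has when its metadata options are set to require IMDSv2 tokens.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)
// RoleCredentials mirrors the JSON that IMDS serves under
// /latest/meta-data/iam/security-credentials/<role-name>.
type RoleCredentials struct {
	Code            string    `json:"Code"`
	AccessKeyID     string    `json:"AccessKeyId"`
	SecretAccessKey string    `json:"SecretAccessKey"`
	Expiration      time.Time `json:"Expiration"`
}

const tokenTTLHeader = "X-aws-ec2-metadata-token-ttl-seconds"
const tokenHeader = "X-aws-ec2-metadata-token"
const credsPath = "/latest/meta-data/iam/security-credentials/"
// ImdsRequest sends one request carrying a single header and returns the body on HTTP 200.
func ImdsRequest(ctx context.Context, method, url, hdrKey, hdrVal string) (string, error) {
	req, err := http.NewRequestWithContext(ctx, method, url, nil)
	if err != nil {
		return "", err
	}
	req.Header.Set(hdrKey, hdrVal)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err == nil && resp.StatusCode != http.StatusOK {
		err = fmt.Errorf("%s %s: HTTP %d", method, url, resp.StatusCode)
	}
	return string(body), err
}

// FetchRoleCredentials performs the three steps the SDK's ec2rolecreds provider performs: obtain an
// IMDSv2 session token, read the attached role name, then read that role's temporary credentials.
func FetchRoleCredentials(ctx context.Context, baseURL string) (string, *RoleCredentials, error) {
	token, err := ImdsRequest(ctx, http.MethodPut, baseURL+"/latest/api/token", tokenTTLHeader, "21600")
	if err != nil {
		return "", nil, err
	}
	roleList, err := ImdsRequest(ctx, http.MethodGet, baseURL+credsPath, tokenHeader, token)
	if err != nil {
		return "", nil, err
	}
	roleName := strings.TrimSpace(strings.SplitN(roleList, "\n", 2)[0])
	if roleName == "" {
		return "", nil, fmt.Errorf("no IAM role is attached to this instance profile")
	}
	raw, err := ImdsRequest(ctx, http.MethodGet, baseURL+credsPath+roleName, tokenHeader, token)
	if err != nil {
		return "", nil, err
	}
	var creds RoleCredentials
	if err := json.Unmarshal([]byte(raw), &creds); err != nil {
		return "", nil, err
	}
	if creds.Code != "Success" {
		return "", nil, fmt.Errorf("IMDS returned Code %q for role %s", creds.Code, roleName)
	}
	return roleName, &creds, nil
}

// NewFakeIMDS is a constructed stand-in for the metadata service so the flow runs offline.
// It enforces IMDSv2: a metadata GET without the session token is rejected with HTTP 401.
func NewFakeIMDS() *httptest.Server {
	const sessionToken = "constructed-session-token"
	mux := http.NewServeMux()
	mux.HandleFunc("/latest/api/token", func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPut || r.Header.Get(tokenTTLHeader) == "" {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		io.WriteString(w, sessionToken)
	})
	mux.HandleFunc(credsPath, func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get(tokenHeader) != sessionToken {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		switch strings.TrimPrefix(r.URL.Path, credsPath) {
		case "": // listing: one role name per line
			io.WriteString(w, "ExampleInstanceRole\n")
		case "ExampleInstanceRole": // constructed, non-functional credential values
			io.WriteString(w, `{"Code":"Success","AccessKeyId":"ASIAEXAMPLEKEY","SecretAccessKey":"example-secret","Token":"example-session-token","Expiration":"2030-01-01T00:00:00Z"}`)
		}
	})
	return httptest.NewServer(mux)
}
```

On a real instance the base URL is `http://169.254.169.254`, and this is exactly what the `imds` package client talks to; `ec2rolecreds` is the credential provider built on top of that client, and `aws.NewCredentialsCache` is what refreshes the credentials before `Expiration`. The walk-through above does no retry or refresh, which is why the SDK's provider, not this code, is what should be used in production.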
Hi @RanVaknin, Thank you for the quick and detailed response. The role setup and sample working code are very helpful. I will try them out on my side and let you know. Michael
Hi @RanVaknin Sorry for the delayed response on this thread. It was due to some production issues on my side in addition to being sick over the Thanksgiving week. I was able to get the security for InstanceProfile in golang to work with the sample code you provided for S3 bucket. I also tested it with different VPCs to make sure it works consistently with different network settings. My follow-up questions are
Thanks. Michael Nguyen
Hi @michaelmnguyen, Thanks for following up. Sorry to hear about you being sick, but I'm glad the solution provided works for you. I'll address your new concerns here, but in the future if any more issues arise please open a separate ticket. Both Java's and Go's operations are acting the same way. The SDK client will attempt to make a call to retrieve messages from the queue; if the queue is empty it will return an empty result. What you are describing is a Waiter, and SQS does not have any waiters defined for their API, so this behavior of waiting until there's a response does not exist for this particular service. Regarding this:
Aside from language-specific differences, 99% of the SDK's clients are auto-generated from the models of their respective service APIs. So the behavior should be, and is, the same across all SDKs. Let me know if you have any other questions.
Thanks @RanVaknin for the quick response. My posts for the new issues about the blocking call for SQS and SDK across languages at #4642 and #4643 were crossed with your response in this thread. I will follow up with you in those threads as needed. Michael
Describe the bug
The use case for this issue is
The AWS SDK Go doc at
https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/credentials/ec2rolecreds
talks about retrieving AWS credentials from Amazon EC2 Instance Roles via Amazon EC2 IMDS. However, there are several issues:
For instance, the AWS SDK has InstanceProfileCredentialsProvider in Java. But in Golang, the AWS SDK somehow uses imds.New(imds.Options{}). For instance:

```go
provider := imds.New(imds.Options{})
```

What is imds? And how does imds.Options{} indicate that it uses the EC2 Instance role?
Expected Behavior
Long-term Fix: The AWS SDK APIs and usage paradigm should be consistent across programming languages. The only difference should be syntax differences in the programming languages.
Short-term Fix: provide a clear explanation of what IMDS means and how imds.Options{} indicates that it uses the EC2 Instance role.
Current Behavior
Please see description.
Reproduction Steps
Please see description.
Possible Solution
Long-term Fix: The AWS SDK APIs and usage paradigm should be consistent across programming languages. The only difference should be syntax differences in the programming languages.
Short-term Fix: provide a clear explanation of what IMDS means and how imds.Options{} indicates that it uses the EC2 Instance role.
Additional Information/Context
No response
SDK version used
1.44.137
Environment details (Version of Go (go version)? OS name and version, etc.)
1.19