Upgrade AWS SDK used by the repository-s3 plugin to allow use of IMDSv2 #3690
Comments
Thanks for opening this up. I've sent out a PR.
I know it's been over a year, but the behavior appears to be unchanged even in 2.7.0. Perhaps the AWS SDK needs to be updated to v2 instead of just a newer version of v1? See #3040
The good news is that we upgraded the AWS SDK to v2 in #7372, and #7372 which ships with 2.9.0. Want to try the latest release candidate? See opensearch-project/opensearch-build#3616 for latest links. I don't believe that automatically closes #3040, we still have to do work, but I haven't looked at the work required. Maybe you want to check it out @tophercullen?
Realized I forgot to get back on this. It still doesn't work. We upgraded to OS 2.9.0 late last year and, when enforcing IMDSv2, the s3 plugin started failing on the next token refresh. We had to re-enable IMDSv1 to get it working again.
@tophercullen care to open a new issue for support of IMDSv2 and collect some links/repro steps/whatever else you can provide that shows that it doesn't work?
Understood. We recently upgraded to 2.12. I'll re-test against that and open a new issue if still present.
@dblock I've retested this with 2.12 and it works. As I went about testing it this time around, I believe I found out there was some confusion and/or misunderstanding on my part when testing this previously on 2.9.0. It's entirely possible 2.9.0 works, but at the time I'm fairly certain I had the EC2 metadata hop limit set to 1. Given I run opensearch from a container, this would cause it to fail when using IMDSv2 and the SDK to fall back to IMDSv1.
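The hop-limit interaction described in the comment above, as an added example that is not part of the thread or the OpenSearch project: a Python check over `aws ec2 describe-instances` output that predicts whether a containerized workload receives IMDSv2 tokens, silently falls back to IMDSv1, or loses its role credentials. The sample data, instance ids, verdict labels and the `extra_hops` parameter are constructed assumptions.

```python
import json

# Constructed sample shaped like `aws ec2 describe-instances` output (not real instances).
SAMPLE = json.loads("""
{"Reservations": [{"Instances": [
  {"InstanceId": "i-EXAMPLE0001", "MetadataOptions":
    {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
  {"InstanceId": "i-EXAMPLE0002", "MetadataOptions":
    {"HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
  {"InstanceId": "i-EXAMPLE0003", "MetadataOptions":
    {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 2}},
  {"InstanceId": "i-EXAMPLE0004", "MetadataOptions":
    {"HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 2}}
]}]}
""")


def classify(opts, extra_hops=1):
    """Predict how role-credential lookups behave for a workload that sits
    `extra_hops` network hops behind the instance (assumption: 1 for a
    bridge-networked container, 0 for a process on the host)."""
    if opts.get("HttpEndpoint") != "enabled":
        return "no-imds"
    # The IMDSv2 token (PUT) response carries a hop limit; the workload only
    # receives it if the limit covers the first hop plus any extra hops.
    token_reachable = opts.get("HttpPutResponseHopLimit", 1) >= 1 + extra_hops
    v1_allowed = opts.get("HttpTokens") != "required"
    if token_reachable:
        return "imdsv2-ok-v1-still-open" if v1_allowed else "imdsv2-enforced"
    # Token never arrives: the SDK can only succeed by falling back to IMDSv1.
    return "silent-v1-fallback" if v1_allowed else "credentials-fail"


def audit(describe_output, extra_hops=1):
    """Map instance id -> predicted behaviour for every instance in the output."""
    return {
        inst["InstanceId"]: classify(inst.get("MetadataOptions", {}), extra_hops)
        for res in describe_output.get("Reservations", [])
        for inst in res.get("Instances", [])
    }


if __name__ == "__main__":
    for instance_id, verdict in audit(SAMPLE).items():
        print(f"{instance_id}: {verdict}")
```

A `silent-v1-fallback` verdict is the case to look for before enforcing IMDSv2: everything appears to work, but only because IMDSv1 is still answering.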
Is your feature request related to a problem? Please describe.
Currently, the repository-s3 plugin does not support IMDSv2 due to (I assume) using an older bundled AWS SDK. This means the plugin does not function while using IAM roles and IMDSv2 is enforced.
Describe the solution you'd like
Upgrade the AWS SDK used by the plugin.
Describe alternatives you've considered
Use AWS static keys/secrets (poor practice).
Additional context
Currently, I am using OS 1.3.2. However, even the 2.x versions I've checked are using the same, older SDK in the plugin.