#aws
2020-11-27
kenny 17:11:44

I have a task running on EC2 ECS and am using Cognitect's aws-api to make API calls. I am constructing a regular sts client (e.g., (aws/client {:api :sts})) and issuing an :AssumeRole API call. That call is failing with an anomaly saying "No region found by any region provider." I have traced the call back to the cognitect.aws.ec2-metadata-utils namespace. It is attempting to fetch the region from this endpoint "http://169.254.170.2/latest/dynamic/instance-identity/document". If I curl that endpoint from within my container, I get a 404. I can curl the credentials using curl ${AWS_CONTAINER_CREDENTIALS_RELATIVE_URI} and get a successful response. Any idea why the former endpoint used for the region is returning a 404?

kenny 17:11:49

I can work around this by setting the AWS_REGION env var. Curious how default region identification is supposed to work in EC2 ECS though.

ghadi 17:11:21

Do you have the instance metadata v1 service disabled, @kenny?

kenny 17:11:39

How would I know?

kenny 17:11:11

(Afaik, I did not explicitly disable it)

ghadi 17:11:35

Check the properties in the console

kenny 17:11:36

What am I looking for?

ghadi 17:11:03

Google imds v2, sorry afk

kenny 17:11:56

I see how to https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html. Not seeing how to view the property from an already running instance though.

orestis 17:11:17

You need to relaunch afaik

kenny 17:11:01

This seems relevant here: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/container-metadata.html#enable-metadata. Container metadata is disabled by default for ECS.

ghadi 17:11:48

That’s the wrong metadata service

ghadi 17:11:57

I thought EC2?

kenny 18:11:04

The issue is occurring inside a task that is running on ECS EC2.

viesti 21:11:52

hmm, I remember setting the AWS_REGION & AWS_DEFAULT_REGION to make python boto3 applications work when run on ECS

viesti 21:11:54

it didn't occur to me that the region would actually be available from the container metadata service