hey y'all I'm trying to get datomic ion instances to use imdsv2 and running into this:
2. The CodeDeploy deployment fails on the BeforeInstall hook: scripts/post-stop-sync-libs (run as user datomic) exits 1.
3. That script runs Datomic's datomic.ion.dev.ensure_local (sync-libs.clj), which shells out (sh!) to download Datomic ion libs from S3 — and that subprocess now fails because it can't get instance-role credentials. The node has HttpTokens=required; the tool sync-libs invokes uses an IMDSv1-only credential path, so its metadata call is rejected (401) and the S3 download dies.
anyone run into this and know how to address it?
fyi it looks like the datomic cloud template explicitly overrides the default behavior to use imdsv1, this can be seen at https://s3.amazonaws.com/datomic-cloud-1/cft/1217/query-group-template-9399-1217.json if you search for "HttpTokens"
Hey @nonrecursive, support for IMDSv2 is coming in our next release along with some other goodies. We are just beginning the release testing tomorrow
> We are just beginning the release testing tomorrow 👀
@joe.lane good timing! do you have a sense of when that release will drop?
Double digit days, single digit weeks
I'm looking at a deadline to get our instances using imdsv2 by tomorrow 😕 right now the main option I'm considering is getting the BeforeInstall hook to use a version of the aws cli that will use imdsv2. this is unfamiliar territory for me, but from what I understand I have the sense that this might be difficult?
• the base AMI datomic cloud uses should already be using a version of aws cli that defaults to imdsv2
• this makes me think it might be vendoring an older version?
anyway, any guidance here (even in the form of letting me know imdsv2 just isn't going to work) would be super appreciated 🙏 🙏 🙏
It will not work until you have our next release.
thanks again, and to clarify: the current release categorically will not work with imdsv2, and any workaround attempts will fail?
hope it's not a bother, just wanted to get some clarity before attempting some kind of workaround - if it's simply not going to be possible that'd be helpful to know. sorry if you already answered that with your last comment, just want to be sure you mean that there's no way to get imdsv2 to work, as opposed to the possible workarounds I mentioned 🙂
I really don't think it will work
thank you!