ECS Task IAM profile credentials ignored in repository-s3 plugin #26913
Comments
I agree with your analysis, it looks like the repository-s3 plugin must be adapted for this use case.
I believe we need to upgrade to aws sdk 1.11 in order to support this. We do not use the default credentials chain because it uses insecure methods of passing credentials (env vars, sysprops and plaintext files). So after upgrading, we will need to create our own chain that includes iam+instance profile.
Wasn't that the goal of #26479?
Sorry, I meant #25552
@dadoonet Yes. However, that PR undoes the secure credentials work (adding back the default credentials provider).
Very true @rjernst. I did not review it yet because of travels. Wanna add your thoughts on https://github.com/elastic/elasticsearch/pull/25552/files#diff-68ff507ea23f19b8d4b5cc0e8d1826bfR172?
Ah! I must have missed that PR when searching for whether the issue already existed!
I have just come across this issue too when trying to use an IAM Role associated with the ECS Task for S3 Repository access, and I've only just found this GitHub issue. I am using the official Docker image for ES 5.5.3 and the "repository-s3" plugin, which seems to include version 1.10.69 of the AWS SDK for Java according to DEBUG. AWS state that the minimum required Java SDK version to support IAM Roles for Tasks is 1.11.16. See here. To prove the point, when I attach the S3 IAM Policy to the ECS Container Instance's IAM Role, the S3 Repository "verify" command works fine. But the same Policy on the Task's assigned IAM Role doesn't work. There are additional steps to configure the ECS Agent to allow IAM Roles to be assigned to Tasks, but I have followed these and it still doesn't work, so the SDK version seems to be the root cause... Looking forward to seeing this one fixed, and I hope this information might help a little.
This is still a problem on 6.3.0. The SDK version is recent enough but the S3 plugin will only use the EC2 Instance Profile Provider. The EC2 Discovery plugin works fine with Task Roles, so the difference in behaviour is surprising.
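The credentials chain the comments above ask for (explicit keys, otherwise the ECS task role, otherwise the EC2 instance profile, and never env vars, system properties or plaintext files), as an added example that is not the plugin's own code. It assumes the AWS SDK for Java 1.11.x classes named below; the accessKey/secretKey parameters and class name are hypothetical.

```java
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.auth.EC2ContainerCredentialsProviderWrapper;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;

/**
 * Hypothetical credentials selection for an S3 repository client.
 * Unlike DefaultAWSCredentialsProviderChain it never consults
 * environment variables, system properties or ~/.aws/credentials,
 * so those insecure channels cannot silently supply keys.
 */
public final class S3RepositoryCredentials {

    private S3RepositoryCredentials() {}

    /**
     * Explicit keys (e.g. from the keystore) win. Otherwise resolve the
     * IAM role: EC2ContainerCredentialsProviderWrapper (SDK >= 1.11.16)
     * uses the ECS task credential endpoint when the agent has set
     * AWS_CONTAINER_CREDENTIALS_RELATIVE_URI and falls back to the EC2
     * instance profile otherwise, which is exactly the behaviour the
     * thread reports as missing.
     */
    static AWSCredentialsProvider buildProvider(String accessKey, String secretKey) {
        if (accessKey != null && secretKey != null) {
            return new AWSStaticCredentialsProvider(
                new BasicAWSCredentials(accessKey, secretKey));
        }
        return new EC2ContainerCredentialsProviderWrapper();
    }

    /** Build the S3 client; fail fast if no credentials can be resolved. */
    static AmazonS3 buildClient(String accessKey, String secretKey, String region) {
        AWSCredentialsProvider provider = buildProvider(accessKey, secretKey);
        // Surfaces a clear error at repository creation instead of at first upload.
        provider.getCredentials();
        return AmazonS3ClientBuilder.standard()
            .withCredentials(provider)
            .withRegion(region)
            .build();
    }
}
```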
Add EC2 credential test for repository-s3 Relates to #26913
Relates to #26913 (cherry picked from commit 8235b25)
Elasticsearch version (bin/elasticsearch --version): 5.6.2
Plugins installed: [repository-s3]
JVM version (java -version): Doesn't seem to matter
OS version (uname -a if on a Unix-like system): Doesn't seem to matter
Description of the problem including expected versus actual behavior:
When using the repository-s3 plugin from within an ECS Task that has an ECS Task IAM role, the repository-s3 instead loads the underlying ec2 host's credentials, which appears to be contrary (or at least unexpected!), based on what is in the usage guide.
Steps to reproduce:
elasticsearch-plugin install repository-s3
Believed cause:
I believe I've tracked the issue down to elasticsearch/plugins/repository-s3/src/main/java/org/elasticsearch/repositories/s3/InternalAwsS3Service.java, line 172 in 16431a6.