Storage S3 - AWS node role IMDSv1 does not work after upgrade to v2.2 #2743
Comments
|
I'm not seeing much changes to the s3 backend. Prefix Support: a55da81 Standardized TLS config: e809ae607a Updated minio: e9898effad The first two seem innocuous. WDYT? The minio changes are here: minio/minio-go@v7.0.23...v7.0.52 If it's possible to test image versions immediately before some of these changes it could help us narrow down the issue. We could also try just upgrading minio again and see if it fixes it. |
|
So it is the minio upgrade. Image |
|
Tried bumping to |
|
Nothing really stands out in the minio changelog. Can you file an issue here: https://github.com/minio/minio-go Detailing your auth setup and see if they have insight into what may have changed? |
|
I have found the culprit: Use 1s timeout for fetching imdsv2 token introduced in v7.0.24. Reverting that and building custom tempo image with custom minio-go fixes the issue. |
|
Seems to me as issue in Tempo that surfaced in due to 2 bugfixes made in minio lib: minio/minio-go#1626 and minio/minio-go#1682 I fixed the bug title as it affects the IMDSv1 only. It seems that the same issue appeared and was fixed some time ago in Cortex cortexproject/cortex#4897 |
coufalja
changed the title
|
I backported the Cortex fix in #2760 |
|
Excellent research and fix, @coufalja. Thank you. |
Describe the bug
Tempo does not start with "transparent" AWS credentials (node role). It seems to not take the credentials/role into account at all.
To Reproduce
Steps to reproduce the behavior:
"err":"failed to init module services error initialising module: store: failed to create store unexpected error from ListObjects on <bucket name>: Access Denied"Expected behavior
Tempo connects and starts.
Environment:
Additional Context
*to the node role but no joy.The text was updated successfully, but these errors were encountered: