boto3 connects from EC2 instance to secrets manager but unable to connect from inside docker container after IMDSv2 required upgrade

boto3 connects from the EC2 instance and returns results with the following commands.

import boto3

secret_name = 'example-secret-name'  # placeholder: the name or ARN of the secret to read

session = boto3.session.Session()
# The service name is 'secretsmanager'; 'secretmanager' raises an UnknownServiceError
client = session.client(service_name='secretsmanager', region_name='us-east-1')
# boto3 parameter names are CamelCase: SecretId, not secretId
get_secret_value_response = client.get_secret_value(SecretId=secret_name)

But when I run the same set of commands from inside a docker container deployed on the EC2 instance, it fails with a no-credentials error. The EC2 instance has an IAM role attached so that it can fetch the password from Secrets Manager.

Sounds like you need to increase the hop limit

What are hops, and why are they significant?

To ensure IP packets have a limited lifetime on the network, all IP packets have an 8-bit Time to Live (IPv4) or Hop Limit (IPv6) header field whose value specifies the maximum number of layer three hops (typically routers) that can be traversed on the path to their destination.

Each time the packet arrives at a layer three network device (a Hop), the value is reduced by one before it gets routed onward. When the value eventually reaches one, the packet gets discarded by the device that receives it (as the value would get reduced to zero).

So the docker networking layer will just drop the response from IMDSv2 calls!

We now increase the hop count using the following command.

aws ec2 modify-instance-metadata-options --instance-id i-XXXXXXXXXXXX --http-put-response-hop-limit 3

This AWS documentation says:

By default, the response to PUT requests has a response hop limit (time to live) of 1 at the IP protocol level. You can adjust the hop limit using the modify-instance-metadata-options command if you need to make it larger. For example, you might need a larger hop limit for backward compatibility with container services running on the instance. For more information, see modify-instance-metadata-options in the AWS CLI Command Reference.

Also related: https://aws.amazon.com/about-aws/whats-new/2020/08/amazon-eks-supports-ec2-instance-metadata-service-v2/
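An added example, not code from the question or the answer: it audits the metadata options the answer adjusts, classifying each instance's HttpTokens and HttpPutResponseHopLimit from a DescribeInstances-shaped response so you can spot instances where containers will lose credentials (IMDSv2 required with hop limit 1) as well as limits raised further than a single Docker bridge hop needs. SAMPLE_RESERVATIONS and its instance ids are constructed; audit_region is a hypothetical helper that fetches live data with boto3.

```python
"""Audit EC2 instance metadata options for the IMDSv2 / container hop-limit problem."""

# Constructed sample shaped like an EC2 DescribeInstances response (not real instances).
SAMPLE_RESERVATIONS = [
    {"Instances": [
        {"InstanceId": "i-0000000000000001",
         "MetadataOptions": {"HttpTokens": "required", "HttpPutResponseHopLimit": 1,
                             "HttpEndpoint": "enabled"}},
        {"InstanceId": "i-0000000000000002",
         "MetadataOptions": {"HttpTokens": "required", "HttpPutResponseHopLimit": 2,
                             "HttpEndpoint": "enabled"}},
        {"InstanceId": "i-0000000000000003",
         "MetadataOptions": {"HttpTokens": "optional", "HttpPutResponseHopLimit": 1,
                             "HttpEndpoint": "enabled"}},
    ]}
]


def classify(meta, runs_containers=True):
    """Return a short finding for one instance's MetadataOptions dict."""
    tokens = meta.get("HttpTokens", "optional")
    hops = meta.get("HttpPutResponseHopLimit", 1)
    if meta.get("HttpEndpoint") == "disabled":
        return "imds-disabled"
    if tokens != "required":
        return "imdsv1-allowed"  # IMDSv1 still answers; harden with --http-tokens required
    if runs_containers and hops < 2:
        return "container-creds-will-fail"  # the symptom from the question: TTL 1 dies at the bridge
    if hops > 2:
        return "hop-limit-above-2"  # one Docker bridge hop needs 2; confirm anything larger is needed
    return "ok"


def audit(reservations, runs_containers=True):
    """Map InstanceId -> finding for every instance in a DescribeInstances-shaped list."""
    return {i["InstanceId"]: classify(i.get("MetadataOptions", {}), runs_containers)
            for r in reservations for i in r.get("Instances", [])}


def audit_region(region_name):
    """Hypothetical live variant: pull DescribeInstances via boto3 (needs AWS credentials)."""
    import boto3  # imported lazily so the offline audit above runs without boto3 installed
    ec2 = boto3.client("ec2", region_name=region_name)
    reservations = []
    for page in ec2.get_paginator("describe_instances").paginate():
        reservations.extend(page["Reservations"])
    return audit(reservations)


if __name__ == "__main__":
    for instance_id, finding in audit(SAMPLE_RESERVATIONS).items():
        print(instance_id, finding)
```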