How to authenticate gocql to AWS


Question


I have a Go service that needs to connect to Keyspaces on AWS. My pod has a role and the AWS_SECRET_ACCESS_KEY, AWS_ACCESS_KEY_ID and AWS_SESSION_TOKEN env vars.

I want to use aws SDK v2. What credential provider should I use? ec2rolecreds or another one (maybe stscreds)?

I tried to implement the example from here. But I get an error

no EC2 IMDS role found, operation error ec2imds: GetMetadata, request canceled, context deadline exceeded

Where can I find a working example and more explanations?

UPDATE

Now my code looks like this:

// Imports behind the aliases used in this fragment.
import (
	"fmt"

	"github.com/aws/aws-sdk-go-v2/aws"
	awsConfig "github.com/aws/aws-sdk-go-v2/config"
	"github.com/aws/aws-sdk-go-v2/credentials/ec2rolecreds"
	"github.com/aws/aws-sdk-go-v2/feature/ec2/imds"
	"github.com/aws/aws-sigv4-auth-cassandra-gocql-driver-plugin/sigv4"
	"github.com/gocql/gocql"
)

awsCfg, err := awsConfig.LoadDefaultConfig(ctx)
if err != nil {
	return nil, fmt.Errorf("failed to load AWS config: %w", err)
}

imdsClient := imds.NewFromConfig(awsCfg)

// Only the instance-role provider is used here; the env vars are never consulted.
appCreds := aws.NewCredentialsCache(ec2rolecreds.New(func(options *ec2rolecreds.Options) {
	options.Client = imdsClient
}))

// Retrieve() is where the IMDS request happens and where the error below comes from.
value, err := appCreds.Retrieve(ctx)
if err != nil {
	return nil, fmt.Errorf("failed to retrieve credentials: %w", err)
}

cluster := gocql.NewCluster(cassandraHost)

auth := sigv4.NewAwsAuthenticator()
auth.SessionToken = value.SessionToken
auth.AccessKeyId = value.AccessKeyID
auth.SecretAccessKey = value.SecretAccessKey

cluster.Authenticator = auth

session, err := cluster.CreateSession()

Retrieve() returns an error

no EC2 IMDS role found, operation error ec2imds: GetMetadata, exceeded maximum number of attempts, 3, request send failed, Get "http://169.254.169.254/latest/meta-data/iam/security-credentials/": dial tcp 169.254.169.254:80: connect: host is down

UPDATE 2

In the same environment, AWS SDK v1 works OK, so physically the AWS endpoint is available.

import (
	"fmt"

	credentialsV1 "github.com/aws/aws-sdk-go/aws/credentials"
	ec2rolecredsV1 "github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds"
	ec2metadataV1 "github.com/aws/aws-sdk-go/aws/ec2metadata"
	aws_sess "github.com/aws/aws-sdk-go/aws/session"
)

session, err := aws_sess.NewSession()
if err != nil {
	return fmt.Errorf("failed to create AWS session: %w", err)
}

// Chain order matters: EnvProvider is consulted first, EC2RoleProvider only if it yields nothing.
creds := credentialsV1.NewChainCredentials(
	[]credentialsV1.Provider{
		&credentialsV1.EnvProvider{},
		&ec2rolecredsV1.EC2RoleProvider{
			Client: ec2metadataV1.New(session),
		},
	})

value, getErr := creds.Get()
if getErr != nil {
	return fmt.Errorf("failed to get credentials: %w", getErr)
}

Answer 1

Score: 2


no EC2 IMDS role found, operation error ec2imds: GetMetadata, exceeded maximum number of attempts, 3, request send failed, Get "http://169.254.169.254/latest/meta-data/iam/security-credentials/": dial tcp 169.254.169.254:80: connect: host is down

Your snippet of code is attempting to use the EC2 instance meta-data service to read an IAM role to use. For that to work, you need to be able to communicate with it, and the role must be attached to the instance.

Is your Go service running on an EC2 instance? If not, that would explain your error. If it is, make sure the process or container has appropriate network access (e.g. network namespace) to communicate with 169.254.169.254.
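Added example, not code from the question or the answer: the resolution order behind the v1 chain in UPDATE 2 (EnvProvider first, EC2RoleProvider only as a fallback), written with the standard library alone so the two outcomes can be exercised without the SDK. `Resolve`, `imdsGet`, the injected `getenv` and the `imdsBase` parameter are names chosen here; the IMDS part follows the IMDSv1 role-credential path (role name, then the JSON document) and skips the IMDSv2 token handshake the real SDK performs.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"strings"
	"time"
)

// Credentials holds the three values handed to the sigv4 gocql authenticator,
// plus which provider supplied them.
type Credentials struct{ AccessKeyID, SecretAccessKey, SessionToken, Source string }

const imdsRolePath = "/latest/meta-data/iam/security-credentials/"

// imdsGet performs one metadata request with a short timeout, so an unreachable
// 169.254.169.254 fails fast instead of retrying until the SDK reports "host is down".
func imdsGet(url string) ([]byte, error) {
	resp, err := (&http.Client{Timeout: 2 * time.Second}).Get(url)
	if err != nil {
		return nil, fmt.Errorf("IMDS unreachable: %w", err)
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("IMDS returned %d for %s (no role attached?)", resp.StatusCode, url)
	}
	return io.ReadAll(resp.Body)
}

// Resolve applies the order that makes the v1 chain in the question work: environment
// variables first, the instance role via IMDS (v1 path, no token handshake) only when absent.
func Resolve(getenv func(string) string, imdsBase string) (Credentials, error) {
	if id, secret := getenv("AWS_ACCESS_KEY_ID"), getenv("AWS_SECRET_ACCESS_KEY"); id != "" && secret != "" {
		return Credentials{id, secret, getenv("AWS_SESSION_TOKEN"), "env"}, nil // IMDS never contacted
	}
	role, err := imdsGet(imdsBase + imdsRolePath) // first call returns the attached role's name
	if err != nil {
		return Credentials{}, err
	}
	body, err := imdsGet(imdsBase + imdsRolePath + strings.TrimSpace(string(role)))
	if err != nil {
		return Credentials{}, err
	}
	var doc struct{ AccessKeyId, SecretAccessKey, Token string } // field names as IMDS emits them
	if err := json.Unmarshal(body, &doc); err != nil {
		return Credentials{}, fmt.Errorf("bad IMDS credential document: %w", err)
	}
	return Credentials{doc.AccessKeyId, doc.SecretAccessKey, doc.Token, "imds"}, nil
}
```

With the pod's AWS_* variables set, the chain returns before ever touching 169.254.169.254, which is why the v1 code in the question works in a pod where IMDS is unreachable while the v2 code, which uses ec2rolecreds alone, does not. Feeding the returned values into sigv4.NewAwsAuthenticator() is the same three assignments the question already shows.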

huangapple
  • Posted on 2022-02-08 02:45:04
  • Please keep this link when reposting: https://go.coder-hub.com/71023790.html