How to authenticate gocql to AWS

Question
I have a Go service that needs to connect to Keyspaces on AWS. My pod has a role and the AWS_SECRET_ACCESS_KEY, AWS_ACCESS_KEY_ID and AWS_SESSION_TOKEN env vars.
I want to use the AWS SDK v2. Which credential provider should I use? ec2rolecreds or another one (maybe stscreds)?
I tried to implement the example from here. But I get an error:

no EC2 IMDS role found, operation error ec2imds: GetMetadata, request canceled, context deadline exceeded

Where can I find a working example and more explanation?
UPDATE
Now my code looks like this:
    // Load the default config (region, env vars, shared config).
    awsCfg, err := awsConfig.LoadDefaultConfig(ctx)
    if err != nil {
        return nil, fmt.Errorf("failed to load AWS config: %w", err)
    }

    // Credentials are taken from the EC2 instance metadata service only.
    imdsClient := imds.NewFromConfig(awsCfg)
    appCreds := aws.NewCredentialsCache(ec2rolecreds.New(func(options *ec2rolecreds.Options) {
        options.Client = imdsClient
    }))

    // This is the Retrieve() call that fails with the IMDS error below.
    value, err := appCreds.Retrieve(ctx)
    if err != nil {
        return nil, fmt.Errorf("failed to retrieve AWS credentials: %w", err)
    }

    // Hand the resolved credentials to the SigV4 authenticator for gocql.
    cluster := gocql.NewCluster(cassandraHost)
    auth := sigv4.NewAwsAuthenticator()
    auth.SessionToken = value.SessionToken
    auth.AccessKeyId = value.AccessKeyID
    auth.SecretAccessKey = value.SecretAccessKey
    cluster.Authenticator = auth
    session, err := cluster.CreateSession()
Retrieve() returns an error:

no EC2 IMDS role found, operation error ec2imds: GetMetadata, exceeded maximum number of attempts, 3, request send failed, Get "http://169.254.169.254/latest/meta-data/iam/security-credentials/": dial tcp 169.254.169.254:80: connect: host is down
UPDATE 2
In the same environment the AWS SDK v1 works OK, so the AWS endpoint is physically reachable.
    session, err := aws_sess.NewSession()
    if err != nil {
        return fmt.Errorf("failed to create AWS session: %w", err)
    }

    // v1 chain: environment variables first, then the EC2 instance role via IMDS.
    creds := credentialsV1.NewChainCredentials(
        []credentialsV1.Provider{
            &credentialsV1.EnvProvider{},
            &ec2rolecredsV1.EC2RoleProvider{
                Client: ec2metadataV1.New(session),
            },
        })
    value, getErr := creds.Get()
Answer 1
Score: 2
no EC2 IMDS role found, operation error ec2imds: GetMetadata, exceeded maximum number of attempts, 3, request send failed, Get "http://169.254.169.254/latest/meta-data/iam/security-credentials/": dial tcp 169.254.169.254:80: connect: host is down
Your snippet of code is attempting to use the EC2 instance metadata service to read an IAM role to use. For that to work, you need to be able to communicate with it, and the role must be attached to the instance.

Is your Go service running on an EC2 instance? If not, that would explain your error. If it is, make sure the process or container has appropriate network access (e.g. network namespace) to communicate with 169.254.169.254.