Metadata Service call does not support Proxy #1830

Open
@sybeck2k

Describe the bug

The EC2 Metadata service API call does not allow for configuration of a Proxy. This is required, for example, for Kube2Iam to work in Proxy mode.

Expected Behavior

The ConnectionUtils should be able to support a proxy; ideally it should be replaced with the standard ApacheHttpClient.

Current Behavior

Configuring a Proxy in ApacheHttpClient does not affect ConnectionUtils:

2020-05-13 11:05:57,971 main DEBUG LoggerContext[name=77556fd, org.apache.logging.log4j.core.LoggerContext@f1da57d] started OK.
2020-05-13 11:05:58 [main] DEBUG software.amazon.awssdk.regions.providers.AwsRegionProviderChain:57 - Unable to load region from software.amazon.awssdk.regions.providers.SystemSettingsRegionProvider@89c10b7:Unable to load region from system settings. Region must be specified either via environment variable (AWS_REGION) or  system property (aws.region).
2020-05-13 11:05:58 [main] DEBUG software.amazon.awssdk.http.apache.ApacheHttpClient:84 - Configuring Proxy. Proxy Host: 10.0.0.1
Exception in thread "main" software.amazon.awssdk.core.exception.SdkClientException: Unable to load credentials from service endpoint.
	at software.amazon.awssdk.core.exception.SdkClientException$BuilderImpl.build(SdkClientException.java:98)
	at software.amazon.awssdk.auth.credentials.HttpCredentialsProvider.refreshCredentials(HttpCredentialsProvider.java:110)
	at software.amazon.awssdk.utils.cache.CachedSupplier.refreshCache(CachedSupplier.java:132)
	at software.amazon.awssdk.utils.cache.CachedSupplier.get(CachedSupplier.java:89)

Steps to Reproduce

With Kube2Iam in Proxy mode, and the SDK configured to use InstanceProfileCredentialsProvider, make any call to any service, for example:

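        import java.net.URI;
        import software.amazon.awssdk.auth.credentials.InstanceProfileCredentialsProvider;
        import software.amazon.awssdk.core.client.config.ClientOverrideConfiguration;
        import software.amazon.awssdk.http.apache.ApacheHttpClient;
        import software.amazon.awssdk.http.apache.ProxyConfiguration;
        import software.amazon.awssdk.services.sts.StsClient;

        // Proxy settings for the SDK's Apache HTTP client (service calls).
        // new URI(...) throws the checked URISyntaxException.
        ProxyConfiguration.Builder proxyConfig = ProxyConfiguration.builder();

        ApacheHttpClient.Builder httpClientBuilder =
                ApacheHttpClient.builder()
                        .proxyConfiguration(proxyConfig
                                .addNonProxyHost("*.amazonaws.com,<KUBE_API_IP>:443")
                                .endpoint(new URI("http://<HOST_IP>:8181"))
                                .build());

        ClientOverrideConfiguration.Builder overrideConfig =
                ClientOverrideConfiguration.builder();
        // Credentials come from the instance metadata service, which is the
        // call that does not pick up the proxy configured above.
        StsClient stsClient = StsClient.builder()
                .httpClientBuilder(httpClientBuilder)
                .overrideConfiguration(overrideConfig.build())
                .credentialsProvider(InstanceProfileCredentialsProvider.builder().build())
                .build();
        stsClient.getCallerIdentity();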

will fail.

Possible Solution

Replace ConnectionUtils with the standard ApacheHttpClient. ConnectionUtils is currently used only for the metadata calls.

Context

Kube2Iam in Proxy mode in OpenShift 4

Your Environment

  • AWS Java SDK version used: 2.13.13
  • JDK version used: jdk-11.0.6
  • Operating System and version: Debian Linux 8.0
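
The behaviour reported above, reproduced offline as an added example (not code from the issue or from the SDK): a connection a helper opens for itself ignores a proxy configured on a different HTTP client, and only follows one passed to that connection. It assumes the metadata helper opens its own JDK `HttpURLConnection`; the class name, stand-in servers, response bodies and loopback URL are constructed for the demo.

```java
import java.io.*;
import java.net.*;
import java.nio.charset.StandardCharsets;

public class MetadataProxyDemo {
    // Constructed stand-in server: answers every HTTP request with a fixed body.
    static ServerSocket serve(String body) throws IOException {
        ServerSocket server = new ServerSocket(0, 50, InetAddress.getByName("127.0.0.1"));
        Thread t = new Thread(() -> {
            while (true) {
                try (Socket s = server.accept()) {
                    BufferedReader in = new BufferedReader(
                            new InputStreamReader(s.getInputStream(), StandardCharsets.US_ASCII));
                    String line;
                    while ((line = in.readLine()) != null && !line.isEmpty()) { /* skip request head */ }
                    byte[] payload = body.getBytes(StandardCharsets.US_ASCII);
                    OutputStream out = s.getOutputStream();
                    out.write(("HTTP/1.1 200 OK\r\nContent-Length: " + payload.length
                            + "\r\nConnection: close\r\n\r\n").getBytes(StandardCharsets.US_ASCII));
                    out.write(payload);
                } catch (IOException e) {
                    return; // listener closed or client error: stop the demo server
                }
            }
        });
        t.setDaemon(true);
        t.start();
        return server;
    }
    // Fetch the URL over a connection opened with the given proxy setting.
    static String fetch(URL url, Proxy proxy) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) url.openConnection(proxy);
        conn.setConnectTimeout(2000);
        conn.setReadTimeout(2000);
        try (InputStream in = conn.getInputStream()) {
            return new String(in.readAllBytes(), StandardCharsets.US_ASCII);
        } finally {
            conn.disconnect();
        }
    }
    public static void main(String[] args) throws IOException {
        ServerSocket endpoint = serve("answered-by-endpoint"); // stands in for the metadata service
        ServerSocket proxy = serve("answered-by-proxy");       // stands in for the credential proxy
        URL url = URI.create("http://127.0.0.1:" + endpoint.getLocalPort() + "/latest/meta-data/").toURL();
        Proxy viaProxy = new Proxy(Proxy.Type.HTTP, new InetSocketAddress("127.0.0.1", proxy.getLocalPort()));
        System.out.println("Proxy.NO_PROXY -> " + fetch(url, Proxy.NO_PROXY));
        System.out.println("explicit proxy -> " + fetch(url, viaProxy));
    }
}
```

Which stand-in server answers each request shows the route taken: in a proxy-mode deployment the first route never reaches the credential proxy, which matches the "Unable to load credentials from service endpoint" failure in the log.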

Labels:

  • feature-request: A feature should be added or improved.
  • p1: This is a high priority issue
  • proxy: This issue is related to a proxy configuration
