Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add host.docker.internal to ContainerMetadataFetcher list of approved hosts #2515

Closed
benkehoe opened this issue Oct 4, 2021 · 7 comments
Closed

Add host.docker.internal to ContainerMetadataFetcher list of approved hosts #2515

benkehoe opened this issue Oct 4, 2021 · 7 comments
Assignees
@kdaily
Labels
feature-request This issue requests a feature. needs-review This issue or pull request needs review from a core team member. p2 This is a standard priority issue

Comments

@benkehoe
Copy link

benkehoe commented Oct 4, 2021
edited
Loading

ContainerMetadataFetcher currently allows three hosts for container metadata endpoints: 169.254.170.2, localhost, and 127.0.0.1. However, neither localhost or 127.0.0.1 represent the local docker host. Instead, the host's localhost is reachable as host.docker.internal (docs). On Linux, the workaround is to use --network host, but on Mac and Windows this doesn't work (the docker network is always isolated from the host).

host.docker.internal should be added to ContainerMetadataFetcher's list of approved hosts, so that a custom metadata endpoint for testing can be run on the host rather than needing to be run in another container.
@benkehoe benkehoe added the needs-triage This issue or PR still needs to be triaged. label Oct 4, 2021
@kdaily kdaily added feature-request This issue requests a feature. needs-review This issue or pull request needs review from a core team member. and removed needs-triage This issue or PR still needs to be triaged. labels Oct 4, 2021
@kdaily kdaily self-assigned this Oct 4, 2021
@kdaily
Copy link
Member

kdaily commented Oct 4, 2021

Thanks for the request, @benkehoe.

@benkehoe
Copy link
Author

benkehoe commented Oct 4, 2021

Actually, in looking at the other SDKs, an inconsistency is that botocore allows 169.254.170.2 in AWS_CONTAINER_CREDENTIALS_FULL_URI, where at least Go and JavaScript v2 only allow localhost/127.0.0.1 in AWS_CONTAINER_CREDENTIALS_FULL_URI and use 169.254.170.2 only for AWS_CONTAINER_CREDENTIALS_RELATIVE_URI 🤷

@kdaily
Copy link
Member

kdaily commented Oct 4, 2021

I believe that Java (v1) behavior is the same as Go/JavaScript:

https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/auth/EC2ContainerCredentialsProviderWrapper.html

@benkehoe
Copy link
Author

I have solved this for now in my aws-export-credentials tool by providing an IMDSv2-compatible endpoint; the IMDS endpoint is not subject to the same host checks. I think this issue still stands, though.

@RyanFitzSimmonsAK RyanFitzSimmonsAK added the p2 This is a standard priority issue label Nov 4, 2022
@pmeloche
Copy link

This is still an issue. We are trying to access the credentials URI from a docker container in a production environment and using --network host is not a good practice. And using aws-export-credentials seems a bit overkill to workaround this in our case.
Any chance this issue could pass the needs-review step?

@benkehoe
Copy link
Author

I should note that in addition to aws-export-credentials I made a single-purpose implementation in Go: imds-credential-server

But I'd love to see this host supported in all SDKs

@benkehoe benkehoe mentioned this issue Jul 14, 2023
Open
@benkehoe
Copy link
Author

Changing this to an issue on the cross-SDK repo: aws/aws-sdk#562

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@kdaily kdaily

Labels
feature-request This issue requests a feature. needs-review This issue or pull request needs review from a core team member. p2 This is a standard priority issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@kdaily @benkehoe @RyanFitzSimmonsAK @pmeloche