snapshot: fetch credentials from EC2IMDS #2

Merged 3 commits on Jun 23, 2025

dejanceltra
Contributor

This action relies on the AWS_REGION ENV variable provided by cloudinit (EC2 user data).

If aws-actions/configure-aws-credentials is used after this action, the AWS action will clean up all AWS_ ENV variables in its post step.

This will result in "failed to resolve service endpoint, endpoint rule error, Invalid Configuration: Missing Region" errors in the runs-on/snapshot post step.

  • There is no simple way to set AWS_REGION after the configure-aws-credentials post step.
  • Running configure-aws-credentials before this action generally won't work, since the assumed role probably won't have access to RunsOn AWS resources.
  • Without modifying this action, the only possible way is to disable exporting ENV variables from configure-aws-credentials, which would require manually passing the outputs of that step to every step that needs AWS credentials, which can be cumbersome.

I suggest that we default to RUNS_ON_AWS_REGION, and if this ENV variable is not set, config.WithRegion will receive an empty string, in which case it behaves like before (at least the documentation says so).

Region is determined in a similar way as in runs-on/cache.

Long term, RUNS_ON_AWS_REGION in conjunction with https://github.com/aws/aws-sdk-go-v2/credentials/ec2rolecreds could be used to ensure that the EC2 instance profile is used regardless of AWS_ variables and ~/.aws configuration.

@dejanceltra dejanceltra marked this pull request as ready for review June 18, 2025 06:12
Contributor

crohr commented Jun 20, 2025

@dejanceltra what if we do this, but also simply unset all AWS_ env variables before running this action? So that we can be sure it only uses the local ec2 instance profile?

@dejanceltra dejanceltra changed the title from "Default to RUNS_ON_AWS_REGION region" to "snapshot: fetch credentials from EC2IMDS" on Jun 21, 2025
Contributor Author

dejanceltra commented Jun 21, 2025

@crohr I've updated the code to fetch credentials and region from IMDS.

From testing, this ignores both ~/.aws and AWS_ ENV variables, so we don't need to unset them.

metaClient := imds.New(imds.Options{})

// We need to explicitly fetch the region from IMDS, since `config.WithEC2IMDSRegion()` relies on local/ENV config.
region, err := metaClient.GetRegion(context, &imds.GetRegionInput{})
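
Review bot: imds.New(imds.Options{}) on the first line still reads AWS_EC2_METADATA_DISABLED and AWS_EC2_METADATA_SERVICE_ENDPOINT from the environment when the corresponding options are left at their zero values, so an earlier workflow step can still disable or redirect the metadata client. Setting ClientEnableState: imds.ClientEnabled and an explicit Endpoint in the options would make the lookup independent of the environment. Separately, the variable named context on the GetRegion line shadows the standard context package; ctx is the conventional name.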
Contributor

Maybe default to RUNS_ON_AWS_REGION since it's already present on RunsOn runners?

@dejanceltra dejanceltra requested a review from crohr June 23, 2025 07:06
Contributor

@crohr crohr left a comment

Thanks!

@crohr crohr merged commit 2ec0deb into runs-on:main Jun 23, 2025
@crohr crohr mentioned this pull request Jul 7, 2025