Possibility to reduce the number of IMDSv2 token calls?

[stefansundin]

Hello everyone. I recently published my first public Rust program and I'm using the AWS SDK.

I'm using IMDSv2 to get:

1. The EC2 instance's region.
2. The EC2 instance's instance id.
3. Credentials.

Each one of these perform a call to get an IMDSv2 token. They should be able to use the same one (which is what I would have done in an equivalent bash script, for example).

Is it possible to somehow supply a token manually? If there isn't, can such a feature be added? And I don't think it is possible to retrieve the cached token from one of the requests above, which would be needed to pass it on.

Here's an issue I filed for myself that has links to the code snippets in my repository: stefansundin/bottlerocket-bootstrap-associate-eip#1.

Here's some of the code I use:

let region_provider = aws_config::imds::region::ImdsRegionProvider::builder().build(); 
let region = region_provider.region().await;

let imds_client = aws_config::imds::client::Client::builder() 
  .build() 
  .await 
  .expect("could not initialize the IMDS client"); 
 
let instance_id = imds_client 
  .get("/latest/meta-data/instance-id") 
  .await 
  .expect("could not get the instance ID from IMDS"); 

let shared_config = aws_config::from_env()
  .credentials_provider(aws_config::imds::credentials::ImdsCredentialsProvider::builder().build())
  .region(region)
  .load()
  .await;
let ec2_client = aws_sdk_ec2::Client::new(&shared_config);

Check out version 0.1.0 of the program for simpler code (just 59 lines) than version 0.2.0: https://github.com/stefansundin/bottlerocket-bootstrap-associate-eip/blob/v0.1.0/src/main.rs

Thank you!

[jdisanti]

I think the reason it's not caching is because each individual IMDS Client maintains its own token cache. You can construct the IMDS client once, and then pass it into the ImdsRegionProvider and ImdsCredentialsProvider builders.

Note: the aws-config defaults already use IMDS to retrieve region and credentials, so this extra configuration code isn't necessary unless you're trying to prohibit other methods of discovering them.

[stefansundin]

Thanks! It appears that this works. Is this the correct way to do it (i.e. with .clone())?

I guess even though I'm cloning it, somehow there's a backing data structure that's shared? Because I'm not performing a request before I clone it the first time (I considered moving the retrieval of instance_id before the first .clone() but it doesn't appear to matter).

  let imds_client = aws_config::imds::client::Client::builder()
    .build()
    .await
    .expect("could not initialize the IMDS client");

  let region_provider = aws_config::imds::region::ImdsRegionProvider::builder()
    .imds_client(imds_client.clone())
    .build();

  let instance_id = imds_client
    .get("/latest/meta-data/instance-id")
    .await
    .expect("could not get the instance ID from IMDS");

  let credentials_provider = aws_config::imds::credentials::ImdsCredentialsProvider::builder()
    .imds_client(imds_client.clone())
    .build();

I guess I didn't realize that the region is loaded automatically. I'm used to the aws cli giving me an error if I don't provide a region, and I don't recall that the Go SDK does this but I may be mistaken.

Another problem that I just realized is that specifying the SdkConfig to only use the IMDS credentials provider using .credentials_provider(aws_config::imds::credentials::ImdsCredentialsProvider::builder().build()) causes it to query IMDS for credentials on every API call. I expected the client to cache the credentials until they expire. And it seems like the .credentials() method is private so there is no way for me to use ImdsCredentialsProvider to retrieve the credentials in order to then construct a static credentials object with those credentials.

I guess one fix for this problem is to, as you say, not explicitly specify where to pull the credentials from. I want to avoid accidentally pulling credentials from the ~/.aws/credentials, since this program should only run on EC2 instances. Is there another way to avoid this problem other than not configuring the credentials provider?

Thanks for the help!

[jdisanti]

Is this the correct way to do it (i.e. with .clone())?

The client clones are a simple Arc reference counter increment, so that's perfectly fine!

Another problem that I just realized is that specifying the SdkConfig to only use the IMDS credentials provider using .credentials_provider(aws_config::imds::credentials::ImdsCredentialsProvider::builder().build()) causes it to query IMDS for credentials on every API call.

This seems like a bug to me. I think all the credential providers should automatically cache when set explicitly, but it's definitely not the case currently (I think only AssumeRoleCredentialsProvider currently does this). I filed #629 to address this.

In the meantime, you can manually wrap the provider in LazyCachingCredentialsProvider to make it cache.

Is there another way to avoid this problem other than not configuring the credentials provider?

I think overriding the default credentials provider chain is the only way to do this.

[stefansundin]

I think you've solved all of my questions. Thank you!

[github-actions[bot]]

Hello! Reopening this discussion to make it searchable.