Better error handling for AWS token fetching (#884)

basepi · web-flow · commit d137d988a044 · 2020-07-09T17:29:04.000-06:00
* Better error handling for AWS token fetching

It turns out for docker containers on AWS elastic beanstalk, the PUT for the
token fails, and fails slowly. This is not the case for the ec2 host on which
the docker container is running. This was causing issues, compounded by the
fact that I didn't have `retries=False` on that call.

* Add changelog

* Add comments about IMDSv2
diff --git a/CHANGELOG.asciidoc b/CHANGELOG.asciidoc
@@ -42,6 +42,7 @@ endif::[]
 ===== Bug fixes
 
 * Updated CLOUD_PROVIDER config to allow for new options defined in https://github.com/elastic/apm/issues/289[#289] {pull}878[#878]
+* Fixed a bug in AWS metadata collection on docker containers in AWS Elastic Beanstalk {pull}884[#884]
 
 
 [[release-notes-5.x]]
diff --git a/elasticapm/utils/cloud.py b/elasticapm/utils/cloud.py
@@ -47,17 +47,26 @@ def aws_metadata():
         # and will be quiet in the logs, unlike urllib3
         socket.create_connection(("169.254.169.254", 80), 0.1)
 
-        ttl_header = {"X-aws-ec2-metadata-token-ttl-seconds": "300"}
-        token_url = "http://169.254.169.254/latest/api/token"
-        token_request = http.request("PUT", token_url, headers=ttl_header, timeout=3.0)
-        token = token_request.data.decode("utf-8")
-        aws_token_header = {"X-aws-ec2-metadata-token": token} if token else {}
+        try:
+            # This whole block is almost unnecessary. IMDSv1 will be supported
+            # indefinitely, so the only time this block is needed is if a
+            # security-conscious user has set the metadata service to require
+            # IMDSv2. Thus, the very expansive try:except: coverage.
+
+            # TODO: should we have a config option to completely disable IMDSv2 to reduce overhead?
+            ttl_header = {"X-aws-ec2-metadata-token-ttl-seconds": "300"}
+            token_url = "http://169.254.169.254/latest/api/token"
+            token_request = http.request("PUT", token_url, headers=ttl_header, timeout=1.0, retries=False)
+            token = token_request.data.decode("utf-8")
+            aws_token_header = {"X-aws-ec2-metadata-token": token} if token else {}
+        except Exception:
+            aws_token_header = {}
         metadata = json.loads(
             http.request(
                 "GET",
                 "http://169.254.169.254/latest/dynamic/instance-identity/document",
                 headers=aws_token_header,
-                timeout=3.0,
+                timeout=1.0,
                 retries=False,
             ).data.decode("utf-8")
         )
@@ -94,7 +103,7 @@ def gcp_metadata():
                 "GET",
                 "http://metadata.google.internal/computeMetadata/v1/?recursive=true",
                 headers=headers,
-                timeout=3.0,
+                timeout=1.0,
                 retries=False,
             ).data.decode("utf-8")
         )
@@ -135,7 +144,7 @@ def azure_metadata():
                 "GET",
                 "http://169.254.169.254/metadata/instance/compute?api-version=2019-08-15",
                 headers=headers,
-                timeout=3.0,
+                timeout=1.0,
                 retries=False,
             ).data.decode("utf-8")
         )
