Skip to content

Set default IMDS timeouts to match AWS SDK #10133

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 7 commits into from
Oct 16, 2020
Merged

Set default IMDS timeouts to match AWS SDK #10133

merged 7 commits into from
Oct 16, 2020

Conversation

@tvoran
Copy link
Member

@tvoran tvoran commented Oct 12, 2020
edited
Loading

Sets timeout and retries on the http client used for connecting to the local instance metadata service (IMDS) to match those in the AWS go SDK: aws/aws-sdk-go#3066

The main motivation for this patch is the slow startup when using auto-unseal on AWS since 1.4, ex:

This essentially shortens the time it takes for the aws sdk to fall back to v1 of the IMDS API, when vault is running in docker on an EC2 instance, and the hop limit on the underlying EC2 instance is set to 1:

Vault would be using those timeout and retry settings already, but the default http client is being overridden in GenerateCredentialChain():

vault/sdk/helper/awsutil/generate_credentials.go

Lines 107 to 117 in 10c0ada

// Add the remote provider
def := defaults.Get()
if c.Region != "" {
def.Config.Region = aws.String(c.Region)
}
if c.HTTPClient != nil {
def.Config.HTTPClient = c.HTTPClient
}
providers = append(providers, defaults.RemoteCredProvider(*def.Config, def.Handlers))

Which then causes this block in the SDK to be skipped:
https://github.com/aws/aws-sdk-go/blob/v1.30.27/aws/ec2metadata/service.go#L75-L87

func NewClient(cfg aws.Config, handlers request.Handlers, endpoint, signingRegion string, opts ...func(*client.Client)) *EC2Metadata {
	if !aws.BoolValue(cfg.EC2MetadataDisableTimeoutOverride) && httpClientZero(cfg.HTTPClient) {
		// If the http client is unmodified and this feature is not disabled
		// set custom timeouts for EC2Metadata requests.
		cfg.HTTPClient = &http.Client{
			// use a shorter timeout than default because the metadata
			// service is local if it is running, and to fail faster
			// if not running on an ec2 instance.
			Timeout: 1 * time.Second,
		}
		// max number of retries on the client operation
		cfg.MaxRetries = aws.Int(2)
	}

Note that this patch skips setting the defaults if either AWS_CONTAINER_CREDENTIALS_FULL_URI or AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is present in the env, because they trigger a different codepath than NewClient(). Those environment variables are checked in the SDK in RemoteCredProvider():
https://github.com/aws/aws-sdk-go/blob/v1.30.27/aws/defaults/defaults.go#L120-L133

@tvoran tvoran requested a review from a team October 12, 2020 21:50
@calvn calvn added this to the 1.6 milestone Oct 14, 2020
@calvn calvn requested a review from briankassouf October 16, 2020 18:05
@tvoran tvoran merged commit 88cef0c into master Oct 16, 2020
@tvoran tvoran deleted the VAULT-564/set-imds-timeouts branch October 16, 2020 22:54
tvoran added a commit that referenced this pull request Oct 16, 2020
@tvoran
Set default IMDS timeouts to match AWS SDK (#10133)
97ffd55
@tvoran tvoran mentioned this pull request Oct 16, 2020
Merged
tvoran added a commit that referenced this pull request Oct 16, 2020
@tvoran
Set default IMDS timeouts to match AWS SDK (#10133)
520514c
@tvoran tvoran mentioned this pull request Oct 16, 2020
Merged
tvoran added a commit that referenced this pull request Oct 16, 2020
@tvoran
Set default IMDS timeouts to match AWS SDK (#10133) (#10167)
5343e11
tvoran added a commit that referenced this pull request Oct 17, 2020
@tvoran
Set default IMDS timeouts to match AWS SDK (#10133) (#10168)
0668169
@tvoran tvoran mentioned this pull request Oct 22, 2020
Merged
@khanhntd khanhntd mentioned this pull request Jun 6, 2022
Merged
@github-actions github-actions bot mentioned this pull request Oct 20, 2025
Closed
4 tasks
JeremiahWork pushed a commit to JeremiahWork/vault that referenced this pull request Nov 21, 2025
@hc-github-team-secure-vault-core @victorr
Add changelog entry for PKI-only certificate counts metrics and API. (h…
7eb9cd5 
…ashicorp#10124) (hashicorp#10132) (hashicorp#10133)

Co-authored-by: Victor Rodriguez <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@briankassouf briankassouf Awaiting requested review from briankassouf

1 more reviewer

@calvn calvn calvn approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

auth/aws core/seal secret/aws

Projects

None yet

Milestone

1.6

Development

Successfully merging this pull request may close these issues.

2 participants

@tvoran @calvn