[Bug] eksctl no EC2 IMDS role found, operation error ec2imds while running in docker container

Question

[Bug] eksctl no EC2 IMDS role found, operation error ec2imds while running in docker container

Opened this issue a month ago · 2 comments

cantonnetwork-infstones commented a month ago

What were you trying to accomplish?

Any eksctl get command fails. Did not test other commands. This works well on the same EC2 instance where we are running the docker container.

eksctl get iamserviceaccount --cluster <cluster-name>  # or any iamserviceaccount command

Expected Output:

app-ns		app		arn:aws:iam::xxxxx:role/xyz

What happened?

Any eksctl version higher than v0.185.0 does not work in a container while v0.185.0 works. We get the below error for anything above v0.185.0

Error: could not create cluster provider from options: checking AWS STS access – cannot get role ARN for current session: operation error STS: GetCallerIdentity, get identity: get credentials: failed to refresh cached credentials, operation error STS: AssumeRole, get identity: get credentials: failed to refresh cached credentials, no EC2 IMDS role found, operation error ec2imds: GetMetadata, canceled, context deadline exceeded

The following command does give proper output

aws sts get-caller-identity
{
    "UserId": "AROATxxxxxx:botocore-session-12345",
    "Account": "123456",
    "Arn": "arn:aws:sts::123456:assumed-role/xxxx/botocore-session-12345"
}

How to reproduce it?

To reproduce run any version of eksctl above v0.185.0 in a docker container.

~/aws/config is configured as follows

[default]
region = us-east-1

~/.aws/credentials is configured as follows

[app-01]
region=us-east-1
role_arn=arn:aws:iam::12345:role/app-01
credential_source=Ec2InstanceMetadata
duration_seconds=3600

export AWS_PROFILE=app-01

eksctl get iamserviceaccount --cluster xyz

Logs

eksctl get iamserviceaccount --cluster xyz -v4
2024-10-25 03:57:15 [▶]  Setting credentials expiry window to 30 minutes
2024-10-25 03:57:15 [▶]  Setting credentials expiry window to 30 minutes
Error: could not create cluster provider from options: checking AWS STS access – cannot get role ARN for current session: operation error STS: GetCallerIdentity, get identity: get credentials: failed to refresh cached credentials, operation error STS: AssumeRole, get identity: get credentials: failed to refresh cached credentials, no EC2 IMDS role found, operation error ec2imds: GetMetadata, canceled, context deadline exceeded

Anything else we need to know?

OS: ubuntu 22.04 (both docker and ec2)
Downloaded the binary using the official documentation

Versions

$ eksctl info

eksctl version: 0.194.0
kubectl version: v1.31.2
OS: linux

Answer 1 · 2024-10-25T04:01:25.000Z

Hello cantonnetwork-infstones 👋 Thank you for opening an issue in eksctl project. The team will review the issue and aim to respond within 1-5 business days. Meanwhile, please read about the Contribution and Code of Conduct guidelines here. You can find out more information about eksctl on our website

Answer 2 · 2024-11-05T15:37:04.000Z

Any update on this?