AWS SDK .NET, how do I access s3 through a privatelink using the ec2 imdsv2

62 views Asked by At

I am having trouble accessing the ec2 iamRole in order to access the privatelinked s3 bucket. There is a proxy which made things complicated until I realized that I was getting the proxy's iamRole. And when I realized that I also realized that the reason InstanceProfileAWSCredentials was throwing a 401 error was because it was trying to get the metadata without a token. Or at least this is what I think is the issue.

imdsv2 locks the metadata behind a token which can be gotten and used as follows

TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"`
curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/meta-data/iam/info

If I try the curl without the token I get a 401 Unauthorized error, the same error I get with the InstanceProfileAWSCredentials call. Whereas aws cli works just perfectly and automatically.

The code I am using to try to download the s3 file is as below.

Amazon.S3.AmazonS3Config S3config = new Amazon.S3.AmazonS3Config();
S3config.ServiceURL = "http://s3.region.amazonaws.com";
S3config.SetWebProxy(new System.Net.WebProxy()); //PrivateLink no proxy needed

var credentials = new Amazon.Runtime.InstanceProfileAWSCredentials(new System.Net.WebProxy());
# breaks here

Amazon.S3.AmazonS3Client _S3 = new Amazon.S3.AmazonS3Client(credentials, S3config);
Amazon.S3.Model.GetObjectResponse response = await _S3.GetObjectAsync(context.Bucket, context.Key);
# or here

But I cannot find a way to get that token and to use it with the AWS SDK. I imagined it would automatic as per https://repost.aws/questions/QUOZ3ir9juQAaH35gmZec_GQ/imdsv2-and-aws-cli-commands

This is not generally needed for normal usage of the AWS CLI or SDKs, which handle this automatically.

but if it throws a 401 error it doesn't seem like it is. What is the workaround for this? All I need is to get the iamRole from the ec2 metadata and use that to access the s3 bucket.

UPDATE: If I manually add the role name to the InstanceProfileAWSCredentials("MyRole") it passes that method and then I get the same 401 error when trying to access the s3 bucket. I am thinking the s3 client is probably trying to access with just the name and not a token from that role.

1

There are 1 answers

0
Ranald Fong On BEST ANSWER

Thank you jarmod. That was the answer. I was troubleshooting some other projects code where the SDK was an older version where I guess it did not work with IMDS v2. After updating all of the AWS SDK's and Newtonsoft JSON, I got past that issue and the SDK was able to get the imds v2 role and therefore accessid, secretkey, and token. Thank you.