Could not fetch AWS metadata with KIAM

[starchx]

Upgrading Envoy from v.1.9.1-prod to v1.11.1.1-prod breaks the IAM credentials fetch with KIAM. Looking at trace logs from Envoy container:

The initial request was sent to:

http://169.254.169.254:80/latest/meta-data/iam/security-credentials

and it returns by KIAM:

<a href="/latest/meta-data/iam/security-credentials/">Moved Permanently</a>

Then Envoy sent request to this invalid URL by appending the response from KIAM:

[2019-09-22 14:04:02.860][16][trace][misc] [source/extensions/filters/http/common/aws/utility.cc:128] Fetching credentials from http://169.254.169.254:80/latest/meta-data/iam/security-credentials/<a href="/latest/meta-data/iam/security-credentials/">Moved Permanently</a>.
[2019-09-22 14:04:02.860][16][warning][misc] [source/extensions/filters/http/common/aws/utility.cc:133] Could not fetch AWS metadata: HTTP response code said error

Looking into the code:

envoy/source/extensions/filters/http/common/aws/credentials_provider_impl.cc

Line 72 in e349fb6

metadata_fetcher_(EC2_METADATA_HOST, SECURITY_CREDENTIALS_PATH, "");

Will this change fix the issue?

metadata_fetcher_(EC2_METADATA_HOST, SECURITY_CREDENTIALS_PATH, "");

to:

metadata_fetcher_(EC2_METADATA_HOST, std::string(SECURITY_CREDENTIALS_PATH) + "/", "");

[starchx]

Full trace log attached in case it helps:

[2019-09-22 14:03:48.940][1][debug][main] [source/server/server.cc:170] flushing stats
[2019-09-22 14:03:53.941][1][debug][main] [source/server/server.cc:170] flushing stats
[2019-09-22 14:03:58.939][1][debug][main] [source/server/server.cc:170] flushing stats
[2019-09-22 14:04:02.859][1][debug][config] [bazel-out/k8-fastbuild/bin/source/common/config/_virtual_includes/grpc_stream_lib/common/config/grpc_stream.h:43] Establishing new gRPC bidi stream for rpc StreamAggregatedResources(stream .envoy.api.v2.DiscoveryRequest) returns (stream .envoy.api.v2.DiscoveryResponse);

[2019-09-22 14:04:02.859][16][debug][aws] [source/extensions/filters/http/common/aws/credentials_provider_impl.cc:39] Getting AWS credentials from the environment
[2019-09-22 14:04:02.859][16][debug][aws] [source/extensions/filters/http/common/aws/credentials_provider_impl.cc:68] Getting AWS credentials from the instance metadata
[2019-09-22 14:04:02.859][1][trace][config] [source/common/config/grpc_mux_impl.cc:60] Sending DiscoveryRequest for type.googleapis.com/envoy.api.v2.Cluster: node {
  id: "mesh/dj-app/virtualNode/business-logic-deployment-appmesh-prod"
  cluster: "mesh/dj-app/virtualNode/business-logic-deployment-appmesh-prod"
  build_version: "ddc26f5e8ec01d15db8b100c8615de53b4f5d4b3/1.11.1/Clean/DEBUG/BoringSSL"
}
type_url: "type.googleapis.com/envoy.api.v2.Cluster"

[2019-09-22 14:04:02.859][16][trace][misc] [source/extensions/filters/http/common/aws/utility.cc:128] Fetching credentials from http://169.254.169.254:80/latest/meta-data/iam/security-credentials
[2019-09-22 14:04:02.859][1][trace][grpc] [source/common/grpc/google_async_client_impl.cc:206] Queued message to write (244 bytes)
[2019-09-22 14:04:02.859][1][trace][config] [source/common/config/grpc_mux_impl.cc:60] Sending DiscoveryRequest for type.googleapis.com/envoy.api.v2.Listener: node {
  id: "mesh/dj-app/virtualNode/business-logic-deployment-appmesh-prod"
  cluster: "mesh/dj-app/virtualNode/business-logic-deployment-appmesh-prod"
  build_version: "ddc26f5e8ec01d15db8b100c8615de53b4f5d4b3/1.11.1/Clean/DEBUG/BoringSSL"
}
type_url: "type.googleapis.com/envoy.api.v2.Listener"

[2019-09-22 14:04:02.859][1][trace][grpc] [source/common/grpc/google_async_client_impl.cc:206] Queued message to write (245 bytes)
[2019-09-22 14:04:02.860][16][trace][misc] [source/extensions/filters/http/common/aws/utility.cc:93] Appending 78 bytes to metadata
[2019-09-22 14:04:02.860][16][debug][aws] [source/extensions/filters/http/common/aws/credentials_provider_impl.cc:84] AWS credentials list:
<a href="/latest/meta-data/iam/security-credentials/">Moved Permanently</a>.


[2019-09-22 14:04:02.860][16][debug][aws] [source/extensions/filters/http/common/aws/credentials_provider_impl.cc:91] AWS credentials path: /latest/meta-data/iam/security-credentials/<a href="/latest/meta-data/iam/security-credentials/">Moved Permanently</a>.
[2019-09-22 14:04:02.860][16][trace][misc] [source/extensions/filters/http/common/aws/utility.cc:128] Fetching credentials from http://169.254.169.254:80/latest/meta-data/iam/security-credentials/<a href="/latest/meta-data/iam/security-credentials/">Moved Permanently</a>.
[2019-09-22 14:04:02.860][16][warning][misc] [source/extensions/filters/http/common/aws/utility.cc:133] Could not fetch AWS metadata: HTTP response code said error
[2019-09-22 14:04:03.860][16][trace][misc] [source/extensions/filters/http/common/aws/utility.cc:128] Fetching credentials from http://169.254.169.254:80/latest/meta-data/iam/security-credentials/<a href="/latest/meta-data/iam/security-credentials/">Moved Permanently</a>.
[2019-09-22 14:04:03.861][16][warning][misc] [source/extensions/filters/http/common/aws/utility.cc:133] Could not fetch AWS metadata: HTTP response code said error
[2019-09-22 14:04:03.945][1][debug][main] [source/server/server.cc:170] flushing stats
[2019-09-22 14:04:04.861][16][trace][misc] [source/extensions/filters/http/common/aws/utility.cc:128] Fetching credentials from http://169.254.169.254:80/latest/meta-data/iam/security-credentials/<a href="/latest/meta-data/iam/security-credentials/">Moved Permanently</a>.
[2019-09-22 14:04:04.862][16][warning][misc] [source/extensions/filters/http/common/aws/utility.cc:133] Could not fetch AWS metadata: HTTP response code said error
[2019-09-22 14:04:05.864][16][trace][misc] [source/extensions/filters/http/common/aws/utility.cc:128] Fetching credentials from http://169.254.169.254:80/latest/meta-data/iam/security-credentials/<a href="/latest/meta-data/iam/security-credentials/">Moved Permanently</a>.
[2019-09-22 14:04:05.865][16][warning][misc] [source/extensions/filters/http/common/aws/utility.cc:133] Could not fetch AWS metadata: HTTP response code said error
[2019-09-22 14:04:06.865][16][error][aws] [source/extensions/filters/http/common/aws/credentials_provider_impl.cc:96] Could not load AWS credentials document from the instance metadata
[2019-09-22 14:04:06.865][16][debug][aws] [source/extensions/filters/http/common/aws/credentials_provider_impl.cc:179] No AWS credentials found, using anonymous credentials
[2019-09-22 14:04:06.865][14][trace][grpc] [source/common/grpc/google_async_client_impl.cc:50] completionThread CQ event 0 true
[2019-09-22 14:04:06.865][1][trace][grpc] [source/common/grpc/google_async_client_impl.cc:256] handleOpCompletion op=0 ok=true inflight=1
[2019-09-22 14:04:06.866][14][trace][grpc] [source/common/grpc/google_async_client_impl.cc:50] completionThread CQ event 3 true
[2019-09-22 14:04:06.866][1][trace][grpc] [source/common/grpc/google_async_client_impl.cc:241] Write op dispatched
[2019-09-22 14:04:06.866][1][trace][grpc] [source/common/grpc/google_async_client_impl.cc:256] handleOpCompletion op=3 ok=true inflight=2
[2019-09-22 14:04:06.866][14][trace][grpc] [source/common/grpc/google_async_client_impl.cc:50] completionThread CQ event 3 true
[2019-09-22 14:04:06.866][1][trace][grpc] [source/common/grpc/google_async_client_impl.cc:241] Write op dispatched
[2019-09-22 14:04:06.866][1][trace][grpc] [source/common/grpc/google_async_client_impl.cc:256] handleOpCompletion op=3 ok=true inflight=2
[2019-09-22 14:04:06.867][14][trace][grpc] [source/common/grpc/google_async_client_impl.cc:50] completionThread CQ event 1 true
[2019-09-22 14:04:06.867][1][trace][grpc] [source/common/grpc/google_async_client_impl.cc:256] handleOpCompletion op=1 ok=true inflight=1
[2019-09-22 14:04:06.867][14][trace][grpc] [source/common/grpc/google_async_client_impl.cc:50] completionThread CQ event 2 false
[2019-09-22 14:04:06.867][1][trace][grpc] [source/common/grpc/google_async_client_impl.cc:256] handleOpCompletion op=2 ok=false inflight=1
[2019-09-22 14:04:06.867][14][trace][grpc] [source/common/grpc/google_async_client_impl.cc:50] completionThread CQ event 5 true
[2019-09-22 14:04:06.867][1][trace][grpc] [source/common/grpc/google_async_client_impl.cc:256] handleOpCompletion op=5 ok=true inflight=1
[2019-09-22 14:04:06.867][1][debug][grpc] [source/common/grpc/google_async_client_impl.cc:333] Finish with grpc-status code 16
[2019-09-22 14:04:06.867][1][debug][grpc] [source/common/grpc/google_async_client_impl.cc:197] notifyRemoteClose 16
[2019-09-22 14:04:06.867][1][warning][config] [bazel-out/k8-fastbuild/bin/source/common/config/_virtual_includes/grpc_stream_lib/common/config/grpc_stream.h:87] gRPC config stream closed: 16,
[2019-09-22 14:04:06.867][1][debug][config] [source/common/config/grpc_mux_subscription_impl.cc:69] gRPC update for type.googleapis.com/envoy.api.v2.Listener failed
[2019-09-22 14:04:06.867][1][debug][config] [source/common/config/grpc_mux_subscription_impl.cc:69] gRPC update for type.googleapis.com/envoy.api.v2.Cluster failed
[2019-09-22 14:04:06.867][1][debug][grpc] [source/common/grpc/google_async_client_impl.cc:369] Stream cleanup with 0 in-flight tags
[2019-09-22 14:04:06.867][1][debug][grpc] [source/common/grpc/google_async_client_impl.cc:358] Deferred delete
[2019-09-22 14:04:06.867][1][trace][main] [source/common/event/dispatcher_impl.cc:158] item added to deferred deletion list (size=1)
[2019-09-22 14:04:06.867][1][trace][main] [source/common/event/dispatcher_impl.cc:76] clearing deferred deletion list (size=1)
[2019-09-22 14:04:06.867][1][debug][grpc] [source/common/grpc/google_async_client_impl.cc:141] GoogleAsyncStreamImpl destruct
[2019-09-22 14:04:08.942][1][debug][main] [source/server/server.cc:170] flushing stats
[2019-09-22 14:04:13.940][1][debug][main] [source/server/server.cc:170] flushing stats

[mattklein123]

cc @bcelenza ^

[bcelenza]

Thanks @mattklein123 for giving me the heads up, and @starchx for reporting it. I'll have the App Mesh team take a look at this. It appears this bug exists for both our vended image and the upstreamed code to Envoy (it's the same code nowadays).

We can assign this to me for now.

[lavignes]

I think the better long-term fix here is to just enable handling redirects in our curl client. Some metadata endpoints are going to in turn redirect host/path/ back to host/path and we'll end up in a similar situation.

I'll send out a PR shortly.

[lavignes]

Just wanted to update this issue to say that I have included this fix in App Mesh's 1.11.2.0 release of Envoy aws/aws-app-mesh-roadmap#118.

[mikeschuld]

I am seeing this or a very similar issue using 840364872350.dkr.ecr.us-west-2.amazonaws.com/aws-appmesh-envoy:v1.12.1.0-prod to try and set up AppMesh. Could this have regressed? Not a ton of detail coming out in my ECS logs, here's what I am seeing for reference:

2020-02-06 12:14:26[2020-02-06 19:14:26.453][1][warning][config] [bazel-out/k8-fastbuild/bin/source/common/config/_virtual_includes/grpc_stream_lib/common/config/grpc_stream.h:91] gRPC config stream closed: 16,
2020-02-06 12:14:26[2020-02-06 19:14:26.449][12][error][aws] [source/extensions/filters/http/common/aws/credentials_provider_impl.cc:74] Could not retrieve credentials listing from the instance metadata
2020-02-06 12:14:25[2020-02-06 19:14:25.449][12][warning][misc] [source/extensions/filters/http/common/aws/utility.cc:134] Could not fetch AWS metadata: Couldn't connect to server
2020-02-06 12:14:24[2020-02-06 19:14:24.449][12][warning][misc] [source/extensions/filters/http/common/aws/utility.cc:134] Could not fetch AWS metadata: Couldn't connect to server
2020-02-06 12:14:23[2020-02-06 19:14:23.448][12][warning][misc] [source/extensions/filters/http/common/aws/utility.cc:134] Could not fetch AWS metadata: Couldn't connect to server
2020-02-06 12:14:22[2020-02-06 19:14:22.448][12][warning][misc] [source/extensions/filters/http/common/aws/utility.cc:134] Could not fetch AWS metadata: Couldn't connect to server
2020-02-06 12:14:21[2020-02-06 19:14:21.939][1][info][config] [source/server/configuration_impl.cc:72] loading 0 listener(s)
2020-02-06 12:14:21[2020-02-06 19:14:21.939][1][info][config] [source/server/configuration_impl.cc:97] loading tracing configuration
2020-02-06 12:14:21[2020-02-06 19:14:21.939][1][info][config] [source/server/configuration_impl.cc:117] loading stats sink configuration
2020-02-06 12:14:21[2020-02-06 19:14:21.939][1][info][main] [source/server/server.cc:549] starting main dispatch loop
2020-02-06 12:14:21[2020-02-06 19:14:21.938][1][info][upstream] [source/common/upstream/cluster_manager_impl.cc:157] cm init: initializing cds
2020-02-06 12:14:21[2020-02-06 19:14:21.936][1][info][config] [source/server/configuration_impl.cc:62] loading 0 static secret(s)
2020-02-06 12:14:21[2020-02-06 19:14:21.936][1][info][config] [source/server/configuration_impl.cc:68] loading 0 cluster(s)
2020-02-06 12:14:21[2020-02-06 19:14:21.935][1][info][main] [source/server/server.cc:458] runtime: layers:

[lavignes]

Hey @mikeschuld. You could turn up your envoy log level to see if you get anything else. i.e. set ENVOY_LOG_LEVEL=debug on your containers. I'd suspect that your pods can't reach: http://169.254.169.254:80 for some reason. KIAM should be setting up a fake credentials endpoint at that address https://github.com/uswitch/kiam#agent

Perhaps its failing to start the agent?