Deploying into ECS | sessionToken not found #198

Closed
snssays opened this issue Jan 11, 2024 · 4 comments
@snssays

snssays commented Jan 11, 2024

Describe the bug
I have deployed the nginx-s3-gateway into an AWS ECS container. I gave the ECS Task role the read permissions for the bucket. I am using sigv4 and it requires AWS_SESSION_TOKEN. Apparently the ECS Task role doesn't populate AWS_SESSION_TOKEN. It populates only AWS_ACCESS_KEY_ID & AWS_SECRET_ACCESS_KEY. Because of that I am getting a 404.

To Reproduce
I am following the template you guys provided for ECS.

Expected behavior
The session token needs to be populated and access to S3 should happen.

Your environment

  • latest-20231222 from Docker Hub
  • S3 backend implementation you are using: AWS
  • How you are deploying: Docker (ECS)
  • NGINX type: OSS
  • Authentication method: IAM with Fargate

Additional context

        Jan 11 10:38:06.593 mkdocs-s3-privatelink at sessionToken (/etc/nginx/include/awscredentials.js:83)
        Jan 11 10:38:06.593 mkdocs-s3-privatelink 2024/01/11 16:38:06 [error] 74#74: *15 js exception: TypeError: cannot get property "sessionToken" of undefined
        Jan 11 10:38:06.593 mkdocs-s3-privatelink at s3auth (/etc/nginx/include/s3gateway.js:184)
        Jan 11 10:38:06.593 mkdocs-s3-privatelink at signatureV4 (/etc/nginx/include/awssig4.js:51)

@4141done
Collaborator

Thank you for your report. Let me look into this and get back to you. Would you be able to provide an example of how you are starting the gateway? A redacted settings file or docker run command would be helpful in diagnosing. At first glance, it looks like no credentials are present based on the stack trace, but I'll need to dig in further. Knowing how configuration is being provided would be helpful.

@snssays
Author

snssays commented Jan 12, 2024

Yes, not even access id, session token, security token. None are present. Instead that fetchCredentials method, I couldn't find where it's being called in sigv4.

I am using the Fargate with ECS approach. I used CDK and generated a CloudFormation template. I made sure that the task role has read/list permissions on bucket and bucket/*. I am not using a settings file; instead I am using environment variables which are provided in the CFTemplate by you guys.

I am using these env variables.

        S3_BUCKET_NAME: mainBucketName,
        S3_SERVER: `s3.${this.region}.amazonaws.com`,
        S3_SERVER_PORT: '443',
        S3_SERVER_PROTO: 'https',
        S3_REGION: this.region,
        S3_STYLE: 'default',
        DEBUG: 'true',
        AWS_SIGS_VERSION: '4',
        ALLOW_DIRECTORY_LIST: 'true',

I am using your nginxinc/nginx-s3-gateway:latest-20231222 image. Using regular docker run <image-name>

4141done self-assigned this Jan 12, 2024
@snssays
Author

snssays commented Jan 12, 2024

It's working now. My health check path wasn't /health. I overrode it and I believe that was the default.

@4141done
Collaborator

Glad to hear it! I'm going to close the issue for now. Please feel free to reopen if you feel there is an issue here. I'll take a look at that code to see if there can be a better error message in this case.
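
An added example, not code from nginx-s3-gateway or from either participant: a sketch of the clearer error the last comment mentions, next to the unguarded read that produces a TypeError like the one in the log. All function names are hypothetical and the credential values are constructed; the JSON field names are those of the ECS task credentials endpoint response.

```javascript
// Added illustration; names below are hypothetical, not nginx-s3-gateway's API.

// Shape of the JSON served by the ECS task credentials endpoint
// (http://169.254.170.2 + $AWS_CONTAINER_CREDENTIALS_RELATIVE_URI).
// Constructed sample values, not real credentials.
const SAMPLE_ECS_RESPONSE = JSON.stringify({
  AccessKeyId: 'ASIAEXAMPLEEXAMPLE00',
  SecretAccessKey: 'constructed-secret-for-illustration',
  Token: 'constructed-session-token',
  Expiration: '2024-01-11T22:38:06Z',
});

// Convert the endpoint response into the object a SigV4 signer reads.
function parseEcsCredentials(body) {
  const doc = JSON.parse(body);
  for (const field of ['AccessKeyId', 'SecretAccessKey', 'Token', 'Expiration']) {
    if (typeof doc[field] !== 'string' || doc[field] === '') {
      throw new Error(`ECS credentials response is missing "${field}"`);
    }
  }
  return {
    accessKeyId: doc.AccessKeyId,
    secretAccessKey: doc.SecretAccessKey,
    sessionToken: doc.Token,
    expiration: new Date(doc.Expiration),
  };
}

// Unguarded read: throws a TypeError when nothing has been cached yet.
function sessionTokenUnguarded(cached) {
  return cached.sessionToken;
}

// Guarded read: reports the actual condition (missing or expired credentials).
function sessionTokenGuarded(cached, now) {
  if (cached === undefined || cached === null) {
    throw new Error('no AWS credentials cached: the credential fetch has not run or failed');
  }
  if (cached.expiration instanceof Date && cached.expiration <= now) {
    throw new Error('cached AWS credentials expired at ' + cached.expiration.toISOString());
  }
  return cached.sessionToken || '';
}
```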
