Dev - Nexus Repo
NEXUS-30942

Support IMDS v2 for AWS S3

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Not A Bug
    • Affects Version/s: 3.36.0
    • Fix Version/s: None
    • Component/s: S3
    • Labels:
    • Notability: 3

      Description

      On an EC2 instance, NXRM3 is having problems connecting to S3 buckets when IMDSv2 is exclusively enabled (no IMDSv1).

      2022-01-18 15:50:24,391+0000 WARN  [FelixStartLevel]  SYSTEM com.amazonaws.util.EC2MetadataUtils - Unable to retrieve the requested metadata (/latest/dynamic/instance-identity/document). Unauthorized (Service: null; Status Code: 401; Error Code: null; Request ID: null; Proxy: null)
      com.amazonaws.AmazonServiceException: Unauthorized (Service: null; Status Code: 401; Error Code: null; Request ID: null; Proxy: null)
       at com.amazonaws.internal.EC2ResourceFetcher.handleErrorResponse(EC2ResourceFetcher.java:149)
       at com.amazonaws.internal.EC2ResourceFetcher.doReadResource(EC2ResourceFetcher.java:94)
       at com.amazonaws.internal.EC2ResourceFetcher.doReadResource(EC2ResourceFetcher.java:70)
       at com.amazonaws.internal.InstanceMetadataServiceResourceFetcher.readResource(InstanceMetadataServiceResourceFetcher.java:75)
       at com.amazonaws.internal.EC2ResourceFetcher.readResource(EC2ResourceFetcher.java:66)
       at com.amazonaws.util.EC2MetadataUtils.getItems(EC2MetadataUtils.java:402)
       at com.amazonaws.util.EC2MetadataUtils.getData(EC2MetadataUtils.java:371)
       at com.amazonaws.util.EC2MetadataUtils.getData(EC2MetadataUtils.java:367)
       at com.amazonaws.util.EC2MetadataUtils.getEC2InstanceRegion(EC2MetadataUtils.java:282)
       at com.amazonaws.regions.InstanceMetadataRegionProvider.tryDetectRegion(InstanceMetadataRegionProvider.java:59)
       at com.amazonaws.regions.InstanceMetadataRegionProvider.getRegion(InstanceMetadataRegionProvider.java:50)
       at com.amazonaws.regions.AwsRegionProviderChain.getRegion(AwsRegionProviderChain.java:46)
       at com.amazonaws.client.builder.AwsClientBuilder.determineRegionFromRegionProvider(AwsClientBuilder.java:475)
       at com.amazonaws.client.builder.AwsClientBuilder.setRegion(AwsClientBuilder.java:458)
       at com.amazonaws.client.builder.AwsClientBuilder.configureMutableProperties(AwsClientBuilder.java:424)
       at com.amazonaws.client.builder.AwsSyncClientBuilder.build(AwsSyncClientBuilder.java:46)
       at org.sonatype.nexus.blobstore.s3.internal.AmazonS3Factory.create(AmazonS3Factory.java:145)
       at org.sonatype.nexus.blobstore.s3.internal.S3BlobStore.doInit(S3BlobStore.java:569)
       at org.sonatype.nexus.blobstore.BlobStoreSupport.init(BlobStoreSupport.java:243)
      

      Expected

      Since customers may decide to eliminate any exposure to the potential vulnerability of IMDSv1 by disabling it entirely, NXRM3 should be able to authenticate and create an S3 client using IMDSv2.

            People

            Assignee: Unassigned
            Reporter: Daniel Kane (dkane)
            CC: Jitendra Rai
            Last Updated By: Vijay Swaminathan