Bug #107491 for Net-Amazon-EC2: Authentication failure with IAM role

On Fri Oct 02 11:22:41 2015, sozturk@ascllc.net wrote: Show quoted text
Thanks for the report - would it be possible to submit a failing test case? I don't ever use IAM authentication so its especially difficult for me to design a test case. Thanks.

If you can explain what you mean by a test case, I might be able to do it. -- Selcuk On 10/2/15 2:46 PM, Mark Allen via RT wrote: Show quoted text

I have pasted a very simple test case at the end of this message. Of course, the point is, this test needs to be run on an instance that has been launched with an IAM role (as explained here: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html), so Net::Amazon::EC2 can obtain the credentials automatically. Also, I think the region needs to be the same region where the instance is running. I think these role based instance credentials are limited to the region they are in. But, I may be wrong on that. When I run the below test on my instance launched with an IAM role allowing all describe type access in us-east-1a, it fails with authentication failure. However, if I just change the 'signature_version = 2', it passes. -- Selcuk On 10/2/15 2:59 PM, Mark Allen via RT wrote: Show quoted text
------- cut use strict; use blib; use Test::More; BEGIN { plan tests => 3; use_ok( 'Net::Amazon::EC2' ); }; my $ec2 = eval { Net::Amazon::EC2->new( region => 'us-east-1', ssl => 1, #debug => 1, signature_version => 4, return_errors => 1, ); }; isa_ok($ec2, 'Net::Amazon::EC2'); my $regions = $ec2->describe_regions(); my $seen_region = 0; if (ref($regions) eq 'Net::Amazon::EC2::Errors') { foreach my $err (@{$regions->errors}) { print $err->message . "\n"; } fail("Describing regions"); } else { foreach my $region (@{$regions}) { if ($region->region_name eq 'us-east-1') { $seen_region = 1; } } ok($seen_region == 1, "Describing regions"); } ------ cut

This bug affects of multiple users of `ec2-consistent-snapshot` who would like to use IAM roles in newer regions where only Signature Version 4 is supported https://github.com/alestic/ec2-consistent-snapshot/issues/76 I'll take a look a the Perl for Net::Amazon::EC2 now to see if anything stands out.

On Fri Dec 30 14:55:39 2016, MARKSTOS wrote: Show quoted text
Thanks for looking at this issue. Sorry - I obviously had forgotten about it! Also, thank you for debugging things this far. I can't remember why but IIRC when I was working on V4 support either the modules that were currently available on CPAN were not compatible with Moose for some reason or were poorly written or both. I have long thought outsourcing the signature work to their own modules would be a nice change but never got around to encapsulating them and making it work. I would definitely welcome a PR implementing that change though, if you feel like working on it. If not, I will try to get it done in the next few weeks. Thanks again! Mark

On Fri Dec 30 14:55:39 2016, MARKSTOS wrote: I have a PR up that I need help testing with https://github.com/mrallen1/net-amazon-ec2/pull/60 Since I don't use IAM roles, it's a bit difficult for me to directly test this code. Any testing help on that front would be great. Thanks.