Setting http_put_response_hop_limit for S3 connection using instanceProfile authentication

Summary

When using instanceProfile authentication for the S3 connection in Airbyte, AWS IMDS is used to retrieve credentials. If IMDSv2 is required on the EC2 instance running Airbyte and Airbyte was launched with abctl, the http_put_response_hop_limit metadata option needs to be set to 3. The default value is 2 for container environments, but in scenarios like running Kubernetes in Docker through kind, 3 hops may be required. Failing to set it to 3 can result in containers being unable to access the IMDS token endpoint.


Question

Using instanceProfile authentication for the S3 connection actually uses AWS IMDS to get the credentials. If you require AWS IMDSv2 on the EC2 instance that Airbyte is running on, and you’ve used abctl to launch Airbyte, you need to set the http_put_response_hop_limit metadata option for the EC2 instance to 3. The AWS documentation (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html#imds-considerations) suggests a value of 2 for container environments, and I think this is the default if you don’t configure it yourself. I think running Kubernetes in Docker through kind adds another network that the packets must traverse and so 3 hops seem to be required. Having it set to 1 or 2 will fail because the containers can’t access the IMDS token endpoint at all. The command to change this setting for an existing instance is here: "Modify instance metadata options for existing instances - Amazon Elastic Compute Cloud".
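
The check-and-set described in the post, written out with the AWS CLI as an added example (not part of the original thread): ensure_hop_limit raises the hop limit to 3 only when it is lower, and imds_token_reachable is a probe to run from inside a container. The function names and the INSTANCE_ID variable are assumptions of this example.

```shell
#!/bin/sh
# Added example: check and raise the IMDS hop limit with the AWS CLI.
REQUIRED_HOPS=3   # value the post found necessary for abctl (kind in Docker)

# Print "<HttpTokens><TAB><HttpPutResponseHopLimit>" for one instance.
metadata_options() {
  aws ec2 describe-instances --instance-ids "$1" --output text --query \
    'Reservations[0].Instances[0].MetadataOptions.[HttpTokens,HttpPutResponseHopLimit]'
}

# Raise the hop limit to REQUIRED_HOPS when it is lower. Never lowers it and
# does not change HttpTokens. Prints what was done.
ensure_hop_limit() {
  ehl_id=$1
  ehl_opts=$(metadata_options "$ehl_id") || return 1
  set -- $ehl_opts              # split "required<TAB>2" into $1 and $2
  ehl_tokens=$1
  ehl_hops=$2
  if [ "$ehl_hops" -ge "$REQUIRED_HOPS" ]; then
    echo "unchanged: HttpTokens=$ehl_tokens hop_limit=$ehl_hops"
    return 0
  fi
  aws ec2 modify-instance-metadata-options --instance-id "$ehl_id" \
    --http-put-response-hop-limit "$REQUIRED_HOPS" >/dev/null || return 1
  echo "raised: HttpTokens=$ehl_tokens hop_limit=$ehl_hops->$REQUIRED_HOPS"
}

# Run from inside an Airbyte container: succeeds only if the IMDSv2 token
# response reaches the caller, which is what fails when the limit is too low.
imds_token_reachable() {
  curl -sf -m 2 -o /dev/null -X PUT \
    -H 'X-aws-ec2-metadata-token-ttl-seconds: 60' \
    http://169.254.169.254/latest/api/token
}

# INSTANCE_ID is supplied by the caller (assumption of this example), e.g.
#   INSTANCE_ID=<your-instance-id> sh set-hop-limit.sh
if [ -n "${INSTANCE_ID:-}" ]; then
  ensure_hop_limit "$INSTANCE_ID"
fi
```

Run ensure_hop_limit from a machine whose credentials allow ec2:DescribeInstances and ec2:ModifyInstanceMetadataOptions, then run imds_token_reachable inside a container to confirm the token endpoint answers.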



This topic has been created from a Slack thread to give it more visibility.

["s3-connection", "instanceprofile-authentication", "aws-imds", "ec2-instance", "abctl", "http_put_response_hop_limit", "aws-documentation", "kubernetes", "docker", "imds-token-endpoint"]