starred/s3fs-fuse
1
0
Fork 0
mirror of https://github.com/s3fs-fuse/s3fs-fuse.git synced 2026-04-25 13:26:00 +03:00
Code Issues 305 Projects Releases 5 Packages Wiki Activity

[GH-ISSUE #421] s3fs with iam_role uses Profile name where it should use Role name #226

New issue
Closed
opened 2026-03-04 01:43:25 +03:00 by kerem · 1 comment
kerem commented 2026-03-04 01:43:25 +03:00
Owner
Copy link

Originally created by @nturner on GitHub (May 24, 2016).
Original GitHub issue: https://github.com/s3fs-fuse/s3fs-fuse/issues/421

When using an instance with an IAM Role, transient credentials can be found in http://169.254.169.254/latest/meta-data/ at iam/security-credentials/role-name and s3fs tries to do this. However, it is using the profile-name where role-name is needed. In many cases the role and profile name are the same, but they are not always.

The simplest way to find the role name appears to be to GET http://169.254.169.254/latest/meta-data/iam/security-credentials/ itself, which returns a listing of the role names for which temporary credentials exist. (I think there will probably only be one, but we probably want to split on newlines and take the first one here in case that assumption is not valid). This is the approach the AWS SDK appears to use (based on WireShark analysis).

Originally created by @nturner on GitHub (May 24, 2016). Original GitHub issue: https://github.com/s3fs-fuse/s3fs-fuse/issues/421 When using an instance with an IAM Role, transient credentials can be found in http://169.254.169.254/latest/meta-data/ at iam/security-credentials/_role-name_ and s3fs tries to do this. However, it is using the _profile-name_ where _role-name_ is needed. In many cases the role and profile name are the same, but they are not always. The simplest way to find the role name appears to be to GET http://169.254.169.254/latest/meta-data/iam/security-credentials/ itself, which returns a listing of the role names for which temporary credentials exist. (I think there will probably only be one, but we probably want to split on newlines and take the first one here in case that assumption is not valid). This is the approach the AWS SDK appears to use (based on WireShark analysis).
kerem closed this issue 2026-03-04 01:43:25 +03:00
kerem commented 2026-03-04 01:43:26 +03:00
Author
Owner
Copy link

@ggtakec commented on GitHub (May 29, 2016):

@nturner Thanks for your help.
The process getting iam role name has become very simple.:-)
I merged #420 and #422 to master branch.

<!-- gh-comment-id:222335994 --> @ggtakec commented on GitHub (May 29, 2016): @nturner Thanks for your help. The process getting iam role name has become very simple.:-) I merged #420 and #422 to master branch.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
v1.97
v1.96
v1.95
v1.94
v1.93
v1.92
v1.91
v1.90
v1.89
v1.88
v1.87
v1.86
v1.85
v1.84
v1.83
v1.82
v1.81
v1.80
v1.79
v1.78
Pre-v1.78
v1.77
v1.76
v1.75
v1.74
Labels
Clear labels   
bug

   
bug

   
dataloss

   
duplicate

   
enhancement

   
feature request

   
help wanted

   
invalid

   
need info

   
performance

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question

   
testing
No labels
bug
bug
dataloss
duplicate
enhancement
feature request
help wanted
invalid
need info
performance
pull-request
question
question
testing
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/s3fs-fuse#226
No description provided.