[GH-ISSUE #1762] Error loading IAM role name when using IMDSv2 and auto role #904

New issue

Closed

opened 2026-03-04 01:49:48 +03:00 by kerem · 2 comments

kerem commented

2026-03-04 01:49:48 +03:00

Owner

Originally created by @kamilJ96 on GitHub (Sep 7, 2021).
Original GitHub issue: https://github.com/s3fs-fuse/s3fs-fuse/issues/1762

Additional Information

When the s3fs option is set to either -o iam_role or -o iam_role=auto, s3fs first queries the instance metadata to figure out the IAM role. However, if IMDSv2 is required on the instance, then this query fails with a 401 Unauthorized response. and s3fs terminates This is because an access token hasn't been generated and sent along with the metadata request.

Version of s3fs being used (s3fs --version)

1.90

Version of fuse being used (pkg-config --modversion fuse, rpm -qi fuse, dpkg -s fuse)

2.9.2

s3fs syslog messages (grep s3fs /var/log/syslog, journalctl | grep s3fs, or s3fs outputs)

s3fs.cpp:s3fs_init(3395): could not load IAM role name from meta data.

Details about issue

S3fsCurl::LoadIAMRoleFromMetaData called from s3fs_init -> Does not make use of the S3fsCurl::GetIAMv2ApiToken function to first retrieve a valid access token, and add it to the list of headers.

Originally created by @kamilJ96 on GitHub (Sep 7, 2021). Original GitHub issue: https://github.com/s3fs-fuse/s3fs-fuse/issues/1762 ### Additional Information When the s3fs option is set to either `-o iam_role` or `-o iam_role=auto`, s3fs first queries the instance metadata to figure out the IAM role. However, if IMDSv2 is required on the instance, then this query fails with a `401 Unauthorized` response. and s3fs terminates This is because an access token hasn't been generated and sent along with the metadata request. #### Version of s3fs being used (s3fs --version) `1.90` #### Version of fuse being used (pkg-config --modversion fuse, rpm -qi fuse, dpkg -s fuse) `2.9.2` #### s3fs syslog messages (grep s3fs /var/log/syslog, journalctl | grep s3fs, or s3fs outputs) `s3fs.cpp:s3fs_init(3395): could not load IAM role name from meta data.` ### Details about issue `S3fsCurl::LoadIAMRoleFromMetaData` called from `s3fs_init` -> Does not make use of the `S3fsCurl::GetIAMv2ApiToken` function to first retrieve a valid access token, and add it to the list of headers.

kerem closed this issue

2026-03-04 01:49:48 +03:00

kerem commented

2026-03-04 01:49:49 +03:00

Author

Owner

@gaul commented on GitHub (Sep 7, 2021):

@kamilJ96 Could you test with the latest master which includes #1760? @nmeyerhans

@gaul commented on GitHub (Sep 7, 2021): @kamilJ96 Could you test with the latest master which includes #1760? @nmeyerhans

kerem commented

2026-03-04 01:49:49 +03:00

Author

Owner

@kamilJ96 commented on GitHub (Sep 8, 2021):

@gaul can confirm that it now makes a request to get the access token before querying the IAM role, great work! Thanks @nmeyerhans

There is a separate issue to do with the Expect-100 header, but I'll open another ticket for that, cheers

@kamilJ96 commented on GitHub (Sep 8, 2021): @gaul can confirm that it now makes a request to get the access token before querying the IAM role, great work! Thanks @nmeyerhans There is a separate issue to do with the Expect-100 header, but I'll open another ticket for that, cheers

kerem referenced this issue

2026-03-04 02:01:41 +03:00

[PR #904] [MERGED] Remove unnecessary calls to std::string::c_str #1686