# hoplite
a
👋 @sam I have a ktor service that runs (for now) in ElasticBeanstalk. It's been on hoplite 2.7.5 and I updated to 2.9.0 today. All fine. Then I tried to move from hoplite-aws to hoplite-aws-kotlin and ran into issues with the credential provider..only in EB.
aws.smithy.kotlin.runtime.identity.IdentityProviderException: No identity could be resolved from the chain: CredentialsProviderChain -> SystemPropertyCredentialsProvider -> EnvironmentCredentialsProvider -> ProfileCredentialsProvider -> StsWebIdentityProvider -> EcsCredentialsProvider -> ImdsCredentialsProvider
I switched over to hoplite-aws2 and all is fine. But I can't figure out what's going on with the kotlin version. Nothing else changed..not my config code or anything about the EB environment. Have you run into this before? We're not planning to stay on EB and I suspect that there's something about accessing roles there that either the hoplite library, or the underlying aws library doesn't like.
c
Of those credentials providers which one should resolve (i.e. where are the credentials), or is it one that isn’t listed? AWS has been working on standardizing (across their various SDKs) how the credential providers work - likely it's that difference between the newer Kotlin AWS SDK and older Java SDKs.
btw, have done extensive work with the AWS Kotlin SDK, incl. tweaking credentials providers, etc - though not on EB, so don’t know specifically on that one. The default credentials provider chain (what is listed in that exception) covers all the standard places.
a
We're using the IAM role that is attached to both the EB env and also the EC2 instances. It has all of the permissions necessary..it does work with the other libraries. So according to the AWS SDK docs, I totally expect it to work. And it does with the aws2 library.
It's quite odd. I'm not planning on investing a lot of time, as we're moving to ECS soon. But wanted to ask if anyone else had encountered this.
c
Not that familiar with EB - would you know how it exposes the credentials?
This may be helpful: https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/environments-cfg-ec2-imds.html
Newer SDKs may not support the older IMDSv1; it’s preferable to use IMDSv2.
a
I'll check this out on Monday and see if it connects any dots. I don't suggest becoming familiar with EB if you can help it 😂 thanks @Chris Lee
c
Good luck! Here are the AWS Kotlin SDK cred provider docs: https://docs.aws.amazon.com/sdk-for-kotlin/latest/developer-guide/credential-providers.html
It specifies that only IMDSv2 is supported.
a
ok..I'm finally looking into this and our EB environment is set to use IMDSv1, so perhaps that's what's going on. These environments have proven to be a bit fragile, which is why we're moving over to ECS soon. I'm not going to try to move to v2 right now bc of the fragility. But I'll assume this is what's going on. We'll try to switch over to the kotlin sdk once we're on ecs. Thanks for your help!
c
@Amy Lashley that’s likely the case as newer AWS SDKs (e.g. Kotlin) have never supported IMDSv1. You’ll be good on ECS - using the AWS Kotlin SDK there in various configurations w/o issue (and previously the Java SDK v2). Good luck on ECS cutover!
s
Glad you figured it out. I tend to avoid the kotlin SDKs as they just seem less mature? Maybe that's just me being paranoid, but there's not enough of a gain in using a kotlin specific library in this case for me to want to use it.