AWS App Mesh Envoy sidecar [error] Could not retrieve credentials listing from the instance metadata

Problem description

I am using AWS App Mesh with ECS Fargate. Unfortunately, in the Envoy sidecar's logs I see errors like the following:

[error][aws] [source/extensions/common/aws/credentials_provider_impl.cc:94] Could not retrieve credentials listing from the instance metadata
[1][warning][config] [bazel-out/k8-opt/bin/source/common/config/_virtual_includes/grpc_stream_lib/common/config/grpc_stream.h:93] StreamAggregatedResources gRPC config stream closed: 16, Missing Authentication Token

Permissions: AWSAppMeshFullAccess

I have already looked at the AWS App Mesh User Guide.

{
  "name": "envoy",
  "image": "840364872350.dkr.ecr.us-west-2.amazonaws.com/aws-appmeshenvoy:v1.15.1.0-prod",
  "essential": true,
  "environment": [
    {
      "name": "APPMESH_VIRTUAL_NODE_NAME",
      "value": "mesh/apps/virtualNode/serviceB"
    },
    {
      "name": "ENABLE_ENVOY_XRAY_TRACING",
      "value": "1"
    }
  ],
  "healthCheck": {
    "command": [
      "CMD-SHELL",
      "curl -s http://localhost:9901/server_info | grep state | grep -q LIVE"
    ],
    "interval": 5,
    "retries": 3,
    "startPeriod": 10,
    "timeout": 2
  },
  "memory": "500",
  "user": "1337",
  "portMappings": [
    {
      "containerPort": 9901,
      "protocol": "tcp"
    },
    {
      "containerPort": 15000,
      "protocol": "tcp"
    },
    {
      "containerPort": 15001,
      "protocol": "tcp"
    }
  ],
  "ulimits": [
    {
      "softLimit": 15000,
      "hardLimit": 15000,
      "name": "nofile"
    }
  ],
  "requiresCompatibilities": [ "FARGATE" ],
  "taskRoleArn": "arn:aws:iam::XXXXXXXXXXXX:role/ecsTaskRole",
  "executionRoleArn": "arn:aws:iam::XXXXXXXXXXXX:role/ecsTaskExecutionRole",
  "networkMode": "awsvpc"
}

Tags: amazon-web-services, envoyproxy, aws-app-mesh

Solution

Have you configured the proxy configuration for your ECS task to ignore the metadata IPs?

It looks something like this:

    proxy_configuration=ecs.AppMeshProxyConfiguration(
        container_name='envoy',
        properties=ecs.AppMeshProxyConfigurationProps(
            app_ports=[80],
            proxy_egress_port=15001,
            proxy_ingress_port=15000,
            ignored_uid=1337,
            # Egress to these IPs bypasses the proxy: the ECS task
            # credential endpoint and the instance metadata service.
            egress_ignored_i_ps=[
                '169.254.170.2', '169.254.169.254'
            ]
        )
    )
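
The following check is an added example, not part of the original answer or of any AWS code: it inspects a task definition in the JSON shape that `aws ecs describe-task-definition` returns under `taskDefinition` and reports whether the App Mesh proxy configuration exempts both metadata IPs named in the answer. The function names and the sample task definition are constructed for illustration; the property names (`EgressIgnoredIPs`, `IgnoredUID`, and so on) are the ones ECS uses for `proxyConfiguration`.

```python
# Link-local endpoints named in the answer: the ECS task credential endpoint
# and the instance metadata service.
REQUIRED_IGNORED_IPS = {"169.254.170.2", "169.254.169.254"}


def check_appmesh_proxy(task_def):
    """Return a list of findings; an empty list means every check passed."""
    proxy = task_def.get("proxyConfiguration")
    if not proxy:
        return ["no proxyConfiguration on the task definition"]
    findings = []
    props = {p["name"]: p["value"] for p in proxy.get("properties", [])}
    ignored = {ip.strip() for ip in props.get("EgressIgnoredIPs", "").split(",")}
    for ip in sorted(REQUIRED_IGNORED_IPS - ignored):
        findings.append(f"EgressIgnoredIPs is missing {ip}")
    containers = {c["name"]: c for c in task_def.get("containerDefinitions", [])}
    envoy = containers.get(proxy.get("containerName"))
    if envoy is None:
        findings.append("proxyConfiguration.containerName matches no container")
    elif "IgnoredUID" in props and str(envoy.get("user")) != props["IgnoredUID"]:
        findings.append("IgnoredUID differs from the Envoy container's user")
    if not task_def.get("taskRoleArn"):
        findings.append("taskRoleArn is not set")
    return findings


def sample_task_def(egress_ignored_ips):
    """Constructed sample input, reusing the names and ports from the page."""
    return {
        "taskRoleArn": "arn:aws:iam::XXXXXXXXXXXX:role/ecsTaskRole",
        "containerDefinitions": [{"name": "envoy", "user": "1337"}],
        "proxyConfiguration": {
            "type": "APPMESH",
            "containerName": "envoy",
            "properties": [
                {"name": "IgnoredUID", "value": "1337"},
                {"name": "ProxyIngressPort", "value": "15000"},
                {"name": "ProxyEgressPort", "value": "15001"},
                {"name": "AppPorts", "value": "80"},
                {"name": "EgressIgnoredIPs", "value": egress_ignored_ips},
            ],
        },
    }


if __name__ == "__main__":
    for ips in ("", "169.254.170.2,169.254.169.254"):
        print(repr(ips), "->", check_appmesh_proxy(sample_task_def(ips)) or "OK")
```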
