Biplob Hossain

Resolving Inaccessibility to the Metadata Endpoint in PHP Apps on AWS ECS

April 25, 2024 | by biplob.ice


The Issue of Inaccessibility to the Metadata Endpoint when Using AWS SDK from PHP Apps on ECS

When running PHP applications on ECS with the AWS SDK, the SDK can fail to reach the metadata endpoint it needs for credentials. This memo gives a rundown of the problem and its resolution.

Key Points Summarized

  • The metadata endpoint the AWS SDKs use for credentials comes in two forms: an EC2-specific endpoint and an ECS-specific endpoint.
  • If the environment variable AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is not visible to the AWS SDK, it falls back to the EC2 metadata endpoint.
  • By default, PHP-FPM does not pass the server's environment variables to its workers, so the PHP application cannot see AWS_CONTAINER_CREDENTIALS_RELATIVE_URI.

Background

To improve AWS security, the aim was to move away from access tokens (aws_access_key_id and aws_secret_access_key) and manage permissions with task roles (the ECS equivalent of EC2 instance profiles) instead. Making this switch, however, caused the PHP applications to fail to reach the metadata endpoint.

Error Encountered

When this issue occurred, the AWS SDK threw the following error message:

“Error retrieving credentials from the instance profile metadata service. (Curl error 7: [Curl error message] for https://example.com/latest/meta-data/iam/security-credentials/)”

Investigation Notes

  • IAM roles in Fargate: the Task Execution Role (used by the service that launches the containers) and the Task Role (assumed by the containers themselves).
  • How the AWS SDK uses the Task Role: the SDK needs access tokens (aws_access_key_id and aws_secret_access_key) to call AWS APIs. If none are configured directly in environment variables, it queries the metadata service internally to obtain temporary credentials.
  • How credential resolution is implemented: the AWS SDK checks whether the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI or AWS_CONTAINER_CREDENTIALS_FULL_URI environment variable is set. If either is, it queries the ECS-specific metadata endpoint; otherwise it falls back to the EC2 endpoint.

Resolution

Two solutions were identified to resolve the issue:

  1. Modify the PHP-FPM configuration: changing the clear_env setting in the PHP-FPM pool configuration (www.conf) from its default of yes to no makes the workers inherit the server's environment variables, so the AWS SDK (PHP application) can read AWS_CONTAINER_CREDENTIALS_RELATIVE_URI.
     www.conf (the shipped file carries the line commented out as ;clear_env = no; uncomment it):
       clear_env = no
  2. Explicitly export the env parameter: alternatively, leave clear_env set to yes and export only the specific environment variables you need by adding them to the pool configuration.
     www.conf:
       env[AWS_CONTAINER_CREDENTIALS_RELATIVE_URI] = $AWS_CONTAINER_CREDENTIALS_RELATIVE_URI

With either adjustment the PHP application can reach the required ECS-specific metadata endpoint, which resolves the connectivity issue. Note that clear_env = no hands the entire server environment to every PHP script, whereas the env[...] export exposes only the variables you name, so the second option is the narrower one.
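As an added illustration (not code from the post), the following Python script models the two mechanisms the post describes: which variables a PHP-FPM worker inherits under a given www.conf, and which metadata endpoint the AWS SDK then selects. The www.conf parsing and the provider-selection logic are simplified assumptions of mine, and the sample configurations and credential path are constructed.

```python
import re

ECS_VARS = ("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI",
            "AWS_CONTAINER_CREDENTIALS_FULL_URI")

def parse_pool_config(conf_text):
    """Return (clear_env, exports) from a PHP-FPM pool config (www.conf).
    clear_env defaults to yes; env[NAME] = value lines are explicit exports."""
    clear_env, exports = True, {}
    for raw in conf_text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop ';' comments
        key, sep, value = line.partition("=")
        if not sep or line.startswith("["):          # skip section headers / non-assignments
            continue
        key, value = key.strip(), value.strip()
        if key == "clear_env":
            clear_env = value.lower() in ("yes", "on", "true", "1")
        elif (m := re.fullmatch(r"env\[([^\]]+)\]", key)):
            exports[m.group(1)] = value
    return clear_env, exports

def worker_env(conf_text, server_env):
    """Environment a PHP-FPM worker ends up with, given the master's env."""
    clear_env, exports = parse_pool_config(conf_text)
    env = {} if clear_env else dict(server_env)      # clear_env=yes starts from nothing
    for name, value in exports.items():
        if value.startswith("$"):                    # env[X] = $X copies from server env
            if value[1:] in server_env:
                env[name] = server_env[value[1:]]
        else:
            env[name] = value.strip('"')
    return env

def credential_source(env):
    """Provider order described in the post: ECS container endpoint if either
    AWS_CONTAINER_CREDENTIALS_* variable is set, otherwise the EC2 IMDS fallback."""
    return "ecs" if any(env.get(v) for v in ECS_VARS) else "ec2-imds"

# Constructed sample of what ECS injects into the container (placeholder task path).
SERVER_ENV = {"AWS_CONTAINER_CREDENTIALS_RELATIVE_URI": "/v2/credentials/PLACEHOLDER-TASK-ID",
              "HOME": "/root"}
DEFAULT_CONF = "[www]\nlisten = 127.0.0.1:9000\n;clear_env = no\n"    # shipped default
FIX1_CONF = "[www]\nclear_env = no\n"                                 # inherit everything
FIX2_CONF = ("[www]\nclear_env = yes\nenv[AWS_CONTAINER_CREDENTIALS_RELATIVE_URI] = "
             "$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\n")              # export one variable

if __name__ == "__main__":
    for label, conf in (("default", DEFAULT_CONF), ("fix1", FIX1_CONF), ("fix2", FIX2_CONF)):
        env = worker_env(conf, SERVER_ENV)
        print(f"{label:8} -> {credential_source(env)} (worker sees {sorted(env)})")
```

The default pool falls back to EC2 IMDS (the post's Curl error 7), both fixes select the ECS endpoint, and only fix 1 also leaks unrelated variables such as HOME into the workers.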
