Make AWS S3 expiryWindow configurable to avoid S3 400 Bad Request #4175

Open
shuaichang opened this issue Dec 1, 2023 · 7 comments

@shuaichang commented Dec 1, 2023

We got a 400 Bad Request returned by S3 complaining that the token had expired when accessing S3 with the presigned URL. The S3 token expired because ec2RoleProvider's default expiryWindow is 5 minutes.

So the secret token used to presign the URL will not be refreshed until 5 minutes prior to expiration. In the worst case the client pulling layers has only 5 minutes to complete; this could be a problem for larger layers or slower networks.


https://github.com/aws/aws-sdk-go/blob/1371ed99dade3fe52505d9bdcc945f7adecf9810/aws/defaults/defaults.go#L250

Is it possible to consider taking an option for the AWS driver to configure the expiryWindow?

If the idea sounds reasonable, we are happy to make a PR for this

@milosgajdos (Member) commented

Can you please confirm what version of the registry you are running?

@shuaichang (Author) commented

Thanks for the quick reply, the version is https://github.com/distribution/distribution/tree/v2.7.1

@milosgajdos (Member) commented

> Thanks for the quick reply, the version is https://github.com/distribution/distribution/tree/v2.7.1

Ooof, that's what I suspected. That's an ancient registry release. There have been a few new ones over the past year or two, but I would not expect those to fix many issues.

I'd encourage you to take https://hub.docker.com/r/distribution/distribution for a spin. Specifically, the edge tag which gets updated regularly.

We're actively working on a new release that should be due this year.

@shuaichang (Author) commented

Thanks for the pointer! Looking at the distribution master code, though, it seems the problem still exists unless we have a way to pass in ExpiryWindow for the AWS S3 storage driver. Is my understanding correct, or are there some fixes that could resolve this token expiration issue?

@milosgajdos (Member) commented

> Thanks for the pointer! Looking at the distribution master code, though, it seems the problem still exists unless we have a way to pass in ExpiryWindow for the AWS S3 storage driver. Is my understanding correct, or are there some fixes that could resolve this token expiration issue?

Quite likely. I've never experienced it and would have to double check, but I thought it was worth pointing out that the version you are running is old and likely has a big pile of security issues (among a bunch of bugs that have been fixed in higher versions).

Do you have an example of how I could repro this? Is it just the case of a large layer being pulled?

@vl-kp commented Feb 29, 2024

I think it is the same for 3.0.0-alpha.1.

@milosgajdos (Member) commented

It seems we are hardcoding the expiry on the presigned URL to 20 minutes:

expiresIn := 20 * time.Minute

We can make this configurable, indeed. It'd be useful on slow networks when pulling large layers, as you suggested. Would you be willing to open a PR, @shuaichang?
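The interaction the two comments above describe (a 20 minute presigned URL minted with role credentials that the SDK only refreshes 5 minutes before expiry) is easy to get wrong because S3 stops honouring a SigV4 presigned URL the moment the session token that signed it expires, whatever X-Amz-Expires says. The following is an added example, not code from the distribution project or from anyone in this thread: it models that interaction and shows the check a driver would want before signing, namely clamping the URL lifetime to the token's remaining life and forcing a credential refresh when that life is too short for a client to finish a pull. The `credentials` type, `planPresign`, `effectiveLifetime`, `sdkWouldRefresh` and the `minUsable` parameter are all hypothetical names introduced here; the two constants are the values quoted in the issue.

```go
package main

import (
	"fmt"
	"time"
)

// Values quoted in the issue: the registry signs URLs for 20 minutes, and
// aws-sdk-go's EC2 role provider only refreshes credentials once they are
// within 5 minutes of expiry.
const (
	registryPresignExpiry  = 20 * time.Minute
	sdkDefaultExpiryWindow = 5 * time.Minute
)

// credentials is a constructed stand-in for a credential provider's output:
// a session token plus the instant S3 stops accepting it. A zero ExpiresAt
// models static access keys that never expire.
type credentials struct {
	SessionToken string
	ExpiresAt    time.Time
}

// presignPlan is the decision made before minting a URL.
type presignPlan struct {
	TTL          time.Duration // X-Amz-Expires to put on the URL (0 if RefreshFirst)
	RefreshFirst bool          // caller must fetch new credentials before signing
}

// sdkWouldRefresh mirrors the provider's expiry-window rule: credentials are
// replaced only once they are inside the window, so with the default window
// a token with 7 minutes left is handed out as-is.
func sdkWouldRefresh(now time.Time, creds credentials, window time.Duration) bool {
	if creds.ExpiresAt.IsZero() {
		return false
	}
	return creds.ExpiresAt.Sub(now) <= window
}

// effectiveLifetime is how long S3 will actually honour a URL signed at now:
// the smaller of the requested X-Amz-Expires and the token's remaining life,
// and zero if the token has already expired.
func effectiveLifetime(now time.Time, creds credentials, requested time.Duration) time.Duration {
	if creds.ExpiresAt.IsZero() {
		return requested
	}
	remaining := creds.ExpiresAt.Sub(now)
	if remaining <= 0 {
		return 0
	}
	if remaining < requested {
		return remaining
	}
	return requested
}

// planPresign decides whether to sign now. minUsable is the shortest URL
// lifetime the caller will tolerate (the time a slow client needs to pull a
// large layer). If the token cannot cover that, refresh before signing rather
// than hand out a URL that dies mid-transfer with a 400 from S3.
func planPresign(now time.Time, creds credentials, requested, minUsable time.Duration) presignPlan {
	usable := effectiveLifetime(now, creds, requested)
	if !creds.ExpiresAt.IsZero() && usable < minUsable {
		return presignPlan{RefreshFirst: true}
	}
	return presignPlan{TTL: usable}
}

func main() {
	// Constructed scenario: a role token with 7 minutes of life left.
	now := time.Date(2024, 3, 1, 12, 0, 0, 0, time.UTC)
	creds := credentials{SessionToken: "FwoGZXIvYXdzEXAMPLE", ExpiresAt: now.Add(7 * time.Minute)}

	fmt.Printf("SDK would refresh before signing: %v\n", sdkWouldRefresh(now, creds, sdkDefaultExpiryWindow))
	fmt.Printf("URL claims %v but S3 honours it for %v\n",
		registryPresignExpiry, effectiveLifetime(now, creds, registryPresignExpiry))

	plan := planPresign(now, creds, registryPresignExpiry, 10*time.Minute)
	fmt.Printf("needs 10m: refreshFirst=%v ttl=%v\n", plan.RefreshFirst, plan.TTL)
	plan = planPresign(now, creds, registryPresignExpiry, 5*time.Minute)
	fmt.Printf("needs 5m:  refreshFirst=%v ttl=%v\n", plan.RefreshFirst, plan.TTL)
}
```

Making the registry's 20 minute value configurable helps clients that are merely slow, but on its own it cannot extend a URL past the token behind it; the clamp above is what keeps the advertised lifetime honest, and the refresh-first branch is what a driver needs in addition to a larger expiry window.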
