Why doesn't ec2-instance-connect work on AWS-Parallel-Cluster

Question

I know Parallel Cluster3 doesn't officially support ec2-instance-connect and SSM but I'm trying to figure out why.
It seems to be failing in `/usr/share/ec2-instance-connect/eic_curl_authorized_keys`
more accurately, it fails when it tries to fetch instance metadata.
In that script calling `/usr/bin/curl 169.254.169.254/latest/meta-data/` returns nothing
When logged in the instance using pcluster ssh, it returns the expected data.

How does this happen?

Thanks.

Answer

Finally figured it out. There are iptables rules on parallel-cluster
```
$ sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N PARALLELCLUSTER_IMDS
-A OUTPUT -d 169.254.169.254/32 -j PARALLELCLUSTER_IMDS
-A OUTPUT -d 169.254.169.254/32 -m owner --uid-owner 129 -j ACCEPT
-A PARALLELCLUSTER_IMDS -d 169.254.169.254/32 -m owner --uid-owner 0 -j ACCEPT
-A PARALLELCLUSTER_IMDS -d 169.254.169.254/32 -m owner --uid-owner 400 -j ACCEPT
-A PARALLELCLUSTER_IMDS -d 169.254.169.254/32 -m owner --uid-owner 1000 -j ACCEPT
-A PARALLELCLUSTER_IMDS -d 169.254.169.254/32 -j REJECT --reject-with icmp-port-unreachable
```

This blocks the ec2-instance-connect user from accessing the meta-data

Why doesn't ec2-instance-connect work on AWS-Parallel-Cluster

相关内容