We have a simple signing service that will do a one-time sign on an S3 item and return a 302 directing the client to the signed URL. It works pretty well for general items, but we don't use it in ignition configs.
We have various acute issues with S3, including DNS problems or temporary service failures. Is the retry behavior of ignition fetches documented anywhere? I would be very concerned if a simple 5XX response from an S3 endpoint could prevent an instance from booting without warning.

On Tue, May 30, 2017 at 9:40 AM Alex Crawford <[email protected]> wrote:
> On 05/29, Cemo Koc wrote:
> > I am trying to bypass the limit of AWS userdata, and S3 is the only viable
> > solution right now. There are some issues with supporting IAM and S3 buckets
> > natively, so I need to find a way as I did in cloud-init.
>
> As you noticed [1], we are working on getting S3 URLs working natively
> in Ignition. In the meantime, we recommend using a pre-signed S3 URL.
> This will allow you to access the object but prevent others (I believe
> S3 imposes a maximum of seven days for the pre-signed URL).
>
> -Alex
>
> [1]: https://github.com/coreos/bugs/issues/1631#issuecomment-304665186
