Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG REPORT]: Always Use ENDPOINT_URL_SQS in boto3.resource() Constructor if Provided #141

Closed
brettpalmberg opened this issue Oct 27, 2021 · 0 comments
Closed

[BUG REPORT]: Always Use ENDPOINT_URL_SQS in boto3.resource() Constructor if Provided #141

brettpalmberg opened this issue Oct 27, 2021 · 0 comments
Assignees
@brettpalmberg
Labels
bug Something isn't working

Comments

@brettpalmberg
Copy link
Contributor

brettpalmberg commented Oct 27, 2021
edited
Loading

Describe the bug

If endpoint_url is not passed in the boto3.resource() constructor for an SQS connection, boto3 uses the legacy service endpoint queue.amazonaws.com by default, rather than the new region-specific (e.g. sqs.us-east-1.amazonaws.com) url. If deployed to AWS, this behavior works ok if the container is deployed in a public subnet but is problematic if the container is deployed into a private subnet with SQS access provided via VPC endpoint.

Details: Boto3 is still using the legacy AWS Service Endpoints (i.e. queue.amazonaws.com ) rather than sqs.us-east-1.amazonaws.com in order to support Python 2. (Endpoints reference: https://docs.aws.amazon.com/general/latest/gr/sqs-service.html). See github issue here: boto/boto3#1900.

Suggested Fix: Always use ENDPOINT_URL_SQS in the boto3.resource() constructor if provided via environment variables.

Near here, if we replace

if CONFIG.AWS_ACCESS_KEY_ID is None:
    # Running in AWS
    # Using IAM Role for Credentials
    CLIENT = boto3.resource('sqs')
else:
    # Local Testing
    # ElasticMQ with Credentials via AWS_ environment variables
    CLIENT = boto3.resource(
        'sqs',
        endpoint_url=CONFIG.ENDPOINT_URL_SQS,
        region_name=CONFIG.AWS_REGION_SQS,
        aws_secret_access_key=CONFIG.AWS_SECRET_ACCESS_KEY_SQS,
        aws_access_key_id=CONFIG.AWS_ACCESS_KEY_ID_SQS,
        use_ssl=CONFIG.USE_SSL
    )

with

if CONFIG.AWS_ACCESS_KEY_ID == "x":
    # Running in AWS
    # Using IAM Role for Credentials
    if CONFIG.ENDPOINT_URL_SQS:
        CLIENT = boto3.resource(
            "sqs",
            endpoint_url=CONFIG.ENDPOINT_URL_SQS,
        )
    else:
        CLIENT = boto3.resource("sqs")
else:
    # Local Testing
    # ElasticMQ with Credentials via AWS_ environment variables
    CLIENT = boto3.resource(
        "sqs",
        endpoint_url=CONFIG.ENDPOINT_URL_SQS,
        region_name=CONFIG.AWS_REGION_SQS,
        aws_secret_access_key=CONFIG.AWS_SECRET_ACCESS_KEY_SQS,
        aws_access_key_id=CONFIG.AWS_ACCESS_KEY_ID_SQS,
        use_ssl=CONFIG.USE_SSL,
    )

and provide the appropriate Env Variable ENDPOINT_URL_SQS, everything should work.

(The same change was recently required on water-api here )

I'll go ahead and make the change via PR. cc @adamscarberry @jeffsuperglide
@brettpalmberg brettpalmberg added the bug Something isn't working label Oct 27, 2021
@brettpalmberg brettpalmberg self-assigned this Oct 27, 2021
brettpalmberg added a commit to USACE/cumulus-api that referenced this issue Oct 27, 2021
@brettpalmberg
fixes USACE/cumulus#141
0924a0a
@brettpalmberg brettpalmberg mentioned this issue Oct 27, 2021
Merged
brettpalmberg added a commit to USACE/cumulus-api that referenced this issue Oct 28, 2021
@brettpalmberg
Merge pull request #164 from USACE/bugfix/endpoint-url-sqs
9ff5b16 
fixes USACE/cumulus#141
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@brettpalmberg brettpalmberg

Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@brettpalmberg