INFO enclaver::run > starting egress proxy on vsock port 17002
INFO enclaver::vsock > Listening on vsock port 17002
INFO enclaver::run > starting enclave
INFO enclaver::run > started enclave i-0730be3681a830dee-enc1942a3bf218bb98
INFO enclaver::run > starting ingress proxy on port 8000
INFO enclaver::run > waiting for enclave to boot to stream logs
INFO enclaver::run > connected to enclave, starting log stream
INFO enclave > INFO enclaver::vsock > Listening on vsock port 17001
INFO enclave > INFO odyn::enclave > Bringing up loopback interface
INFO enclave > INFO odyn::enclave > Seeding /dev/random with entropy from nsm device
INFO enclave > INFO odyn > Enclave initialized
INFO enclave > INFO odyn::egress > Starting egress
INFO enclave > INFO odyn::ingress > Starting TCP ingress on port 8000
INFO enclave > INFO enclaver::vsock > Listening on vsock port 8000
INFO enclave > INFO odyn::kms_proxy > Starting KMS proxy
INFO enclave > INFO odyn::kms_proxy > Generating public/private keypair
INFO enclave > INFO odyn::kms_proxy > Fetching credentials from IMDSv2
INFO enclave > WARN aws_config::imds::region > failed to load region from IMDS err=failed to load IMDS session token: dispatch failure: io error: error trying to connect: unsuccessful tunnel (HTTP/1.1 401 Una): unsuccessful tunnel (HTTP/1.1 401 Una) (FailedToLoadToken(FailedToLoadToken { source: DispatchFailure(DispatchFailure { source: ConnectorError { kind: Io, source: hyper::Error(Connect, Custom { kind: Other, error: "unsuccessful tunnel (HTTP/1.1 401 Una)" }), connection: Unknown } }) }))
INFO enclaver::run > enclave exited due to fatal error: failed to fetch the region from IMDS
ERROR enclaver > error running enclave: Docker container wait error
I do NOT get this error when I run the no-fly example. What's going on? I seem to have IMDS enabled.
Also, is it possible to send environment variables into the enclave as it is started?
The problem was removing 169.254.169.254 from the allowed egress list. That's IMDS. My tiny recommendation is to add a comment to the example that this is needed and mention that in the documentation too.
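A small triage helper for the failure above, added here as an example and not code from Enclaver or from the issue author. It correlates the log lines quoted in this issue with an egress allow list: a `401` on the CONNECT tunnel to IMDS while `169.254.169.254` is absent from the list points at the cause named in this comment. The allow-list entries and the hostname `kms.us-east-1.amazonaws.com` are constructed sample values.

```python
import ipaddress
import re

IMDS_IP = ipaddress.ip_address("169.254.169.254")

# Constructed sample: the three relevant lines from the log quoted in this issue.
SAMPLE_LOG = """\
INFO enclave > INFO odyn::kms_proxy > Fetching credentials from IMDSv2
INFO enclave > WARN aws_config::imds::region > failed to load region from IMDS err=failed to load IMDS session token: dispatch failure: io error: error trying to connect: unsuccessful tunnel (HTTP/1.1 401 Una)
INFO enclaver::run > enclave exited due to fatal error: failed to fetch the region from IMDS
"""

# Matches both the SDK warning and the fatal exit line from the log.
IMDS_FAIL_RE = re.compile(r"failed to (?:load region from IMDS|fetch the region from IMDS)")
# Captures the HTTP status the egress proxy returned for the CONNECT attempt.
TUNNEL_RE = re.compile(r"unsuccessful tunnel \(HTTP/1\.1 (\d{3})")


def egress_allows_imds(allow_list):
    """True if an entry is the IMDS address or a CIDR that contains it.
    Hostnames are skipped: the SDK reaches IMDS by IP, so a name cannot cover it."""
    for entry in allow_list:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # e.g. a KMS hostname; irrelevant to the IMDS check
        if IMDS_IP in net:
            return True
    return False


def triage(log_text, allow_list):
    """Return a dict describing whether IMDS failed and the most likely cause."""
    imds_failed, proxy_status = False, None
    for line in log_text.splitlines():
        if IMDS_FAIL_RE.search(line):
            imds_failed = True
            m = TUNNEL_RE.search(line)
            if m:
                proxy_status = int(m.group(1))
    if not imds_failed:
        cause = None
    elif proxy_status is not None and not egress_allows_imds(allow_list):
        cause = "imds_not_allowed"        # proxy refused CONNECT; add 169.254.169.254
    elif proxy_status is not None:
        cause = "proxy_refused_tunnel"    # allowed, yet tunnel failed; inspect proxy
    else:
        cause = "no_tunnel_error"         # failure not at the proxy; check host IMDS
    return {"imds_failed": imds_failed, "proxy_status": proxy_status, "cause": cause}
```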
What's the situation with environment variables? The docs say that enclaver run is
This command is a convenience utility that runs a pre-existing Enclaver image in the local Docker Daemon. It is equivalent to running the image with Docker, and passing:
--device=/dev/nitro_enclaves:/dev/nitro_enclaves:rwm
But that doesn't appear to be exactly the case, because when I run docker run with my normal args (including env variables) and add the --device line, it fails.
I've gotten deeper into the solution. The problem appears to be awslabs/aws-sdk-rust#169 where the Rust AWS SDK is ignoring the PROXY settings that Enclaver sets up.
When I run my enclave, I get the following error: