I'm writing a flask API in pycharm. When I run my code locally, requests using boto3 to get secrets from secrets manager take less than a second. However, when I put my code on an EC2, it takes about 3 minutes (tried in both t2.micro and m5.large). At first I thought it could be a Python issue, so I ran it in my EC2s through the awscli using: <pre class="prettyprint"><code>aws secretsmanager get-secret-value --secret-id secretname </code></pre> It sill took about 3 minutes. Why does this happen? Shouldn't this in theory be faster in an EC2 than in my local machine? EDIT: This only happens when the EC2 is inside a VPC different than the default VPC.

After fighting with this same issue on our local machines for almost two months, we finally had some forward progress today. It turns out the problem is related to IPv6. If you're using IPv6, then the secrets manager domain will resolve to an IPv6 address. For some reason the cli is unable to make a secure connection using IPv6. After it times out, the cli falls back to IPv4 and then it succeeds. To verify if you're resolving to an IPv6 address, just ping secretsmanager.us-east-1.amazonaws.com. Don't worry about the ping response, you just want to see the IP address the domain resolves to. To fix this problem, you now have 3 options: <ol> <li>Figure out your networking issues. This could be something on your machine or router. If in an AWS VPC, check your routing tables and security groups. Make sure you allow outbound IPv6 traffic (::/0).</li> <li>Reduce the cli connect timeout to make the IPv6 call fail faster. This will make the IPv4 fallback happen sooner. You may want give a better timeout value, but the general idea is to add something like this: <code>--cli-connect-timeout 1</code> </li> <li>Disable IPv6. You can either disable IPv6 on your machine/router altogether, or you can adjust your machine to prefer IPv4 for this specific address (See: https://superuser.com/questions/436574/ipv4-vs-ipv6-priority-in-windows-7).</li> </ol> Ultimately, option 1 is the real solution, but since it is so broad, the others might be easier. Hopefully this helps someone else maintain a bit of sanity when they hit this.

Secrets manager extremely slow in EC2s via awscli and boto3

Tags:

amazon-web-services

aws-cli

amazon-ec2

boto3

aws-secrets-manager

I'm writing a flask API in pycharm. When I run my code locally, requests using boto3 to get secrets from secrets manager take less than a second. However, when I put my code on an EC2, it takes about 3 minutes (tried in both t2.micro and m5.large).

At first I thought it could be a Python issue, so I ran it in my EC2s through the awscli using:

aws secretsmanager get-secret-value --secret-id secretname

It sill took about 3 minutes. Why does this happen? Shouldn't this in theory be faster in an EC2 than in my local machine?

EDIT: This only happens when the EC2 is inside a VPC different than the default VPC.

778

asked May 06 '18 19:05

rodrigocf

1 Answers

After fighting with this same issue on our local machines for almost two months, we finally had some forward progress today.

It turns out the problem is related to IPv6.

If you're using IPv6, then the secrets manager domain will resolve to an IPv6 address. For some reason the cli is unable to make a secure connection using IPv6. After it times out, the cli falls back to IPv4 and then it succeeds.

To verify if you're resolving to an IPv6 address, just ping secretsmanager.us-east-1.amazonaws.com. Don't worry about the ping response, you just want to see the IP address the domain resolves to.

To fix this problem, you now have 3 options:

Figure out your networking issues. This could be something on your machine or router. If in an AWS VPC, check your routing tables and security groups. Make sure you allow outbound IPv6 traffic (::/0).
Reduce the cli connect timeout to make the IPv6 call fail faster. This will make the IPv4 fallback happen sooner. You may want give a better timeout value, but the general idea is to add something like this: --cli-connect-timeout 1
Disable IPv6. You can either disable IPv6 on your machine/router altogether, or you can adjust your machine to prefer IPv4 for this specific address (See: https://superuser.com/questions/436574/ipv4-vs-ipv6-priority-in-windows-7).

Ultimately, option 1 is the real solution, but since it is so broad, the others might be easier.

Hopefully this helps someone else maintain a bit of sanity when they hit this.

135

answered Nov 07 '22 11:11

LTAcosta

Related questions
                            
                                How to Get Signed S3 Url in AWS-SDK JS Version 3?
                            
                                AWS EC2 'You are not authorized to perform this operation. Encoded authorization failure message:'
                            
                                RequireHttps causes redirect loop on Amazon Elastic Load Balancer
                            
                                ELB and Apache configuration for HTTPS website
                            
                                AWS Cloudwatch - Autoscaling groups are not showing up when I try to create an alarm for SQS
                            
                                Spring web application healthchecks
                            
                                Amazon AWS - Fatal: could not read Username for 'https://github.com': No such device or address
                            
                                Cloudfront traffic cheaper than S3? [closed]
                            
                                AWS Elastic Beanstalk update environment error
                            
                                Security group for AWS NTP Server
                            
                                AWS-Load Balancer. Does it incur cost when no EC2 is linked to them?
                            
                                Change cognito user pool user status
                            
                                Unable to Connect to Jenkins Server (Amazon Linux AMI)
                            
                                Changing MAIL FROM Domain in Amazon AWS SES
                            
                                Cannot create a FIFO SQS through CLI
                            
                                Reading terraform variable from file
                            
                                how to get results from Athena for the past week?
                            
                                Pass cookie to CloudFront origin but prevent from caching
                            
                                How do you download a file from AWS S3 to a client's device?
                            
                                SCP command fails to copy "Host key verification failed."

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!

Donate Us With