
Update ec2_metadata to use IMDSV2 #1457

Merged

merged 8 commits into from
Jan 25, 2021

Conversation

wilkosz
Contributor

@wilkosz wilkosz commented Apr 26, 2020

Agenda

Update all service calls to EC2 metadata to use IMDSV2 spec:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html

EC2 metadata service IMDSV1 introduced quite a few vulnerabilities: https://hackerone.com/reports/508459

Fix

Add v2 token generation for each Net::HTTP::Get request.
Closes issue #1411

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Chore (non-breaking change that does not add functionality or fix an issue)

Checklist:

  • I have read the CONTRIBUTING document.
  • I have run the pre-merge tests locally and they pass.
  • I have updated the documentation accordingly.
  • I have added tests to cover my changes.
  • All new and existing tests passed.
  • All commits have been signed-off for the Developer Certificate of Origin.

@wilkosz wilkosz requested review from a team as code owners April 26, 2020 06:58
@wilkosz wilkosz changed the title update ec2_metadata Update ec2_metadata to use IMDSV2 Apr 26, 2020

@kevinrbabcock kevinrbabcock left a comment


Thank you for putting together this change. We are looking forward to using it.

It looks like the EC2_SUPPORTED_VERSIONS at line 43 are out of date. I see four more in addition on a recent instance:

2018-03-28
2018-08-17
2018-09-24
2019-10-01

Similarly I don't believe the local_ipv4s endpoint mentioned at line 46 exists any longer. It may have been changed over the years; AWS has an updated list of metadata endpoints.

@@ -83,6 +83,10 @@ def http_client
end
end

def v2_token
http_client.put("/latest/api/token/", nil, { 'X-aws-ec2-metadata-token-ttl-seconds': "60" })&.body
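Review bot: The PUT in `v2_token` goes to `/latest/api/token/` with a trailing slash, while the documented token endpoint is `/latest/api/token`; drop the slash. The `&.body` also guards the wrong failure: `Net::HTTP#put` returns a response object rather than nil, so the nil check never fires, whereas a non-2xx reply (for example a 404 from a metadata endpoint that does not implement IMDSv2) still carries a body, and that error page would then be sent as the token value on the following GET. Connection failures on hosts with no metadata service raise (`Errno::ECONNREFUSED`, `Net::OpenTimeout`) and are not rescued here. Check the response class before using the body, e.g. `resp = http_client.put('/latest/api/token', nil, { 'X-aws-ec2-metadata-token-ttl-seconds' => '60' })` followed by `resp.is_a?(Net::HTTPSuccess) ? resp.body : nil`, and rescue the connection errors so the caller can decide whether to fall back to IMDSv1 or abort. A unit test for each of those paths would pin the behaviour down.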


The AWS documentation suggests the PUT request is supposed to go to /latest/api/token with no trailing slash.

The quoting style is inconsistent, with some single quotes and some double quotes. It doesn't really matter for functionality, but is odd to read.

It would be good to have unit tests for this method. What happens when the PUT request fails for some reason, e.g. IMDSv2 isn't running?
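The PR description above calls for a v2 token per request, and the review comment asks what happens when the token PUT fails. The following is an added example, not the PR's code and not Ohai's, of an IMDSv2-first client that does both: it fetches a session token from `/latest/api/token` (no trailing slash), sends it on every GET, refuses to treat a non-2xx body or a connection error as a token, and only falls back to the unauthenticated IMDSv1 request when the caller explicitly allows it. The class names, the `for_instance` wiring, the `FakeImds` stand-in for the metadata endpoint and its sample instance id are all assumptions made so the code runs offline.

```ruby
require 'net/http'

# Added example (not Ohai's or the PR's code): IMDSv2-first EC2 metadata client.
class Ec2MetadataClient
  IMDS_HOST    = '169.254.169.254'.freeze
  TOKEN_PATH   = '/latest/api/token'.freeze   # documented path, no trailing slash
  TOKEN_TTL    = '60'.freeze                  # seconds; one token per request
  TTL_HEADER   = 'X-aws-ec2-metadata-token-ttl-seconds'.freeze
  TOKEN_HEADER = 'X-aws-ec2-metadata-token'.freeze

  class Unavailable < StandardError; end

  # http must respond to put(path, body, headers) and get(path, headers) and
  # return objects with #code (String) and #body, as Net::HTTPResponse does.
  def initialize(http, allow_v1_fallback: false)
    @http = http
    @allow_v1_fallback = allow_v1_fallback
  end

  # Real wiring for an instance: short timeouts so a host without IMDS fails fast.
  def self.for_instance(allow_v1_fallback: false)
    http = Net::HTTP.new(IMDS_HOST, 80)
    http.open_timeout = 1
    http.read_timeout = 1
    new(http, allow_v1_fallback: allow_v1_fallback)
  end

  # Returns a session token, or nil when IMDSv2 is not reachable. A non-2xx
  # reply carries an error page in its body, which must never be used as a token.
  def v2_token
    resp = @http.put(TOKEN_PATH, nil, { TTL_HEADER => TOKEN_TTL })
    return nil unless success?(resp)
    token = resp.body.to_s.strip
    token.empty? ? nil : token
  rescue SystemCallError, Timeout::Error, IOError, SocketError
    nil
  end

  # GET a metadata path with a fresh token; returns the body, or nil for non-2xx.
  def get(path)
    token = v2_token
    if token
      resp = @http.get(path, { TOKEN_HEADER => token })
    elsif @allow_v1_fallback
      resp = @http.get(path, {})
    else
      raise Unavailable, "IMDSv2 token request to #{TOKEN_PATH} failed"
    end
    success?(resp) ? resp.body : nil
  end

  private

  def success?(resp)
    resp.code.to_i.between?(200, 299)
  end
end

# Constructed stand-in for the metadata endpoint so the example runs offline.
# mode: :v2_optional (token accepted, not required), :v2_required (GET without
# a token gets 401), :v1_only (token PUT gets 404), :absent (connection refused).
class FakeImds
  Response = Struct.new(:code, :body)
  SAMPLE_TOKEN = 'AQAEAExample-token'.freeze   # constructed, not a real token

  def initialize(mode)
    @mode = mode
    @data = { '/latest/meta-data/instance-id' => 'i-0123456789abcdef0' } # constructed
  end

  def put(path, _body, headers)
    raise Errno::ECONNREFUSED if @mode == :absent
    return Response.new('404', '<h1>404 - Not Found</h1>') if @mode == :v1_only
    return Response.new('404', 'not found') unless path == Ec2MetadataClient::TOKEN_PATH
    return Response.new('400', 'missing TTL') unless headers[Ec2MetadataClient::TTL_HEADER]
    Response.new('200', SAMPLE_TOKEN)
  end

  def get(path, headers)
    raise Errno::ECONNREFUSED if @mode == :absent
    has_token = headers[Ec2MetadataClient::TOKEN_HEADER] == SAMPLE_TOKEN
    return Response.new('401', 'Unauthorized') if @mode == :v2_required && !has_token
    body = @data[path]
    body ? Response.new('200', body) : Response.new('404', 'not found')
  end
end

# Convenience wrapper used by the checks: fetch the instance id through a fake IMDS.
def fetch_instance_id(mode, allow_v1_fallback: false)
  Ec2MetadataClient.new(FakeImds.new(mode), allow_v1_fallback: allow_v1_fallback)
                   .get('/latest/meta-data/instance-id')
end
```

With `:v1_only` the 404 page is discarded instead of being sent as a token, and the caller gets an `Unavailable` error unless IMDSv1 fallback was requested; with `:absent` the refused connection is rescued in `v2_token` so a non-AWS host is reported the same way. On a real instance, `Ec2MetadataClient.for_instance.get('/latest/meta-data/instance-id')` performs the same PUT-then-GET exchange against 169.254.169.254.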

@jaymzh
Collaborator

jaymzh commented Jan 25, 2021

@sawanoboly - wanna rebase?

@tas50 tas50 merged commit a63a306 into chef:master Jan 25, 2021
@tas50
Contributor

tas50 commented Jan 26, 2021

#1599 fixed the issue with this failing on non-aws systems that maintain a compatible ec2 metadata endpoint


4 participants