Update ec2_metadata to use IMDSV2 #1457
…ouble spec client
Signed-off-by: wilkosz <joshua@wilkosz.com.au>
Thank you for putting together this change. We are looking forward to using it.
It looks like the EC2_SUPPORTED_VERSIONS at line 43 are out of date. I see four more in addition on a recent instance:
2018-03-28
2018-08-17
2018-09-24
2019-10-01
Similarly, I don't believe the local_ipv4s endpoint mentioned at line 46 exists any longer. It may have been changed over the years; AWS has an updated list of metadata endpoints.
@@ -83,6 +83,10 @@ def http_client | |||
end | |||
end | |||
|
|||
def v2_token | |||
http_client.put("/latest/api/token/", nil, { 'X-aws-ec2-metadata-token-ttl-seconds': "60" })&.body |
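Review bot: the `&.body` on the `put` call only guards against a nil response, but when nothing answers on 169.254.169.254 or IMDSv2 is disabled, Net::HTTP raises (Errno::ECONNREFUSED, Net::OpenTimeout, Net::ReadTimeout) rather than returning nil, so `v2_token` will propagate the exception into every metadata lookup that calls it. Suggest rescuing those errors and returning nil so the caller can fall back to a token-less GET, and checking `resp.code` before using the body, since a 404/405 from an endpoint that does not implement the token API would otherwise be returned as if it were a token. Also pass the header name as a string (`'X-aws-ec2-metadata-token-ttl-seconds' => '60'`) rather than a symbol key; Net::HTTP header names are strings.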
The AWS documentation suggests the PUT request is supposed to go to /latest/api/token
with no trailing slash.
The quoting style is inconsistent, with some single quotes and some double quotes. It doesn't really matter for functionality, but is odd to read.
It would be good to have unit tests for this method. What happens when the PUT request fails for some reason, e.g. IMDSv2 isn't running?
@sawanoboly - wanna rebase?
#1599 fixed the issue with this failing on non-AWS systems that maintain a compatible EC2 metadata endpoint.
Agenda
Update all service calls to EC2 metadata to use IMDSV2 spec:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html
EC2 metadata service IMDSV1 introduced quite a few vulnerabilities: https://hackerone.com/reports/508459
Fix
Add v2 token generation for each Net::HTTP::Get request.
Closes issue #1411
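The flow the description sketches (PUT a token request with a TTL header, then send the token on every metadata GET), together with the reviewer's question about what happens when the PUT fails, as an added example that is not ohai's own code. It wraps a real Net::HTTP client with the short timeouts a link-local probe should have, rescues the errors Net::HTTP actually raises when nothing answers, and falls back to a token-less GET so a non-AWS endpoint that emulates only IMDSv1 keeps working. `Imdsv2Client`, `FakeImds`, the sample instance id and the token strings are this example's own constructions; `FakeImds` stands in for the metadata service so the whole thing runs offline.

```ruby
require 'net/http'

# Added example, not ohai's code: an IMDSv2-first metadata client that falls
# back to a plain (IMDSv1-style) GET when no session token can be obtained.
class Imdsv2Client
  IMDS_HOST = '169.254.169.254'.freeze
  TOKEN_PATH = '/latest/api/token'.freeze            # AWS documents no trailing slash
  TOKEN_TTL_HEADER = 'X-aws-ec2-metadata-token-ttl-seconds'.freeze
  TOKEN_HEADER = 'X-aws-ec2-metadata-token'.freeze
  # Raised by Net::HTTP when nothing answers on the link-local address; none of
  # these return nil, so a bare `&.body` would not cover them.
  UNREACHABLE = [Errno::ECONNREFUSED, Errno::EHOSTUNREACH, Errno::ENETUNREACH,
                 Net::OpenTimeout, Net::ReadTimeout, SocketError].freeze

  # `http` is injectable so the logic can be exercised offline; the default is a
  # real Net::HTTP with 1 s timeouts so a missing metadata service fails fast.
  def initialize(http: nil, ttl_seconds: 60)
    @http = http || Net::HTTP.new(IMDS_HOST, 80).tap { |h| h.open_timeout = 1; h.read_timeout = 1 }
    @ttl_seconds = ttl_seconds
    @token = nil
  end

  # PUT /latest/api/token with the TTL header. Returns the token string, or nil
  # when the endpoint is unreachable or does not implement the token API (an
  # IMDSv1-only emulator answers 404 here).
  def v2_token
    resp = @http.put(TOKEN_PATH, '', TOKEN_TTL_HEADER => @ttl_seconds.to_s)
    resp.code == '200' ? resp.body : nil
  rescue *UNREACHABLE
    nil
  end

  # GET a metadata path, sending the session token when one is available.
  # Returns the body, or nil when the value cannot be retrieved. A 401 while
  # holding a token means the token expired, so it is refreshed exactly once.
  def fetch(path)
    @token ||= v2_token            # retried on every call while it keeps failing
    resp = @http.get(path, auth_header)
    if resp.code == '401' && @token
      @token = v2_token
      resp = @http.get(path, auth_header)
    end
    resp.code == '200' ? resp.body : nil
  rescue *UNREACHABLE
    nil
  end

  attr_reader :token               # current session token; nil in IMDSv1 mode

  private

  def auth_header
    @token ? { TOKEN_HEADER => @token } : {}
  end
end

# Constructed stand-in for the metadata service so the example runs offline.
# Modes: :v2 (tokens required, as on an instance with IMDSv2 enforced),
#        :v1_only (no token endpoint; GET works without a token),
#        :unreachable (nothing listening on the link-local address).
class FakeImds
  Response = Struct.new(:code, :body)
  INSTANCE_ID = 'i-0123456789abcdef0'.freeze     # constructed sample value

  def initialize(mode)
    @mode = mode
    @data = { '/latest/meta-data/instance-id' => INSTANCE_ID }
    @tokens = {}
    @issued = 0
  end

  def put(path, _body, headers = nil)
    raise Errno::ECONNREFUSED if @mode == :unreachable
    return Response.new('404', '') if @mode == :v1_only || path != Imdsv2Client::TOKEN_PATH
    ttl = Integer((headers || {}).fetch(Imdsv2Client::TOKEN_TTL_HEADER, '0'))
    return Response.new('400', '') unless (1..21_600).cover?(ttl)   # AWS accepts 1 s .. 6 h
    @issued += 1
    token = "tok-#{@issued}"
    @tokens[token] = true
    Response.new('200', token)
  end

  def get(path, headers = nil)
    raise Errno::ECONNREFUSED if @mode == :unreachable
    return Response.new('401', '') if @mode == :v2 && !@tokens[(headers || {})[Imdsv2Client::TOKEN_HEADER]]
    @data.key?(path) ? Response.new('200', @data[path]) : Response.new('404', '')
  end

  def expire_tokens!
    @tokens.clear
  end
end

if $PROGRAM_NAME == __FILE__
  %i[v2 v1_only unreachable].each do |mode|
    client = Imdsv2Client.new(http: FakeImds.new(mode))
    puts "#{mode}: instance-id=#{client.fetch('/latest/meta-data/instance-id').inspect} token=#{client.token.inspect}"
  end
end
```

Running the file prints one line per mode: the enforced-v2 fake answers only with a token in hand, the v1-only fake answers with no token at all, and the unreachable fake yields nil instead of an exception. Refreshing on a single 401 rather than looping matters: a token rejected twice in a row is not going to be accepted on the third try, and an unbounded retry against a link-local address is how a metadata plugin hangs boot.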