The v2 of IMDS adds a token component that gets added into the headers of subsequent requests.
Many organizations are moving towards v2 after various security incidents.
If you try to run a pipeline on an instance with IMDSv2 enforced, the response (CURL_VERBOSE=1) looks roughly like:
```
> GET /latest/meta-data/iam/security-credentials/ HTTP/1.1
Host: 169.254.169.254
Accept:*/*
* Mark bundle as not supporting multiuse
* HTTP 1.0, assume close after body
< HTTP/1.0 401 Unauthorized
< Content-Length: 123
< Content-Type: text/html
< Date: ...
< Connection: close
< Server: EC2ws
```
In the meantime, I believe you should be able to generate the token and manually embed it in a config.json, something like:
After looking at this a little more, I don't think this would be immediately supported with a user provided token like I outlined above.
- The actual call for gathering instance credentials is an Http:: call, so the above config would be using http or curl. Not entirely sure which syntax is used.
- The actual call to the AWS IP doesn't seem to populate any headers, user provided or otherwise. Not sure if this is as easy as just expanding that call out a bit or more logic would have to be added.
Currently, the S3 driver only supports accessing role credentials through querying the instance metadata using V1 method.

I don't yet have a fully working example of the above logic, but will continue to tinker and update later.
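The IMDSv2 exchange discussed in this issue, as an added example that is not part of the original issue or the project's code: a local mock stands in for 169.254.169.254 with v2 enforced, so a GET without a token gets the 401 shown in the curl output, while a PUT for a session token followed by a GET that carries it succeeds. The mock server, token value, role name and function names are constructed for illustration; the two header names and the `/latest/api/token` path are the ones IMDSv2 uses.

```python
import http.server, threading, urllib.error, urllib.request

TOKEN = "constructed-session-token"   # constructed sample value, not a real token
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"
# IMDS is link-local, so never route these requests through an env-configured proxy.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

class MockIMDS(http.server.BaseHTTPRequestHandler):
    """Local stand-in (assumption) for 169.254.169.254 with IMDSv2 enforced."""
    def _reply(self, code, body=b""):
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def do_PUT(self):  # step 1: session token request, the TTL header is mandatory
        has_ttl = "X-aws-ec2-metadata-token-ttl-seconds" in self.headers
        ok = self.path == "/latest/api/token" and has_ttl
        self._reply(200 if ok else 400, TOKEN.encode() if ok else b"")
    def do_GET(self):  # step 2: metadata reads must carry the token, else 401
        authed = self.headers.get("X-aws-ec2-metadata-token") == TOKEN
        self._reply(200 if authed else 401, b"example-role" if authed else b"")
    def log_message(self, *args):  # keep the demo quiet
        pass

def get_token(base, ttl=21600):
    """PUT to the token endpoint; 21600 seconds is the maximum TTL."""
    req = urllib.request.Request(base + "/latest/api/token", method="PUT",
        headers={"X-aws-ec2-metadata-token-ttl-seconds": str(ttl)})
    with OPENER.open(req, timeout=2) as resp:
        return resp.read().decode()

def fetch(base, path, token=None):
    """GET a metadata path; without a token this is the v1-style call."""
    headers = {"X-aws-ec2-metadata-token": token} if token else {}
    req = urllib.request.Request(base + path, headers=headers)
    try:
        with OPENER.open(req, timeout=2) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, ""

def demo():
    srv = http.server.HTTPServer(("127.0.0.1", 0), MockIMDS)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{srv.server_port}"
    results = fetch(base, CREDS_PATH), fetch(base, CREDS_PATH, get_token(base))
    srv.shutdown()
    return results

if __name__ == "__main__":
    print(demo())
```

A client that supports both versions would request the token first and attach it to every metadata read.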