3.6.4 does not fetch iam credentials using IMDSv2 when running from inside containers with IMDSv2 Defaults #560
Comments
I just found the reason. Our instances still use IMDSv1. They have not yet been configured with IMDSv2. So anybody who uses the latest gem without configuring for IMDSv2 would fail. This is a high severity bug, IMO. The gem should check whether the instance is configured for IMDSv1 or IMDSv2 and use the appropriate one, as IMDSv2 disables IMDSv1.
Thanks for the heads up, I had been under the impression that this change was backwards compatible and unfortunately that does not sound like it is the case. Is there an easy way to check for versions to configure this on the server side? I don't have recent direct experience with this, so I've been going off the docs and what others have reported. @atyndall helped add v2 stuff. @atyndall Do you have thoughts on how best to fix this?
This is curious, my understanding of the docs (and my own testing) has indicated that AWS has simply turned on IMDSv2 for all existing instances. As there are no instructions on how to "enable IMDSv2", just how to disable IMDSv1, and it says "By default, you can use either IMDSv1 or IMDSv2, or both." - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html When I switched my instances over to IMDSv2, I did not have to enable anything. The only proactive step, once I was satisfied I had switched over, was to disable IMDSv1. @v-kumar can you provide more details on your setup? Is it possible you are mocking the IMDS service and not directly communicating with the official AWS version? Are you using a really long-lived EC2 instance or something like that? @geemus As for how to fix, it should be as simple as not including the token in the request if the request to retrieve it fails. I can prepare a PR on Monday to get this resolved if you would like?
@atyndall thanks for the quick response. My reading of things matches your suggestion, so I was a bit surprised as well. If we haven't heard more and this still seems to be an issue, doing a fix along those lines early next week sounds reasonable to me. Thanks!
My instances were not switched to IMDSv2 automatically. Their documentation does not indicate that either. Per their documentation, existing instances must be configured to use IMDSv2. See **Step 3** under Transitioning to Version 2. They say
Also, please note that AWS sometimes does these defaults based on Unix flavor - IMDSv2 could be default for AWS Linux/Linux 2, but not for Ubuntu.
@v-kumar Your quoted paragraph refers to the fact that you can configure AWS to require IMDSv2 (e.g. disable IMDSv1), which is what I have tested and verified that command does. The docs are quite clear that by default both versions are always available to be used. My testing was also performed on Ubuntu 18.04 and 20.04 as that's the system base I run. There is also no indication in the docs that the metadata API endpoint would change based on AMI choice, which makes sense as my understanding is that it's a hypervisor feature. Are you running an EBS or Instance Store based AMI? Can you provide more information on your specific setup? Can you provide the full output of running Thanks
Actually, my bad, though it is not so simple. This This works only within the instance
Bit more. I found that botocore users ran into the same issue. I do believe that, just like botocore did, the right thing to do is revert the change, as the side effects are esoteric and hard to debug.
I am renaming the title of the issue... |
I was able to verify that the latest release works from within containers after I set the hop limit.
Thanks for the further info, I’ll prepare a PR on Monday (Australian Time) to fall back to V1 using a similar algorithm to Moving forward, as you’ve discovered, setting the hop limit higher than the default
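The fallback algorithm discussed in this thread, as an added example that is not part of the original issue or of the fog-aws gem: try the IMDSv2 token PUT first, and send the token header only if that PUT succeeded, otherwise make an unauthenticated IMDSv1 request. The `ImdsClient` class, the injectable `transport` callable, and the `fake_transport` responses (including the simulated container case, where the token PUT times out because its response is dropped by the hop limit) are all assumptions constructed for this example so it runs offline; `Net::HTTP` is only used when no transport is supplied.

```ruby
require 'json'
require 'net/http'
require 'timeout'

# Example IMDS client (not fog-aws code): IMDSv2 first, IMDSv1 as a fallback.
class ImdsClient
  IMDS_HOST  = '169.254.169.254'
  TOKEN_PATH = '/latest/api/token'
  CREDS_PATH = '/latest/meta-data/iam/security-credentials/'

  # `transport` is a callable (method, path, headers) -> { code: Integer, body: String }.
  # It is injectable (an assumption of this example) so the fallback logic can be
  # exercised without an EC2 instance.
  def initialize(transport: nil, token_ttl: 21_600, timeout: 1)
    @transport = transport || net_http_transport(timeout)
    @token_ttl = token_ttl
  end

  # Returns an IMDSv2 session token, or nil if the PUT fails or times out.
  # Inside a container with the default hop limit (1) the PUT response never
  # arrives, so the timeout branch is the one that fires there.
  def fetch_token
    resp = @transport.call(:put, TOKEN_PATH,
                           { 'X-aws-ec2-metadata-token-ttl-seconds' => @token_ttl.to_s })
    resp[:code] == 200 ? resp[:body] : nil
  rescue Timeout::Error, SystemCallError, IOError
    nil
  end

  # Fetches `path`, adding the token header only when a token was obtained.
  # Returns [body, :v2 | :v1] so callers can see which version served the request.
  def get(path)
    token = fetch_token
    headers = token ? { 'X-aws-ec2-metadata-token' => token } : {}
    resp = @transport.call(:get, path, headers)
    raise "IMDS GET #{path} failed with HTTP #{resp[:code]}" unless resp[:code] == 200
    [resp[:body], token ? :v2 : :v1]
  end

  # Resolves the instance role name, then returns its temporary credentials.
  def iam_credentials
    role, version = get(CREDS_PATH)
    body, = get(CREDS_PATH + role.strip)
    JSON.parse(body).merge('ImdsVersion' => version.to_s)
  end

  private

  def net_http_transport(timeout)
    lambda do |method, path, headers|
      http = Net::HTTP.new(IMDS_HOST, 80)
      http.open_timeout = timeout
      http.read_timeout = timeout
      req = method == :put ? Net::HTTP::Put.new(path) : Net::HTTP::Get.new(path)
      headers.each { |k, v| req[k] = v }
      resp = http.request(req)
      { code: resp.code.to_i, body: resp.body.to_s }
    end
  end
end

# Constructed sample credential document; not real keys.
FAKE_CREDS = { 'AccessKeyId' => 'ASIAEXAMPLE', 'SecretAccessKey' => 'secret',
               'Token' => 'session', 'Expiration' => '2030-01-01T00:00:00Z' }.to_json

# Constructed fake IMDS endpoints: :ok = v2 works, :timeout = PUT dropped (container
# with hop limit 1, v1 still served), :forbidden = token endpoint rejects the PUT.
def fake_transport(token_outcome)
  lambda do |method, path, headers|
    if method == :put
      raise Timeout::Error, 'PUT response dropped by hop limit' if token_outcome == :timeout
      return { code: 200, body: 'tok' } if token_outcome == :ok
      return { code: 403, body: '' }
    end
    # When v2 is available the fake insists the GET carries the token it handed out.
    return { code: 401, body: '' } if token_outcome == :ok && headers['X-aws-ec2-metadata-token'] != 'tok'
    case path
    when ImdsClient::CREDS_PATH then { code: 200, body: "my-role\n" }
    when "#{ImdsClient::CREDS_PATH}my-role" then { code: 200, body: FAKE_CREDS }
    else { code: 404, body: '' }
    end
  end
end

if $PROGRAM_NAME == __FILE__
  %i[ok timeout forbidden].each do |outcome|
    creds = ImdsClient.new(transport: fake_transport(outcome)).iam_credentials
    puts "#{outcome}: used IMDS#{creds['ImdsVersion']} for #{creds['AccessKeyId']}"
  end
end
```

The design point is that the token request is the only probe: a non-200 or a timeout on the PUT means the request proceeds without the token header, which is exactly what an IMDSv1-only instance, or a container behind the default hop limit, needs. On an instance where IMDSv1 has been disabled the fallback GET returns 401 and the client raises, which is the correct outcome rather than something to paper over.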
Thank you @atyndall
Thanks to you both for discussing and working through this. Glad to hear we were able to pin it down and have a plan for fixing it next week.
3.6.3 works fine with instance credentials, however 3.6.4 does not.