IMDSv2 session token support

fred-vogt · Jul 2, 2020 · ef6afb6 · ef6afb6
1 parent 3d6d512
commit ef6afb6
Showing 1 changed file with 14 additions and 1 deletion.
diff --git a/bin/ec2metadata b/bin/ec2metadata
@@ -38,6 +38,12 @@ instdata_host = "169.254.169.254"
 instdata_ver = "2009-04-04"
 instdata_url = "http://%s/%s" % (instdata_host, instdata_ver)
 
+TOKEN_TTL_SECONDS = 21600
+TOKEN_HEADER = "X-aws-ec2-metadata-token"
+TOKEN_HEADER_TTL = "X-aws-ec2-metadata-token-ttl-seconds"
+
+session_token_url = "http://%s/%s/%s" % (instdata_host, 'latest', 'api/token')
+
 __doc__ = """
 Query and display EC2 metadata.
 
@@ -117,6 +123,7 @@ class EC2Metadata:
         if not self._test_connectivity(addr, port):
             raise Error("could not establish connection to: %s:%s" %
                         (addr, port))
+        self._imdsv2_ensure_token()
 
     @staticmethod
     def _test_connectivity(addr, port):
@@ -131,10 +138,16 @@ class EC2Metadata:
 
         return False
 
+    def _imdsv2_ensure_token(self):
+        # Get IMDSv2 session token
+        request = urllib_request.Request(session_token_url, method='PUT', headers={TOKEN_HEADER_TTL: TOKEN_TTL_SECONDS})
+        resp = urllib_request.urlopen(request)
+        self.session_token = resp.read()
+
     def _get(self, uri, decode=True):
         url = "%s/%s" % (self.burl, uri)
         try:
-            resp = urllib_request.urlopen(urllib_request.Request(url))
+            resp = urllib_request.urlopen(urllib_request.Request(url, headers={TOKEN_HEADER: self.session_token}))
             value = resp.read()
             if decode:
                 value = value.decode()