'R53UseIAMRole=true' not working with IMDSv2 Tokens set to 'Required' #509
Comments
Hey @Alan111S, thanks for reaching out. I had no idea IMDSv2 was even a thing, but apparently it's been live since late 2019. The initial docs I'm reading make it seem like a fairly painless change to use v2 by default. And if I'm reading things correctly, there should be no cases where only v1 works. So I'll probably just upgrade the code to always use v2. Until I can get a new release out with the fix, you should also be able to work around the problem by having a 2020 or later version of the AWS.Tools.Route53 module and its dependencies installed along with Posh-ACME. If the plugin finds the official module, it will use that instead of its own raw REST implementation.
Hi @rmbolger, thanks for your quick update. I've installed:
I had to add I've performed another 'New-PACertificate' with the instance using IMDSv2 tokens set to 'Required' and it's working fine using the AWS.Tools.Route53 module. Do you want me to close this issue or leave it open until an update is published?
You can leave it open. I'll use it to track the code update. Thanks for verifying the workaround too!
I just committed a change that should update the plugin to use IMDSv2. Could you try testing it after uninstalling the AWS.Tools.Route53 module? You can either download the raw plugin file and overwrite your local copy or follow the instructions in the readme to install the dev build. Either way, make sure you're either running in a fresh PowerShell instance or forcefully re-import the module by running You shouldn't need to go through a whole new cert request process. You can test just the plugin by publishing and unpublishing a fake token value to one of your DNS zones like this:

```powershell
$pArgs = @{R53UseIAMRole=$true}
Publish-Challenge example.com (Get-PAAccount) faketoken Route53 $pArgs -Verbose
Unpublish-Challenge example.com (Get-PAAccount) faketoken Route53 $pArgs -Verbose
```

The dev version of the plugin tested fine. I followed the instructions to install the dev build and ran
This is now live in 4.19.0.
Having set up Posh-ACME to work on an EC2 instance with an IAM role, I was surprised to find I was getting a credential error when I next ran the New-PACertificate command.
As mentioned in the documentation here:
https://poshac.me/docs/v4/Plugins/Route53/#iam-role
"When using an IAM Role, the only thing you need to specify is a switch called R53UseIAMRole."
However, I found I was getting:

```
Submit-ChallengeValidation : No credentials specified or obtained from persisted/shell defaults
```

The EC2 instance had recently been set to IMDSv2 tokens 'Required' instead of 'Optional'.
Switching back to 'Optional' allowed me to use the IAM role again.
Please can the code for using an IAM role be upgraded to work with IMDSv2?
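The failure described in this issue comes from fetching instance-profile credentials the IMDSv1 way (a plain GET against the metadata service), which the service rejects with HTTP 401 once the instance's token setting is 'Required'. The IMDSv2 flow first obtains a short-lived session token with a PUT and then sends that token as a header on every metadata GET; it works under both the 'Optional' and 'Required' settings, which is why switching the plugin to always use v2 is safe. The script below is an added example illustrating that flow, not Posh-ACME's own plugin code. It assumes it runs on an EC2 instance with an instance profile attached; the endpoint address and header names are the documented IMDS ones, while the function names are chosen here for illustration.

```powershell
# Added example (not Posh-ACME's code): read IAM role credentials from the EC2
# Instance Metadata Service using the IMDSv2 token flow.
# Assumption: runs on an EC2 instance that has an instance profile attached.

$ImdsBase = 'http://169.254.169.254/latest'   # documented link-local IMDS address

function Get-ImdsV2Token {
    param([int]$TtlSeconds = 21600)   # 6 hours is the maximum TTL IMDS accepts
    # IMDSv2 requires a PUT to mint a session token before any metadata GET.
    # A plain GET without this token is what fails when tokens are 'Required'.
    $headers = @{ 'X-aws-ec2-metadata-token-ttl-seconds' = "$TtlSeconds" }
    $token = Invoke-RestMethod -Method Put -Uri "$ImdsBase/api/token" -Headers $headers -TimeoutSec 2
    return ([string]$token).Trim()
}

function Get-ImdsIamRoleCredentials {
    param([Parameter(Mandatory)][string]$Token)
    # Every metadata request carries the session token in this header.
    $headers = @{ 'X-aws-ec2-metadata-token' = $Token }
    $credPath = "$ImdsBase/meta-data/iam/security-credentials"

    # First GET returns the attached role name as plain text.
    $roleName = (Invoke-RestMethod -Method Get -Uri "$credPath/" -Headers $headers -TimeoutSec 2)
    $roleName = ([string]$roleName).Trim()
    if (-not $roleName) { throw 'No IAM role is attached to this instance.' }

    # Second GET returns the temporary key set as JSON.
    $creds = Invoke-RestMethod -Method Get -Uri "$credPath/$roleName" -Headers $headers -TimeoutSec 2
    if ($creds -is [string]) { $creds = $creds | ConvertFrom-Json }   # in case IMDS served it as text/plain
    if ($creds.Code -ne 'Success') {
        throw "IMDS returned credential status '$($creds.Code)' for role '$roleName'."
    }

    [pscustomobject]@{
        RoleName        = $roleName
        AccessKeyId     = $creds.AccessKeyId
        SecretAccessKey = $creds.SecretAccessKey
        SessionToken    = $creds.Token
        Expiration      = [datetime]$creds.Expiration
    }
}

try {
    $imdsToken = Get-ImdsV2Token
    $roleCreds = Get-ImdsIamRoleCredentials -Token $imdsToken
    # Only report the role and expiry; never log the secret key or session token.
    'Obtained credentials for role {0}, valid until {1:u}' -f $roleCreds.RoleName, $roleCreds.Expiration
} catch {
    Write-Error "IMDS credential lookup failed: $($_.Exception.Message)"
}
```

The same session token can be reused for any number of metadata GETs until its TTL expires, so a plugin need only mint one token per run. Note that the role credentials themselves are temporary and carry their own `Expiration`; code that caches them should re-read from IMDS before that time rather than assuming they stay valid for the life of the process.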