ClusterLabs / cluster-glue

Reusable Cluster Components ("glue")
http://clusterlabs.org/
GNU General Public License v2.0

Update external/ec2 to support IMDSv2 #34

Closed thimslugga closed 2 years ago

thimslugga commented 2 years ago

Retrieve session token to support IMDSv2

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html

dmuhamedagic commented 2 years ago

What happens if the instance isn't configured for IMDSv2? And, in any case, shouldn't we fail back to the non-IMDS method if there was an error retrieving a token? Not an expert on aws...

gguifelixamz commented 2 years ago

Hello @dmuhamedagic

Nothing will happen if the instance is not configured to use IMDSv2, and no error will be thrown. This is documented in AWS' public docs:

From an AWS perspective LGTM and it can be merged.

Please, let me know if you have any further questions.

thimslugga commented 2 years ago

Hi @dmuhamedagic

As @gguifelixamz already mentioned, there won't be any issue if the host doesn't require the session token (optional). This is already supported by the fence_aws agent that is used in pcs deployments.

https://github.com/ClusterLabs/fence-agents/blob/master/agents/aws/fence_aws.py

dmuhamedagic commented 2 years ago

OK. Many thanks for the contribution!
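
The token-then-fallback behaviour discussed in this thread, sketched as an added example; it is not the code from this pull request or from fence_aws. The function names `imds_http`, `imds_token` and `imds_get` and the timeout values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not the external/ec2 plugin's code): fetch an IMDSv2
# session token first, and fall back to a token-less request only when
# no token could be obtained.

IMDS_BASE="http://169.254.169.254/latest"
IMDS_TTL=21600   # token lifetime in seconds (the maximum IMDS accepts)

# Thin curl wrapper (hypothetical helper) so the transport can be stubbed.
# --fail turns HTTP errors such as 401 into a non-zero exit status.
imds_http() {
    curl --silent --fail --connect-timeout 2 --max-time 5 "$@"
}

# Print a session token, or nothing if the token endpoint did not answer.
imds_token() {
    imds_http -X PUT "$IMDS_BASE/api/token" \
        -H "X-aws-ec2-metadata-token-ttl-seconds: $IMDS_TTL" 2>/dev/null || true
}

# imds_get PATH: print a metadata value; non-zero status if it cannot be read.
imds_get() {
    md_path=$1
    token=$(imds_token)
    if [ -n "$token" ]; then
        # IMDSv2: works whether session tokens are optional or required.
        imds_http -H "X-aws-ec2-metadata-token: $token" \
            "$IMDS_BASE/meta-data/$md_path"
    else
        # No token: succeeds only where IMDSv1 is still allowed
        # (HttpTokens=optional). Where tokens are required the service
        # answers 401 and the failure is passed on to the caller
        # instead of being masked.
        imds_http "$IMDS_BASE/meta-data/$md_path"
    fi
}
```

Source the file and call `imds_get instance-id`; a caller should treat a non-zero status as "metadata unavailable" rather than continuing with an empty value.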