Closed y26805 closed 9 months ago
looks like we can just switch to the IMDSv2 method, since it's either
Both IMDSv1 and IMDSv2 will be available and enabled by default, and customers can choose which they will use. The IMDS can now be restricted to v2 only, or IMDS (v1 and v2) can also be disabled entirely. AWS recommends adopting v2 and restricting access to v2 only for added security.
- IMDSv2 only; or
- support both IMDSv1 and v2
that's for new instances presumably, I'd expect that depending on how/when/... an instance got created/launched, it might only have v1?
hmm i assumed that applies to all EC2 instances. Will double check.
i think @ojii is right. if something somehow runs on an older AWS SDK it may not work with IMDSv2.. will modify my PR to try IMDSv1 first, and if that fails, try IMDSv2
shouldn't it be v2 first and v1 second? should this maybe just be two separate resolvers so you can disable one or the other easily?
InstanceMetadataCredentials attempts to get metadata about the EC2 instance by a GET request to the AWS endpoint
"http://169.254.169.254"
https://github.com/HENNGE/aiodynamo/blob/62e6e5a77604d4cc98241678c55e338659c3cd81/src/aiodynamo/credentials.py#L357C7-L388
However, this does not work with the newer way of how AWS does this ("IMDSv2" = Instance Metadata Service Version 2).
from official docs
If the EC2 instance uses the Amazon Linux 2023 Image, IMDSv2 is required by default.
(IMDSv2 can be turned off in a very hidden options menu... for now)
would be great if aiodynamo can also support credentials retrieval via IMDSv2
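
The v2-first, v1-fallback ordering discussed in this thread, as an added example that is not part of the original issue and is not aiodynamo's code. It assumes a hypothetical injected `request` transport and a constructed in-memory `fake_imds`, so it runs without network access; the paths and header names are the documented IMDS ones.

```python
import json
from typing import Callable, Dict, Optional, Tuple

BASE = "http://169.254.169.254"  # endpoint quoted in the issue
TOKEN_PATH = "/latest/api/token"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"
# Hypothetical transport: (method, url, headers) -> (status, body)
Request = Callable[[str, str, Dict[str, str]], Tuple[int, str]]

def fetch_token(request: Request, ttl: int = 21600) -> Optional[str]:
    """IMDSv2 step 1: PUT for a session token; None means v2 is unavailable."""
    status, body = request("PUT", BASE + TOKEN_PATH, {TTL_HEADER: str(ttl)})
    return body if status == 200 and body else None

def fetch_credentials(request: Request, allow_v1: bool = True) -> dict:
    """Try IMDSv2 first; use tokenless IMDSv1 only if the caller allows it."""
    token = fetch_token(request)
    if token is None and not allow_v1:
        raise RuntimeError("IMDSv2 unavailable and IMDSv1 fallback disabled")
    headers = {TOKEN_HEADER: token} if token else {}
    status, role = request("GET", BASE + CREDS_PATH, headers)
    if status != 200:
        raise RuntimeError(f"role lookup refused: HTTP {status}")
    status, body = request("GET", BASE + CREDS_PATH + role.strip(), headers)
    if status != 200:
        raise RuntimeError(f"credential fetch refused: HTTP {status}")
    doc = json.loads(body)
    return {"key": doc["AccessKeyId"], "secret": doc["SecretAccessKey"],
            "token": doc["Token"], "imds": "v2" if token else "v1"}

def fake_imds(v1_enabled: bool, v2_enabled: bool = True) -> Request:
    """Constructed in-memory stand-in for the metadata service (no network)."""
    creds = json.dumps({"AccessKeyId": "EXAMPLEKEYID",
                        "SecretAccessKey": "constructed-secret",
                        "Token": "constructed-session-token"})
    def request(method: str, url: str, headers: Dict[str, str]) -> Tuple[int, str]:
        if url.endswith(TOKEN_PATH):
            ok = method == "PUT" and v2_enabled and TTL_HEADER in headers
            return (200, "constructed-imds-token") if ok else (403, "")  # 403 is constructed
        if headers.get(TOKEN_HEADER) != "constructed-imds-token" and not v1_enabled:
            return 401, ""  # v2-only: tokenless requests are rejected
        if url.endswith(CREDS_PATH):
            return 200, "example-role\n"
        return 200, creds
    return request
```

Passing `allow_v1=False` makes a failed token request an error instead of a silent downgrade to the tokenless path.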