HENNGE / aiodynamo

Asynchronous, fast, pythonic DynamoDB Client
https://aiodynamo.readthedocs.io/

InstanceMetadataCredentials does not work with IMDSv2 #157

Closed y26805 closed 9 months ago

y26805 commented 10 months ago

InstanceMetadataCredentials attempts to get metadata about the EC2 instance by a GET request to the AWS endpoint "http://169.254.169.254" https://github.com/HENNGE/aiodynamo/blob/62e6e5a77604d4cc98241678c55e338659c3cd81/src/aiodynamo/credentials.py#L357C7-L388

However, this does not work with the newer way of how AWS does this ("IMDSv2" = Instance Metadata Service Version 2).

from official docs

For IMDSv2, you must use /latest/api/token when retrieving the token.

Issuing PUT requests to any version-specific path, for example /2021-03-23/api/token, will result in the metadata service returning 403 Forbidden errors. This behavior is intended.

If IMDSv2 is required, IMDSv1 does not work.

You can check if IMDSv2 is required for an instance, as follows: Select the instance to view its details, and check the value for IMDSv2. The value is either Required (only IMDSv2 can be used) or Optional (IMDSv2 and IMDSv1 can be used).

If the EC2 instance uses the Amazon Linux 2023 Image, IMDSv2 is required by default.

By default, any instances launched with the AL2023 AMI will require the use of IMDSv2-only

(IMDSv2 can be turned off in a very hidden options menu... for now)

Would be great if aiodynamo could also support credentials retrieval via IMDSv2.

y26805 commented 9 months ago

Looks like we can just switch to the IMDSv2 method, since it's either
  • IMDSv2 only; or
  • support both IMDSv1 and v2

Both IMDSv1 and IMDSv2 will be available and enabled by default, and customers can choose which they will use. The IMDS can now be restricted to v2 only, or IMDS (v1 and v2) can also be disabled entirely. AWS recommends adopting v2 and restricting access to v2 only for added security.

(from https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/)

ojii commented 9 months ago
  • IMDSv2 only; or
  • support both IMDSv1 and v2

that's for new instances presumably, I'd expect that depending on how/when/... an instance got created/launched, it might only have v1?

y26805 commented 9 months ago
  • IMDSv2 only; or
  • support both IMDSv1 and v2

that's for new instances presumably, I'd expect that depending on how/when/... an instance got created/launched, it might only have v1?

Hmm, I assumed that applies to all EC2 instances. Will double check.

y26805 commented 9 months ago

I think @ojii is right. If something somehow runs on an older AWS SDK it may not work with IMDSv2. Will modify my PR to try IMDSv1 first, and if that fails, try IMDSv2.

ojii commented 9 months ago

I think @ojii is right. If something somehow runs on an older AWS SDK it may not work with IMDSv2. Will modify my PR to try IMDSv1 first, and if that fails, try IMDSv2.

Shouldn't it be v2 first and v1 second? Should this maybe just be two separate resolvers so you can disable one or the other easily?
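The v2-first, v1-fallback order discussed in the thread, as an added stand-alone example that is not aiodynamo's code: it uses the synchronous stdlib `urllib` instead of aiodynamo's async HTTP layer, and the `request` callable (method, path, headers) -> (status, body) is an assumed abstraction so a fake transport can stand in for the real metadata service. The token PUT fails on instances where IMDSv2 is disabled or unreachable (for example from a container when the hop limit is 1); an unauthenticated GET then only succeeds if IMDSv1 is still allowed.

```python
import json
import urllib.error
import urllib.request

IMDS_BASE = "http://169.254.169.254"
TOKEN_PATH = "/latest/api/token"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"
TOKEN_TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"


def urllib_request(method, path, headers, timeout=1.0):
    """Real transport (assumed shape): returns (status, body); HTTP errors become a status, not an exception."""
    req = urllib.request.Request(IMDS_BASE + path, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as exc:
        return exc.code, ""
    except OSError:  # connection refused or timeout, e.g. IMDS disabled entirely
        return 0, ""


def imdsv2_token(request, ttl_seconds=21600):
    """PUT /latest/api/token; None when IMDSv2 is unavailable (403/404, hop limit, timeout)."""
    status, body = request("PUT", TOKEN_PATH, {TOKEN_TTL_HEADER: str(ttl_seconds)})
    return body if status == 200 and body else None


def fetch_instance_credentials(request=urllib_request):
    """Try IMDSv2 first; only fall back to unauthenticated IMDSv1 if no token was issued."""
    headers = {}
    token = imdsv2_token(request)
    if token is not None:
        headers[TOKEN_HEADER] = token  # every subsequent GET must carry the session token
    status, body = request("GET", CREDS_PATH, headers)
    if status != 200:
        # 401 with no token means the instance is IMDSv2-only: the v1 fallback is closed.
        raise RuntimeError(f"IMDS role lookup failed (HTTP {status}, v2 token={'yes' if token else 'no'})")
    role = body.splitlines()[0].strip()
    status, body = request("GET", CREDS_PATH + role, headers)
    if status != 200:
        raise RuntimeError(f"IMDS credential fetch failed for role {role!r} (HTTP {status})")
    doc = json.loads(body)
    return {"role": role, "key": doc["AccessKeyId"], "secret": doc["SecretAccessKey"],
            "token": doc["Token"], "expiration": doc["Expiration"]}
```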