chef / ohai

Ohai profiles your system and emits JSON
https://docs.chef.io/ohai.html
Apache License 2.0

AWS EC2 ohai plugin replaces - with _ in metadata keys #1673

Open cavdhut opened 3 years ago

cavdhut commented 3 years ago

Description

AWS EC2 ohai plugin replaces - with _ in metadata keys. For example, if I have a role named my-iam-role, the ohai plugin changes it to my_iam_role.

I believe the code below does this conversion. Is it possible to fix this?

https://github.com/chef/ohai/blob/master/lib/ohai/mixin/ec2_metadata.rb#L229

Ohai Version

Ohai: 13.10.0

Platform Version

CentOS Stream release 8

Ohai Output

Ohai output:

ohai -d /etc/chef/ohai_plugins/ -l fatal | jq .cloud.iam.role_name
"my_iam_role"

AWS meta-data:

curl http://169.254.169.254/latest/meta-data/iam/security-credentials/;echo
my-iam-role

kcbraunschweig commented 3 years ago

While it'd be great to unwind if this key munging is needed in general and remove it, it seems that's gonna take some historical digging because it's been that way for a very long time. A workaround for this specific case might be to take a different approach to role fetching. Instead of trusting the return from fetch_metadata, which munges keys, and parsing the keys to derive the role name, we remove that. We create a separate fetch_role method in the ec2_metadata mixin which fetches the metadata and walks down it similarly to fetch_metadata, but only to get security-credentials and the role; that method can avoid munging the key and return the role name only. The plugin can add in the role name where it currently is in the returned ohai data. Since it ends up as a value, not a key, there's no risk of whatever that munging was trying to protect us from. It does mean fetching and walking part of the metadata a second time, so there's a performance penalty of 3 extra HTTP calls.
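
The difference between deriving the role name from munged keys and fetching it as a value, as an added example that is not part of the thread and is not ohai's own code. `FAKE_IMDS`, `metadata_get`, `munge_key`, `fetch_metadata_munged`, `role_from_keys` and this `fetch_role` are hypothetical names over a constructed in-memory metadata tree, and the munging is a simplified model of the behaviour reported in the issue.

```ruby
# Constructed stand-in for the instance metadata tree; nothing here touches the network.
FAKE_IMDS = {
  "iam/" => "info\nsecurity-credentials/",
  "iam/info" => '{"Code":"Success"}',
  "iam/security-credentials/" => "my-iam-role",
  "iam/security-credentials/my-iam-role" => '{"Code":"Success"}',
}.freeze

# Hypothetical fetcher (assumption): a real one would issue an HTTP GET per path.
def metadata_get(path)
  FAKE_IMDS.fetch(path)
end

# Simplified model of the reported behaviour: "-" and "/" in a key become "_".
def munge_key(key)
  key.gsub(%r{[-/]}, "_")
end

# Walks the tree and stores every entry under a munged key.
def fetch_metadata_munged(path = "iam/")
  metadata_get(path).split("\n").each_with_object({}) do |entry, out|
    child = "#{path}#{entry}"
    value = entry.end_with?("/") ? fetch_metadata_munged(child) : metadata_get(child)
    out[munge_key(entry.chomp("/"))] = value
  end
end

# Role name derived from the munged keys, which is where the "-" is lost.
def role_from_keys
  fetch_metadata_munged("iam/")["security_credentials"].keys.first
end

# Characters AWS permits in an IAM role name.
ROLE_NAME = /\A[\w+=,.@-]{1,64}\z/

# Hypothetical fetch_role: reads the listing and returns the name as a value.
# Returns nil when no role is attached or the listing is not a plausible name.
def fetch_role(getter = method(:metadata_get))
  name = getter.call("iam/security-credentials/").to_s.lines.map(&:strip).reject(&:empty?).first
  name if name && ROLE_NAME.match?(name)
end
```

Anything that compares the reported role name against IAM policy or an allow-list needs the unmunged value, since `my_iam_role` and `my-iam-role` are different role names to AWS.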