googleapis / google-auth-library-python

Google Auth Python Library
https://googleapis.dev/python/google-auth/latest/
Apache License 2.0

Code relying on AWS IMDSv1 blocking cloud env hardening :sweat: #1314

Closed. laluka closed this 1 year ago

laluka commented 1 year ago

Is your feature request related to a problem? Please describe.

AWS IMDSv2 (metadata url - 169.254.169.254) seems to be supported in google/auth/aws.py but some files like google/auth/compute_engine/_metadata.py still rely on IMDSv1, blocking aws cloud hardening.

V1 Legacy code: https://github.com/googleapis/google-auth-library-python/blob/9c87ad07c6618bc5b1be3b254fdf5211e7778061/google/auth/compute_engine/_metadata.py#L49-L54 https://github.com/googleapis/google-auth-library-python/blob/9c87ad07c6618bc5b1be3b254fdf5211e7778061/google/auth/compute_engine/_metadata.py#L153-L241

V2 Supported code: https://github.com/googleapis/google-auth-library-python/blob/9c87ad07c6618bc5b1be3b254fdf5211e7778061/google/auth/aws.py#L418-L470

Describe the solution you'd like

A full support of IMDSv2 as default metadata fetching service, following: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-metadata-v2-how-it-works.html

clundin25 commented 1 year ago

Cursory look:

The code in google-auth-library-python/google/auth/compute_engine/_metadata.py is for supporting Google Compute Engine.

The code in google-auth-library-python/google/auth/aws.py is for AWS metadata servers.

IMDSv2 is an implementation detail for the AWS metadata server. With this information, does your question remain? Disclaimer: I did not refresh myself on the code, and I may be mistaken.
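To make the distinction in the two posts above concrete, here is an added example (not part of this issue thread and not google-auth's own code) showing the IMDSv2 session-token exchange that an AWS client must perform once an instance enforces tokens: a PUT to `/latest/api/token` with the `X-aws-ec2-metadata-token-ttl-seconds` header mints a token, and every subsequent metadata GET must carry it in `X-aws-ec2-metadata-token`, while a bare IMDSv1-style GET is refused with 401. The metadata service itself is a constructed stand-in bound to localhost (the real one is at `http://169.254.169.254`); the token value and the instance-id are constructed sample values.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Real IMDSv2 paths and header names (from the AWS IMDSv2 documentation).
TOKEN_PATH = "/latest/api/token"
TOKEN_HEADER = "X-aws-ec2-metadata-token"
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"

# Constructed sample values served by the fake metadata service below.
FAKE_TOKEN = "constructed-session-token"
FAKE_METADATA = {"/latest/meta-data/instance-id": "i-0000example"}

# Open URLs directly, ignoring any proxy environment variables.
_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))


class FakeImdsV2Handler(BaseHTTPRequestHandler):
    """Constructed stand-in for IMDS with tokens required (HttpTokens=required)."""

    def log_message(self, *args):  # keep the server quiet
        pass

    def _send(self, status, body=b""):
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_PUT(self):
        # IMDSv2 step 1: a PUT with a TTL header mints a session token.
        if self.path == TOKEN_PATH and self.headers.get(TTL_HEADER):
            self._send(200, FAKE_TOKEN.encode())
        else:
            self._send(400)

    def do_GET(self):
        # IMDSv2 step 2: reads must carry the token; with tokens required,
        # a plain IMDSv1-style GET without it is refused with 401.
        if self.headers.get(TOKEN_HEADER) != FAKE_TOKEN:
            self._send(401)
            return
        value = FAKE_METADATA.get(self.path)
        if value is None:
            self._send(404)
            return
        self._send(200, value.encode())


def start_fake_imds():
    """Start the fake IMDS on an ephemeral localhost port; return (server, base_url)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), FakeImdsV2Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


def get_imdsv2_token(base_url, ttl_seconds=21600):
    """IMDSv2 step 1: obtain a session token (TTL is in seconds, max 6 hours)."""
    req = urllib.request.Request(
        base_url + TOKEN_PATH, method="PUT", headers={TTL_HEADER: str(ttl_seconds)}
    )
    with _opener.open(req, timeout=2) as resp:
        return resp.read().decode()


def fetch_metadata_v2(base_url, path):
    """IMDSv2 step 2: read a metadata path, presenting the session token."""
    token = get_imdsv2_token(base_url)
    req = urllib.request.Request(base_url + path, headers={TOKEN_HEADER: token})
    with _opener.open(req, timeout=2) as resp:
        return resp.read().decode()


def fetch_metadata_v1_status(base_url, path):
    """IMDSv1-style read (plain GET, no token); returns the HTTP status code."""
    try:
        with _opener.open(base_url + path, timeout=2) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code


if __name__ == "__main__":
    server, base = start_fake_imds()
    print("IMDSv2 read:", fetch_metadata_v2(base, "/latest/meta-data/instance-id"))
    print("IMDSv1 GET status:", fetch_metadata_v1_status(base, "/latest/meta-data/instance-id"))
    server.shutdown()
```

The 401 on the plain GET is exactly what an IMDSv1-only client sees after an instance is hardened with tokens required, which is why such hardening surfaces as "metadata fetching broke". The Google Compute Engine metadata server that `google/auth/compute_engine/_metadata.py` talks to is a different service with its own check (it requires the `Metadata-Flavor: Google` request header), so the IMDSv2 token exchange does not apply to it.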

laluka commented 1 year ago

Hmmmm, that totally makes sense, but then I wonder what's happening on our side, might be a default behavior or misconfig, I'll keep you posted! Thank you for the fast answer! 🫶

laluka commented 1 year ago

Solved, it definitely was a misunderstanding + misconfig on our side, thanks so much!

zchenyu commented 1 year ago

I ran into this as well. I posted my solution here: https://github.com/googleapis/google-auth-library-python/issues/1364#issuecomment-1714715462