Open edlitmus opened 1 year ago
Duplicates #60668
@edlitmus are you willing to submit a PR with test coverage?
I could, if I can get someone to advise on how best to handle it.
Should this be added as a new grain module specific to AWS (metadata_aws)?
Sorry for the two accounts, BTW (work and personal)
It would be ideal if both IMDSv1 and IMDSv2 are able to be supported in the same grain
My understanding of the salt.utils.aws:get_metadata() method is that it should be able to work with either, as it falls back on IMDSv2 requests only if it encounters a 401 response, so the code in this ticket should already be sufficient for both.
I need to take a deeper dive into the test coverage to see if there are existing tests or if there is a way to actually test this.
I was able to get an EC2 instance with IMDSv2 required set up and running my salt from my fork with the new code and the meta-data grains work just fine. I can't find any unit tests specifically for the metadata grains, but I'm not sure how that would even work without a lot of mocking up of the metadata end points.
I'll submit a PR with my changes after I finish running all the unit tests just to make sure nothing wonky is going on.
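The fallback discussed in the comments above (a plain IMDSv1 GET first, and a session token fetched and retried only when the endpoint answers 401), written out as an added example. This is not Salt's salt.utils.aws code and not the reporter's custom module; it uses a pluggable transport so that a constructed in-memory FakeIMDS stand-in can exercise both the IMDSv1-optional and the IMDSv2-required cases offline. The header and path names are the documented IMDSv2 ones; the instance-id and availability-zone values are made up.

```python
"""IMDSv1/IMDSv2-aware metadata fetch with a pluggable transport (added example)."""
import urllib.error
import urllib.request

IMDS_HOST = "http://169.254.169.254"
TOKEN_PATH = "/latest/api/token"
TOKEN_TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"


def urllib_transport(method, url, headers=None, timeout=2):
    """Real transport for use on an instance: returns (status, body), never raises on HTTP errors."""
    req = urllib.request.Request(url, method=method, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode()


class MetadataClient:
    """Tries IMDSv1 first; on 401 obtains an IMDSv2 token, caches it and retries once."""

    def __init__(self, transport, host=IMDS_HOST, token_ttl=21600):
        self._transport = transport
        self._host = host
        self._ttl = token_ttl
        self._token = None  # IMDSv2 session token, fetched lazily

    def _get_token(self):
        status, body = self._transport(
            "PUT", self._host + TOKEN_PATH, {TOKEN_TTL_HEADER: str(self._ttl)})
        if status != 200:
            raise RuntimeError(f"IMDSv2 token request failed: HTTP {status}")
        self._token = body.strip()
        return self._token

    def get(self, path):
        url = self._host + "/latest/meta-data/" + path.lstrip("/")
        headers = {TOKEN_HEADER: self._token} if self._token else {}
        status, body = self._transport("GET", url, headers)
        if status == 401:
            # IMDSv2 is required (or the cached token is stale): get a token and retry once.
            self._get_token()
            status, body = self._transport("GET", url, {TOKEN_HEADER: self._token})
        if status != 200:
            raise RuntimeError(f"metadata GET {path} failed: HTTP {status}")
        return body


class FakeIMDS:
    """Constructed stand-in for the EC2 metadata endpoint; require_v2 mirrors HttpTokens=required."""

    def __init__(self, require_v2, data):
        self.require_v2 = require_v2
        self.data = data
        self.tokens = set()
        self.calls = []  # (method, url, headers) for every request, for inspection

    def __call__(self, method, url, headers=None):
        headers = headers or {}
        self.calls.append((method, url, dict(headers)))
        path = url[len(IMDS_HOST):]
        if method == "PUT" and path == TOKEN_PATH:
            if TOKEN_TTL_HEADER not in headers:
                return 400, ""
            token = f"tok-{len(self.tokens) + 1}"
            self.tokens.add(token)
            return 200, token
        if method == "GET" and path.startswith("/latest/meta-data/"):
            token = headers.get(TOKEN_HEADER)
            if token is not None and token not in self.tokens:
                return 401, ""  # unknown or expired token is rejected
            if self.require_v2 and token is None:
                return 401, ""  # IMDSv1 request against an IMDSv2-only endpoint
            key = path[len("/latest/meta-data/"):]
            return (200, self.data[key]) if key in self.data else (404, "")
        return 404, ""


def fetch_grains(transport, keys=("instance-id", "placement/availability-zone")):
    """Fetch a few metadata keys the way a grains module would, sharing one token across calls."""
    client = MetadataClient(transport)
    return {key: client.get(key) for key in keys}


if __name__ == "__main__":
    sample = {"instance-id": "i-0123456789abcdef0", "placement/availability-zone": "us-east-1a"}
    print(fetch_grains(FakeIMDS(require_v2=True, data=sample)))
```

Against a real instance, pass `urllib_transport` instead of the fake. On an IMDSv1-optional instance the client never issues a PUT, so the token round trip costs nothing where it is not needed; on an IMDSv2-required instance the first 401 triggers exactly one PUT and the token is reused for every later key.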
Description
The current metadata grain module does not account for IMDSv2 in AWS.
Setup
Running salt on instances in EC2 with metadata grains enabled fails when IMDSv2 is required by the underlying AMI. This results in errors, and IMDSv2 requires the use of a token when making metadata requests.
Steps to Reproduce the behavior
Launch an EC2 instance using an AMI that enforces the use of IMDSv2. Install salt and try to access metadata grains.
Expected behavior
The metadata grains module should retry requests if IMDSv1 requests return a 403, or there should be an AWS specific metadata module that uses IMDSv2 as this should be universally available in AWS.
Versions Report
This has been tested in 3004.2 as well as 3006.2
Additional context
We replaced the use of the built-in metadata grain with this custom module, combining parts of the existing codebase that account for IMDSv2 in our AWS salt systems: