Skip to content

Add option to disable EC2 metadata (IMDS) calls without token #4866

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 8 commits into from
Feb 1, 2024
Merged

Add option to disable EC2 metadata (IMDS) calls without token #4866

merged 8 commits into from
Feb 1, 2024

Conversation

cenedhryn
Copy link
Contributor

Motivation and Context

Currently, when the SDK calls the EC2 Instance Metadata Service (IMDS) to fetch regional or credential information, it attempts to fetch a token which is then attached to the credentials call, for security. If token fetching fails due to some errors (403, 404, 405) or timeouts, the provider makes an unsecure call without the token header.

It's recommended to avoid fallback to unsecure, IMDS v1 style calls without a token and this PR adds a configuration option to facilitate that.

Modifications

  • Adds setting to disable IMDS v1 fallback through
    • Environment variables (AWS_EC2_METADATA_V1_DISABLED)
    • System property (aws.disableEc2MetadataV1)
    • Config file (ec2_metadata_v1_disabled).
  • Adds a resolver to resolve the disable value to
    • InstanceProfileCredentialsProvider
    • InstanceProfileRegionProvider (specifically, EC2MetadataUtils)
  • Updates creating an InstanceProfileCredentialsProvider in ProfileCredentialsProvider to forward profile information to the InstanceProfileCredentialsProvider

Note that all changes except for the ones to InstanceProfileRegionProvider are reviewed in #4840.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)

Checklist

  • I have read the CONTRIBUTING document
  • Local run of mvn install succeeds
  • My code follows the code style of this project
  • My change requires a change to the Javadoc documentation
  • I have updated the Javadoc documentation accordingly
  • I have added tests to cover my changes
  • All new and existing tests passed
  • I have added a changelog entry. Adding a new entry must be accomplished by running the scripts/new-change script and following the instructions. Commit the new file created by the script in .changes/next-release with your changes.
  • My change is to implement 1.11 parity feature and I have updated LaunchChangelog

License

  • I confirm that this pull request can be released under the Apache 2 license

@cenedhryn
Add option to disable IMDS v1 fallback when token is not returned (#4840
4023c1a 
)

* Add option to disable IMDS v1 fallback when token is not returned for IMDS credential calls

* updating IMDS fallback message
@cenedhryn
Add support for disable IMDS v1 fallback for regions
d65352d
@cenedhryn cenedhryn requested a review from a team as a code owner January 31, 2024 00:23
@cenedhryn cenedhryn enabled auto-merge (squash) January 31, 2024 00:24
@sonarqubecloud SonarQubeCloud
Copy link

sonarqubecloud bot commented Feb 1, 2024

Quality Gate Passed Quality Gate passed

The SonarCloud Quality Gate passed, but some issues were introduced.

36 New issues
0 Security Hotspots
86.2% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

@cenedhryn cenedhryn merged commit c7417f0 into master Feb 1, 2024
@cenedhryn cenedhryn deleted the feature/imds-fallback branch February 1, 2024 20:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@millems millems millems left review comments

@zoewangg zoewangg zoewangg approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@cenedhryn @millems @zoewangg