RHEL-9435: Get AWS metadata via IMDSv2
* Card ID: RHEL-9435

Even though both versions are officially supported, the AWS teams are
tracking connections making v1 requests as WARNINGs [0].

This patch switches the order to try to use IMDSv2 first.

[0]: /~https://github.com/aws/aws-imds-packet-analyzer

Cherry-picked from 953f2df.
m-horky committed Nov 1, 2023
1 parent 5b8c215 commit 9f070df
Showing 1 changed file with 9 additions and 14 deletions.
23 changes: 9 additions & 14 deletions src/cloud_what/providers/aws.py
Expand Up @@ -285,25 +285,20 @@ def _get_metadata_from_server_imds_v2(self) -> Union[str, None]:

def _get_metadata_from_server(self) -> Union[str, None]:
"""
Try to get metadata from server as is described in this document:
Try to get metadata from server as described in these documents:
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-metadata-v2-how-it-works.html
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html
IMDSv2 requires two HTTP requests (first requests a token, second obtains the metadata).
If that fails, try to fall back to IDMSv1 (which is older and can be disabled in the AWS console).
It is possible to use two versions. We will try to use version IMDSv1 first (this version requires
only one HTTP request), when the usage of IMDSv1 is forbidden, then we will try to use IMDSv2 version.
The version requires two requests (get session TOKEN and then get own metadata using token)
:return: String with metadata or None
"""
metadata = self._get_metadata_from_server_imds_v2()
if metadata is not None:
return metadata

if self._token_exists() is False:
# First try to get metadata using IMDSv1
metadata = self._get_metadata_from_server_imds_v1()

if metadata is not None:
return metadata

# When it wasn't possible to get metadata using IMDSv1, then try to get metadata using IMDSv2
return self._get_metadata_from_server_imds_v2()
return self._get_metadata_from_server_imds_v1()

def _get_signature_from_cache_file(self) -> None:
"""
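Review bot: the new docstring line "If that fails, try to fall back to IDMSv1" misspells IMDSv1. More importantly, the rewrite drops the `self._token_exists() is False` guard that previously surrounded the IMDSv1 attempt, so `_get_metadata_from_server_imds_v1()` now runs unconditionally whenever `_get_metadata_from_server_imds_v2()` returns None, including on hosts where IMDSv1 has been disabled in the console; if that guard was intentional, keep it, and consider logging which version actually served the metadata so operators can tell which hosts still hit the v1 fallback that the commit message says AWS flags as WARNINGs.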