-
Notifications
You must be signed in to change notification settings - Fork 343
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for EC2 IMDSv2 (Instance Metadata Service) #43
Add support for EC2 IMDSv2 (Instance Metadata Service) #43
Conversation
@jillr, do you know who I could reach out to to get this PR reviewed? Would love to be able to help get this change as it has been 8 months since Amazon introduced the newer version of the instance metadata service. |
@roadmapper this PR contains the following merge commits: Please rebase your branch to remove these commits. |
We are having the same issue, would love to get this fix merged and ready |
Is there any way to make this PR progress please ? |
The biggest thing to help get the PR merged would be to add some integration or unit tests. While there's some of the initial framework for an ec2_metadata_facts integration test, I don't see any real tests built out. Because of the way the CI infrastructure is set up unit tests may be simpler to build. However, I'm also concerned that this looks like a backwards incompatible change. While many of the modules are initially designed and tested against AWS, there are a significant number of IaaS services which support things like the metadata interface but aren't AWS so might not support the IMDSv2 interfaces. (For example OpenStack: https://docs.openstack.org/nova/latest/admin/metadata-service.html) While these aren't the primary use case for this collection there are people who use the modules this way and it's generally preferable to avoid breaking things which did work. Personally I'd prefer if this behaviour was either opt-in, or defaulted to falling back to the v1 service. |
It's been a little while since I've tested this change, but from what I recall: if IMDSv2 is not enabled, requesting the token doesn't do anything (accepted by the metadata service and nothing is returned). However, that being said, I'd be happy to change the module to accept a flag to opt-in to requesting a token for the IMDS. The point about having AWS-like environments using this module was not something I was aware of and is a good reason to make the feature opt-in. If the feature is opt-in, should I change to documentation to point out that the use of this module without a flag will mean that if it is used on a IMDSv2 enabled EC2 instance, the module will fail? |
- Add documentation on how IMDSv2 works in EC2
051bd73
to
b25a630
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've updated the code to use (200, 404) for this case I was worried about, and added a changelog. If the tests pass I think we're good to merge this PR.
I've also tested this PR against OpenStack and it fails over cleanly. |
Tests have all passed. I've also manually tested this against OpenStack (which doesn't support IMDSv2) and it failed over cleanly. Thanks for your submission, and I apologise for how long it took to get this PR merged. |
Thanks for helping to get this merged in! Appreciate the edits @tremble 👏 |
What version of ansible has these changes? |
@ado120 This feature should be available in the 1.5.0 release of this collection. I believe this is available with the Ansible 3.4.0 release: https://groups.google.com/g/ansible-devel/c/1buCqmI253g?pli=1 |
…eds (ansible-collections#43) * Fix policy arg to actually work with JSON strings that is needs. Also update docs. * Fix typo in docs * Fix long line in example * Update type in docs too Co-Authored-By: Mark Chappell <[email protected]> * Remove unecessary documentation for aws_kms policy param Co-Authored-By: Mark Chappell <[email protected]> Co-authored-by: Mark Chappell <[email protected]>
…eds (ansible-collections#43) * Fix policy arg to actually work with JSON strings that is needs. Also update docs. * Fix typo in docs * Fix long line in example * Update type in docs too Co-Authored-By: Mark Chappell <[email protected]> * Remove unecessary documentation for aws_kms policy param Co-Authored-By: Mark Chappell <[email protected]> Co-authored-by: Mark Chappell <[email protected]>
…eds (ansible-collections#43) * Fix policy arg to actually work with JSON strings that is needs. Also update docs. * Fix typo in docs * Fix long line in example * Update type in docs too Co-Authored-By: Mark Chappell <[email protected]> * Remove unecessary documentation for aws_kms policy param Co-Authored-By: Mark Chappell <[email protected]> Co-authored-by: Mark Chappell <[email protected]>
Porting the PR from the main Ansible repo: ansible/ansible#68098
SUMMARY
In November 2019, AWS announced a new version of the instance metadata service (IMDSv2) that supports session authentication. Currently, if the
ec2_metadata_facts
module is used on an EC2 instance that only has IMDSv2 enabled the module will fail. This change adds support for getting the session token for IMDSv2.Fixes ansible/ansible#67981
When the Instance Metadata Service HTTP endpoint is disabled, the module will fail to get facts:
ISSUE TYPE
COMPONENT NAME
ec2_metadata_facts