Bug#954363: cloud-init fails to obtain an IMDS API token on Amazon EC2

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#954363: cloud-init fails to obtain an IMDS API token on Amazon EC2
From: Noah Meyerhans <noahm@debian.org>
Date: Fri, 20 Mar 2020 18:54:07 +0000
Message-id: <[🔎] E1jFNil-00035c-QJ@minas.morgul.net>
Reply-to: Noah Meyerhans <noahm@debian.org>, 954363@bugs.debian.org

Package: cloud-init
Version: 20.1-1
Severity: important

Cloud-init 20.1 attempts to obtain an API token for use with Amazon EC2
instance metadata service (IMDS).  On EC2, this operation should always
succeed, whether using IMDSv1 or v2, and cloud-init will always access
IMDS in v2 mode.  However, this fails on EC2:

2020-03-20 18:25:10,331 - DataSourceEc2.py[DEBUG]: Fetching Ec2 IMDSv2 API Token
2020-03-20 18:25:10,332 - url_helper.py[DEBUG]: [0/1] open 'http://169.254.169.254/latest/api/token' with {'url': 'http://169.254.169.254/latest/api/token', 'allow_redirects': True, 'method': 'PUT', 'timeout': 1.0, 'headers': {'User-Agent': 'Cloud-Init/20.1', 'X-aws-ec2-metadata-token-ttl-seconds': 'REDACTED'}} configuration
2020-03-20 18:25:10,336 - url_helper.py[DEBUG]: Read from http://169.254.169.254/latest/api/token (400, 0b) after 1 attempts
2020-03-20 18:25:10,336 - DataSourceEc2.py[WARNING]: Calling 'http://169.254.169.254/latest/api/token' failed [0/1s]: empty response [400]
2020-03-20 18:25:10,344 - url_helper.py[DEBUG]: Please wait 1 seconds while we wait to try again

With 20.1, cloud-init will fall back to using IMDSv1 in this case, but
this behavior will change in future versions, which will always use v2
mode (it is backwards-compatible with v1), and only use v1 mode for
compatibility with non-AWS services providing IMDS-compatible metadata
endpoints.

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.4.0-4-cloud-amd64 (SMP w/2 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages cloud-init depends on:
ii  fdisk               2.34-0.1
ii  gdisk               1.0.5-1
ii  ifupdown            0.8.35+b1
ii  locales             2.30-2
ii  lsb-base            11.1.0
ii  lsb-release         11.1.0
ii  net-tools           1.60+git20180626.aebd88e-1
ii  procps              2:3.3.16-4
ii  python3             3.8.2-1
ii  python3-configobj   5.0.6-3
ii  python3-jinja2      2.10.1-2
ii  python3-jsonpatch   1.23-3
ii  python3-jsonschema  3.0.2-4
ii  python3-oauthlib    3.1.0-1
ii  python3-requests    2.22.0-2
ii  python3-six         1.14.0-2
ii  python3-yaml        5.3.1-1
ii  util-linux          2.34-0.1

Versions of packages cloud-init recommends:
ii  cloud-guest-utils  0.31-1
pn  eatmydata          <none>
ii  sudo               1.8.31-1

Versions of packages cloud-init suggests:
pn  btrfs-progs  <none>
ii  e2fsprogs    1.45.5-2
pn  xfsprogs     <none>

-- debconf information:
* cloud-init/datasources:        Ec2

Reply to:

Follow-Ups:
- Processed: Re: Bug#954363: cloud-init fails to obtain an IMDS API token on Amazon EC2
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>
- Bug#954363: cloud-init fails to obtain an IMDS API token on Amazon EC2
  - From: Noah Meyerhans <noahm@debian.org>
- Bug#954363: marked as done (cloud-init fails to obtain an IMDS API token on Amazon EC2)
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>

Prev by Date: Processed: Re: Bug#954321: in the Debian AWS-images cloud-init network fails if ipv6 is disabled
Next by Date: Processed: Re: Bug#954363: cloud-init fails to obtain an IMDS API token on Amazon EC2
Previous by thread: Processed: Re: Bug#954321: in the Debian AWS-images cloud-init network fails if ipv6 is disabled
Next by thread: Processed: Re: Bug#954363: cloud-init fails to obtain an IMDS API token on Amazon EC2
Index(es):
- Date
- Thread