
Bug#954363: cloud-init fails to obtain an IMDS API token on Amazon EC2



Control: tags -1 + upstream

> 2020-03-20 18:25:10,332 - url_helper.py[DEBUG]: [0/1] open 'http://169.254.169.254/latest/api/token' with {'url': 'http://169.254.169.254/latest/api/token', 'allow_redirects': True, 'method': 'PUT', 'timeout': 1.0, 'headers': {'User-Agent': 'Cloud-Init/20.1', 'X-aws-ec2-metadata-token-ttl-seconds': 'REDACTED'}} configuration

It seems that the "redaction" of the
X-aws-ec2-metadata-token-ttl-seconds header value happens before the
actual request is made, so where the IMDS server expects a TTL in
seconds, cloud-init actually passes it the literal string "REDACTED".
Unsurprisingly, this fails.

I've verified this by avoiding the redacting, via the attached patch.
This isn't an ideal solution, as it avoids all redacting.  The intent of
cloud-init's behavior is to avoid storing IMDS API tokens in the logs,
which is sensible, and is broken by my change.

noah

diff --git a/debian/patches/no-redact-imds-headers.patch b/debian/patches/no-redact-imds-headers.patch
new file mode 100644
index 00000000..26195c02
--- /dev/null
+++ b/debian/patches/no-redact-imds-headers.patch
@@ -0,0 +1,25 @@
 Index: cloud-init/cloudinit/sources/DataSourceEc2.py                                                                                     
 ===================================================================                                                                      
 --- cloud-init.orig/cloudinit/sources/DataSourceEc2.py                                                                                   
 +++ cloud-init/cloudinit/sources/DataSourceEc2.py                                                                                        
 @@ -32,7 +32,7 @@ API_TOKEN_ROUTE = 'latest/api/token'                                                                                   
  AWS_TOKEN_TTL_SECONDS = '21600'                                                                                                         
  AWS_TOKEN_PUT_HEADER = 'X-aws-ec2-metadata-token'                                                                                       
  AWS_TOKEN_REQ_HEADER = AWS_TOKEN_PUT_HEADER + '-ttl-seconds'                                                                            
 -AWS_TOKEN_REDACT = [AWS_TOKEN_PUT_HEADER, AWS_TOKEN_REQ_HEADER]                                                                         
 +AWS_TOKEN_REDACT = []                                                                                                                   
                                                                                                                                          
                                                                                                                                          
  class CloudNames(object):                                                                                                               
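Review bot: Emptying AWS_TOKEN_REDACT also stops redacting AWS_TOKEN_PUT_HEADER, so the token IMDS returns will be written to cloud-init's debug log on every later metadata request, which the cover message itself acknowledges. The TTL request header only carries the public constant AWS_TOKEN_TTL_SECONDS = '21600' and needs no redaction at all, so a narrower workaround is `+AWS_TOKEN_REDACT = [AWS_TOKEN_PUT_HEADER]`, which keeps the token out of the log while leaving the TTL value intact on the wire. The underlying defect shown in the quoted log line, redaction being applied to the headers that are actually sent instead of to a logged copy, is not in this list and is what the upstream report should ask to have fixed. The new debian/patches file also has no DEP-3 header (Description, Bug-Debian, Forwarded), which Debian expects for every file under debian/patches.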
 Index: cloud-init/tests/unittests/test_datasource/test_ec2.py                                                                            
 ===================================================================                                                                      
 --- cloud-init.orig/tests/unittests/test_datasource/test_ec2.py                                                                          
 +++ cloud-init/tests/unittests/test_datasource/test_ec2.py                                                                               
 @@ -479,6 +479,7 @@ class TestEc2(test_helpers.HttprettyTest                                                                             
                                                                                                                                          
      def test_aws_token_redacted(self):                                                                                                  
          """Verify that aws tokens are redacted when logged."""                                                                          
 +        self.skipTest('skipping for now...')                                                                                            
          ds = self._setup_ds(                                                                                                            
              platform_data=self.valid_platform_data,                                                                                     
              sys_cfg={'datasource': {'Ec2': {'strict_id': False}}},                                                                      
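Review bot: `self.skipTest('skipping for now...')` hides the behaviour change rather than recording it: the message gives no reason, and the intact test body will keep being silently skipped after the workaround is dropped. Either state the cause in the message, e.g. `self.skipTest('token redaction disabled, see Debian bug #954363')`, or adjust the test so that it asserts whatever redaction this patch still intends to keep, instead of leaving an unexplained skip in the test suite.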

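The failure described in the report, as an added example that is not cloud-init's code: the buggy pattern (redacting the live header dict before the PUT is sent, so IMDS receives the literal string "REDACTED" as the TTL) beside the fixed pattern (redacting only a copy used for logging). The header names and the TTL value are taken from the patch context above; `fake_imds_token_endpoint` is a constructed stand-in for the real http://169.254.169.254/latest/api/token handler so the code runs offline, and the redaction list is narrowed to the token header only, which is an assumption of this example rather than something the patch does.

```python
"""Log-time redaction of IMDSv2 token headers: bug pattern beside the fix.

Added example, not cloud-init's own code. fake_imds_token_endpoint is a
constructed stand-in for PUT http://169.254.169.254/latest/api/token.
"""
import logging
import secrets

LOG = logging.getLogger(__name__)

AWS_TOKEN_TTL_SECONDS = '21600'
AWS_TOKEN_PUT_HEADER = 'X-aws-ec2-metadata-token'
AWS_TOKEN_REQ_HEADER = AWS_TOKEN_PUT_HEADER + '-ttl-seconds'
# Assumption of this example: only the token itself is secret; the TTL
# request header is a public constant and never needs redacting.
AWS_TOKEN_REDACT = [AWS_TOKEN_PUT_HEADER]


def fake_imds_token_endpoint(method, headers):
    """Constructed stand-in for the IMDSv2 token handler (not real IMDS).

    Mimics the real service: the TTL header must be an integer between 1 and
    21600 seconds, otherwise the PUT is rejected with HTTP 400.
    """
    if method != 'PUT':
        return 405, None
    ttl = headers.get(AWS_TOKEN_REQ_HEADER)
    if ttl is None or not ttl.isdigit() or not 1 <= int(ttl) <= 21600:
        return 400, None
    return 200, secrets.token_urlsafe(40)


def redact_for_log(headers, redact_keys=AWS_TOKEN_REDACT):
    """Return a copy of headers with secret values masked; input is untouched."""
    shown = dict(headers)
    for key in redact_keys:
        if key in shown:
            shown[key] = 'REDACTED'
    return shown


def request_token_buggy(endpoint=fake_imds_token_endpoint):
    """The pattern from the report: redact the dict that is about to be sent.

    With the original list [PUT_HEADER, REQ_HEADER] the TTL header is
    overwritten in place, so the endpoint sees 'REDACTED' instead of '21600'.
    """
    headers = {AWS_TOKEN_REQ_HEADER: AWS_TOKEN_TTL_SECONDS}
    for key in [AWS_TOKEN_PUT_HEADER, AWS_TOKEN_REQ_HEADER]:
        if key in headers:
            headers[key] = 'REDACTED'  # mutates the live request headers
    LOG.debug("open token url with headers %s", headers)
    return endpoint('PUT', headers)


def request_token_fixed(endpoint=fake_imds_token_endpoint):
    """Send the real headers; redaction is applied only to the logged copy."""
    headers = {AWS_TOKEN_REQ_HEADER: AWS_TOKEN_TTL_SECONDS}
    LOG.debug("open token url with headers %s", redact_for_log(headers))
    return endpoint('PUT', headers)


def logged_view_of_metadata_get(token):
    """What the log shows for a later GET carrying the token.

    Returns (headers_sent, headers_logged): the sent copy keeps the token,
    the logged copy masks it.
    """
    headers = {AWS_TOKEN_PUT_HEADER: token}
    return headers, redact_for_log(headers)


if __name__ == '__main__':
    logging.basicConfig(level=logging.DEBUG)
    print('buggy :', request_token_buggy()[0])   # 400: TTL arrived as 'REDACTED'
    status, token = request_token_fixed()
    print('fixed :', status)                      # 200: real TTL went on the wire
    print('logged:', logged_view_of_metadata_get(token)[1])
```

The point of the split is that redaction is a property of the log record, not of the request: `redact_for_log` copies, so the dict handed to the HTTP call is never touched, and the TTL header is left out of the redaction list because its value is a known constant that reveals nothing.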