crepererum commented on code in PR #2610:
URL: https://github.com/apache/arrow-rs/pull/2610#discussion_r958363403
##########
object_store/src/aws/mod.rs:
##########
@@ -446,6 +447,23 @@ impl AmazonS3Builder {
self
}
+ /// By default instance credentials will only be fetched over [IMDSv2], as
AWS recommends
+ /// against having IMDSv1 enabled on EC2 instances as it is vulnerable to
[SSRF attack]
+ ///
+ /// However, certain deployment environments, such as those running old
versions of kube2iam,
+ /// may not support IMDSv2. This option will enable automatic fallback to
using IMDSv1
+ /// if the token endpoint returns a 403 error indicating that IMDSv2 is
not supported.
+ ///
+ /// This option has no effect if not using instance credentials
+ ///
+ /// [IMDSv2]:
[https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html]
+ /// [SSRF attack]:
[https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/]
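Review bot: the two link reference definitions at the end of the doc comment wrap their URLs in square brackets (`/// [IMDSv2]: [https://docs.aws.amazon.com/...]`), so the rendered link target will contain the literal brackets; the destination should be bare, e.g. `/// [IMDSv2]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html` and likewise for `[SSRF attack]`. Two sentences are also missing their terminating period ("...vulnerable to [SSRF attack]" and "...if not using instance credentials"). Since the IMDSv2-only default exists precisely for SSRF resistance, it would be worth one more sentence stating that turning this fallback on gives up that protection for the instance, so it should stay disabled unless the deployment is known to lack IMDSv2 support.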
Review Comment:
I really like that you describe the implications here and include some
really helpful links to official docs :+1:
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.