Alexey Serbin created KUDU-3644:
-----------------------------------
Summary: Update VM instance detector to handle AWS IMDSv2
Key: KUDU-3644
URL: https://issues.apache.org/jira/browse/KUDU-3644
Project: Kudu
Issue Type: Improvement
Components: ntp-client
Reporter: Alexey Serbin
The original implementation of Kudu's VM instance detection in AWS public cloud
targeted EC2 Instance Metadata Service v1 (IMDSv1), but for a few years already
only IMDSv2 is available for a newly created VM in EC2. The IMDSv2 API
requires authentication for all the calls to the metadata service.
It's necessary to update the implementation to take care of this. Essentially,
it's necessary to first acquire an authn token via issuing a preliminary HTTP
PUT request, and supply the token with all requests to the instance metadata
service.
This is how it works in a command line session using curl, as described at [1]:
{noformat}
TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" \
  -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"`
curl http://169.254.169.254/latest/meta-data/profile \
  -H "X-aws-ec2-metadata-token: $TOKEN"
{noformat}
[1] https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/
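The token exchange described in the issue, shown from both sides as an added example (not Kudu's code and not part of the original report). `MockImds`, `start_mock`, `imds_token` and `imds_get` are hypothetical names, the mock is a constructed local stand-in for the metadata service, and the profile value `default-hvm` is a constructed sample.

```python
import http.server, secrets, threading, urllib.error, urllib.request

TOKEN_HDR = "X-aws-ec2-metadata-token"
TTL_HDR = "X-aws-ec2-metadata-token-ttl-seconds"
# Metadata endpoints are link-local: never route these requests via a proxy.
NO_PROXY = urllib.request.build_opener(urllib.request.ProxyHandler({}))

class MockImds(http.server.BaseHTTPRequestHandler):
    """Constructed local stand-in for the metadata service, IMDSv2-only."""
    tokens = set()  # session tokens issued so far
    def _reply(self, code, body=""):
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body.encode())

    def do_PUT(self):  # token endpoint: TTL header in, session token out
        if self.path != "/latest/api/token" or not self.headers.get(TTL_HDR):
            return self._reply(400)
        token = secrets.token_urlsafe(16)
        self.tokens.add(token)
        self._reply(200, token)

    def do_GET(self):  # reads need an issued token; "default-hvm" is constructed
        if self.headers.get(TOKEN_HDR) not in self.tokens:
            return self._reply(401)
        found = self.path == "/latest/meta-data/profile"
        self._reply(200 if found else 404, "default-hvm" if found else "")

    def log_message(self, *args):  # silence per-request logging
        pass

def start_mock():
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), MockImds)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_port

def imds_token(base, ttl=21600):
    req = urllib.request.Request(base + "/latest/api/token", method="PUT",
                                 headers={TTL_HDR: str(ttl)})
    with NO_PROXY.open(req, timeout=2) as resp:
        return resp.read().decode()

def imds_get(base, path, token=None):
    """Return (HTTP status, body); a 401 means the token was missing or unknown."""
    req = urllib.request.Request(base + path, headers={TOKEN_HDR: token} if token else {})
    try:
        with NO_PROXY.open(req, timeout=2) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, ""
```

A detector written for IMDSv1 sees only the 401 from the tokenless GET, so it has to treat that status as "metadata service present, token required" rather than "not running on EC2".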