In order to see the security credentials, you must launch an instance with an
IAM role attached (--iam-instance-profile). Otherwise they do not show up in
the metadata service.
Ubuntu cloud-init did not actually show this bug because it read and stored
a version of the metadata service (2009-04-04) that does not have the iam/
credentials.
This can be verified simply by:
$ sudo python3 -c 'from cloudinit.stages import _pkl_load as pl; import pprint;
pprint.pprint(pl("/var/lib/cloud/instance/obj.pkl").metadata)'
{'ami-id': 'ami-78b7166e',
'ami-launch-index': '0',
'ami-manifest-path': '(unknown)',
'block-device-mapping': {'ami': '/dev/sda1', 'root': '/dev/sda1'},
'hostname': 'ip-10-0-0-160',
'instance-action': 'none',
'instance-id': 'i-00e90430c5dbe321c',
'instance-type': 't2.micro',
'local-hostname': 'ip-10-0-0-160',
'local-ipv4': '10.0.0.160',
'placement': {'availability-zone': 'us-east-1b'},
'profile': 'default-hvm',
'public-hostname': b'',
'public-ipv4': '54.86.100.172',
'public-keys': {'brickies': ['ssh-rsa '
'AAAAB3NzaC1yc2EAAAABIwAAAQEA3I7VUf2l5gSn5uavROsc5HRDpZdQueUq5ozemNSj8T7enqKHOEaFoU2VoPgGEWC9RyzSQVeyD6s7APMcE82EtmW4skVEgEGSbDc1pvxzxtchBj78hJP6Cf5TCMFSXw+Fz5rF1dR23QDbN1mkHs7adr8GW4kSWqU7Q7NDwfIrJJtO7Hi42GyXtvEONHbiRPOe8stqUly7MvUoN+5kfjBM8Qqpfl2+FNhTYWpMfYdPUnE7u536WqzFmsaqJctz3gBxH9Ex7dFtrxR4qiqEr9Qtlu3xGn7Bw07/+i1D+ey3ONkZLN+LQ714cgj8fRS4Hj29SCmXp5Kt5/82cD/VN3NtHw==
'
'brickies']},
'reservation-id': 'r-07f18d71dc1ebd0ab',
'security-groups': 'wide-open'}
However, the get_instance_metadata() function would show the
credentials.
$ python3 -c 'from cloudinit import ec2_utils;
print(ec2_utils.get_instance_metadata("latest")["iam"])'
{'info': {'InstanceProfileArn':
'arn:aws:iam::950047163771:instance-profile/smtest-ec2-ro',
'InstanceProfileId': 'AIPAJ7VG3LHE4JOYDGNG6', 'Code': 'Success', 'LastUpdated':
'2017-03-08T19:14:59Z'}, 'security-credentials': {'smtest-ec2-ro': {'Token':
'FQoDY...Bxgu=', 'AccessKeyId': 'XXXXXXXXXXXXXXXXXXXX', 'Expiration':
'2017-03-09T01:43:31Z', 'Code': 'Success', 'SecretAccessKey':
'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', 'Type': 'AWS-HMAC', 'LastUpdated':
'2017-03-08T19:14:40Z'}}}
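A defender-side check for the caching behaviour described above, added here as an example and not part of the bug comment or of cloud-init's own code: it walks a metadata dict shaped like the two outputs quoted (the sample dicts below are constructed, with fake values), reports the paths of any live credential fields, and returns a copy with the whole iam/security-credentials subtree removed so that it can be persisted safely.

```python
import copy
from typing import Any, Dict, List, Tuple

# Field names that hold secrets in the EC2 iam/security-credentials document,
# matching the keys visible in the get_instance_metadata("latest")["iam"] output.
SECRET_KEYS = {"AccessKeyId", "SecretAccessKey", "Token"}


def find_secrets(obj: Any, path: Tuple[str, ...] = ()) -> List[str]:
    """Recursively walk nested dicts/lists; return '/'-joined paths of non-empty secrets."""
    hits: List[str] = []
    if isinstance(obj, dict):
        for key, val in obj.items():
            if key in SECRET_KEYS and isinstance(val, str) and val:
                hits.append("/".join(path + (key,)))
            else:
                hits.extend(find_secrets(val, path + (str(key),)))
    elif isinstance(obj, (list, tuple)):
        for idx, val in enumerate(obj):
            hits.extend(find_secrets(val, path + (str(idx),)))
    return hits


def scrub_credentials(metadata: Dict[str, Any]) -> Dict[str, Any]:
    """Return a deep copy with iam/security-credentials dropped; iam/info is kept."""
    scrubbed = copy.deepcopy(metadata)
    iam = scrubbed.get("iam")
    if isinstance(iam, dict):
        iam.pop("security-credentials", None)
    return scrubbed


# Constructed samples (fake values) mirroring the shapes shown in the comment.
CACHED_2009 = {"instance-id": "i-00e90430c5dbe321c", "hostname": "ip-10-0-0-160"}
LATEST = {
    "instance-id": "i-00e90430c5dbe321c",
    "iam": {
        "info": {"InstanceProfileArn": "arn:aws:iam::123456789012:instance-profile/example",
                 "Code": "Success"},
        "security-credentials": {"example": {
            "AccessKeyId": "AKIAEXAMPLEKEY", "SecretAccessKey": "fake-secret",
            "Token": "fake-token", "Expiration": "2017-03-09T01:43:31Z",
            "Type": "AWS-HMAC", "Code": "Success"}},
    },
}

if __name__ == "__main__":
    print("2009-04-04-style cache:", find_secrets(CACHED_2009))
    print("latest:", find_secrets(LATEST))
    print("after scrub:", find_secrets(scrub_credentials(LATEST)))
```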
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1638312
Title:
EC2 credentials are cached on disk
--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs