[
https://issues.apache.org/jira/browse/KUDU-3644?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Alexey Serbin updated KUDU-3644:
--------------------------------
Description:
The original implementation of Kudu's VM instance detection in AWS public cloud
targeted EC2 Instance Metadata Service v1 (IMDSv1), but for a few years already
only IMDSv2 is available for a newly created VM in EC2. The IMDSv2 API
requires authentication for all the calls to the metadata service.
It's necessary to update the implementation to take care of this. Essentially,
it's necessary to first acquire an authn token via issuing a preliminary HTTP
PUT request, and supply the token with all requests to the instance metadata
service.
This is how it works in a command line session using curl, as described at [1]
{noformat}
TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token"; -H
"X-aws-ec2-metadata-token-ttl-seconds: 21600"`
curl http://169.254.169.254/latest/meta-data/profile -H
"X-aws-ec2-metadata-token: $TOKEN"
{noformat}
Without an authn token, the current implementation receives HTTP 401 response
while trying to fetch instance-id from IMDS, similar to what's reported at [2].
For more details, see [3].
#
[https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/|https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/].
# [I am getting 401 - Unauthorized when I hit meta-data
API|https://repost.aws/questions/QUnvPR1W46TS6wQWdf1sK82w/i-am-getting-401-unauthorized-when-i-hit-meta-data-api]
# [Use instance metadata to manage your EC2
instance|https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html]
was:
The original implementation of Kudu's VM instance detection in AWS public cloud
targeted EC2 Instance Metadata Service v1 (IMDSv1), but for a few years already
only IMDSv2 is available for a newly created VM in EC2. The IMDSv2 API
requires authentication for all the calls to the metadata service.
It's necessary to update the implementation to take care of this. Essentially,
it's necessary to first acquire an authn token via issuing a preliminary HTTP
PUT request, and supply the token with all requests to the instance metadata
service.
This is how it works in a command line session using curl, as described at [1]
{noformat}
TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token"; -H
"X-aws-ec2-metadata-token-ttl-seconds: 21600"`
curl http://169.254.169.254/latest/meta-data/profile -H
"X-aws-ec2-metadata-token: $TOKEN"
{noformat}
Without an authn token, the current implementation receives HTTP 401 response
while trying to fetch instance-id from IMDS, similar to what's reported at [2].
#
[https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/|https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/].
# [I am getting 401 - Unauthorized when I hit meta-data
API|https://repost.aws/questions/QUnvPR1W46TS6wQWdf1sK82w/i-am-getting-401-unauthorized-when-i-hit-meta-data-api]
> Update VM instance detector to handle AWS IMDSv2
> ------------------------------------------------
>
> Key: KUDU-3644
> URL: https://issues.apache.org/jira/browse/KUDU-3644
> Project: Kudu
> Issue Type: Improvement
> Components: ntp-client
> Reporter: Alexey Serbin
> Priority: Major
>
> The original implementation of Kudu's VM instance detection in AWS public
> cloud targeted EC2 Instance Metadata Service v1 (IMDSv1), but for a few years
> already only IMDSv2 is available for a newly created VM in EC2. The IMDSv2
> API requires authentication for all the calls to the metadata service.
> It's necessary to update the implementation to take care of this.
> Essentially, it's necessary to first acquire an authn token via issuing a
> preliminary HTTP PUT request, and supply the token with all requests to the
> instance metadata service.
> This is how it works in a command line session using curl, as described at [1]
> {noformat}
> TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token"; -H
> "X-aws-ec2-metadata-token-ttl-seconds: 21600"`
> curl http://169.254.169.254/latest/meta-data/profile -H
> "X-aws-ec2-metadata-token: $TOKEN"
> {noformat}
> Without an authn token, the current implementation receives HTTP 401 response
> while trying to fetch instance-id from IMDS, similar to what's reported at
> [2]. For more details, see [3].
> #
> [https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/|https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/].
> # [I am getting 401 - Unauthorized when I hit meta-data
> API|https://repost.aws/questions/QUnvPR1W46TS6wQWdf1sK82w/i-am-getting-401-unauthorized-when-i-hit-meta-data-api]
> # [Use instance metadata to manage your EC2
> instance|https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html]
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
