
Commit 4886ffc

Merge pull request #5015 from aws/feat-disableimdsv1config
add configs to disable imdsv1 fallback
2 parents 78aeb73 + 2ad137a commit 4886ffc

7 files changed

+113
-1
lines changed


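--- a/CHANGELOG_PENDING.md
+++ b/CHANGELOG_PENDING.md
@@ -1,5 +1,7 @@
 ### SDK Features
 
 ### SDK Enhancements
+* `aws/ec2metadata`: Added environment and shared config support for disabling IMDSv1 fallback.
+* Use env `AWS_EC2_METADATA_V1_DISABLED` or shared config `ec2_metadata_v1_disabled` accordingly.
 
 ### SDK Bugs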

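--- a/aws/session/env_config.go
+++ b/aws/session/env_config.go
@@ -171,6 +171,12 @@ type envConfig struct {
 // AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE=IPv6
 EC2IMDSEndpointMode endpoints.EC2IMDSEndpointModeState
 
+// Specifies that IMDS clients should not fallback to IMDSv1 if token
+// requests fail.
+//
+// AWS_EC2_METADATA_V1_DISABLED=true
+EC2IMDSv1Disabled *bool
+
 // Specifies that SDK clients must resolve a dual-stack endpoint for
 // services.
 //
@@ -251,6 +257,9 @@ var (
 ec2IMDSEndpointModeEnvKey = []string{
 "AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE",
 }
+ec2MetadataV1DisabledEnvKey = []string{
+"AWS_EC2_METADATA_V1_DISABLED",
+}
 useCABundleKey = []string{
 "AWS_CA_BUNDLE",
 }
@@ -393,6 +402,7 @@ func envConfigLoad(enableSharedConfig bool) (envConfig, error) {
 if err := setEC2IMDSEndpointMode(&cfg.EC2IMDSEndpointMode, ec2IMDSEndpointModeEnvKey); err != nil {
 return envConfig{}, err
 }
+setBoolPtrFromEnvVal(&cfg.EC2IMDSv1Disabled, ec2MetadataV1DisabledEnvKey)
 
 if err := setUseDualStackEndpointFromEnvVal(&cfg.UseDualStackEndpoint, awsUseDualStackEndpoint); err != nil {
 return cfg, err
@@ -414,6 +424,24 @@ func setFromEnvVal(dst *string, keys []string) {
 }
 }
 
+func setBoolPtrFromEnvVal(dst **bool, keys []string) {
+for _, k := range keys {
+value := os.Getenv(k)
+if len(value) == 0 {
+continue
+}
+
+switch {
+case strings.EqualFold(value, "false"):
+*dst = new(bool)
+**dst = false
+case strings.EqualFold(value, "true"):
+*dst = new(bool)
+**dst = true
+}
+}
+}
+
 func setEC2IMDSEndpointMode(mode *endpoints.EC2IMDSEndpointModeState, keys []string) error {
 for _, k := range keys {
 value := os.Getenv(k)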
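Review bot: setBoolPtrFromEnvVal (new lines 427-443) silently drops any value that is neither `true` nor `false`, so a mistyped `AWS_EC2_METADATA_V1_DISABLED=1` leaves `EC2IMDSv1Disabled` nil and IMDSv1 fallback stays enabled, the opposite of what the operator asked for; the neighbouring setEC2IMDSEndpointMode and setUseDualStackEndpointFromEnvVal (both partly outside the hunk) return an error instead, and their calls at new lines 402-408 are checked. Suggest a `default` case that returns an error, with the call at new line 405 checked the same way; env_config_test.go case 35 currently pins the silent behaviour and would become `WantErr: true`. The loop also keeps scanning after a value is accepted, so with more than one key the last one set would win rather than the first, which is harmless with the single key declared at new line 260 but worth an explicit return. fmt is already used by this file for the other env-var errors.
```go
func setBoolPtrFromEnvVal(dst **bool, keys []string) error {
	// … unchanged: loop over keys, skip empty values, true/false cases …
		default:
			return fmt.Errorf("invalid value for environment variable, %s=%s, need true or false", k, value)
		}
		return nil // first key carrying a value wins
	}
	return nil
}

// call site in envConfigLoad:
if err := setBoolPtrFromEnvVal(&cfg.EC2IMDSv1Disabled, ec2MetadataV1DisabledEnvKey); err != nil {
	return envConfig{}, err
}
```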

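--- a/aws/session/env_config_test.go
+++ b/aws/session/env_config_test.go
@@ -9,6 +9,7 @@ import (
 "strconv"
 "testing"
 
+"github.com/aws/aws-sdk-go/aws"
 "github.com/aws/aws-sdk-go/aws/credentials"
 "github.com/aws/aws-sdk-go/aws/endpoints"
 "github.com/aws/aws-sdk-go/awstesting"
@@ -467,6 +468,35 @@ func TestLoadEnvConfig(t *testing.T) {
 },
 WantErr: true,
 },
+33: {
+Env: map[string]string{
+"AWS_EC2_METADATA_V1_DISABLED": "fAlSe",
+},
+Config: envConfig{
+SharedCredentialsFile: shareddefaults.SharedCredentialsFilename(),
+SharedConfigFile: shareddefaults.SharedConfigFilename(),
+EC2IMDSv1Disabled: aws.Bool(false),
+},
+},
+34: {
+Env: map[string]string{
+"AWS_EC2_METADATA_V1_DISABLED": "tRuE",
+},
+Config: envConfig{
+SharedCredentialsFile: shareddefaults.SharedCredentialsFilename(),
+SharedConfigFile: shareddefaults.SharedConfigFilename(),
+EC2IMDSv1Disabled: aws.Bool(true),
+},
+},
+35: {
+Env: map[string]string{
+"AWS_EC2_METADATA_V1_DISABLED": "invalid",
+},
+Config: envConfig{
+SharedCredentialsFile: shareddefaults.SharedCredentialsFilename(),
+SharedConfigFile: shareddefaults.SharedConfigFilename(),
+},
+},
 }
 
 for i, c := range cases {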

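--- a/aws/session/session.go
+++ b/aws/session/session.go
@@ -779,6 +779,14 @@ func mergeConfigSrcs(cfg, userCfg *aws.Config,
 cfg.EndpointResolver = wrapEC2IMDSEndpoint(cfg.EndpointResolver, ec2IMDSEndpoint, endpointMode)
 }
 
+cfg.EC2MetadataEnableFallback = userCfg.EC2MetadataEnableFallback
+if cfg.EC2MetadataEnableFallback == nil && envCfg.EC2IMDSv1Disabled != nil {
+cfg.EC2MetadataEnableFallback = aws.Bool(!*envCfg.EC2IMDSv1Disabled)
+}
+if cfg.EC2MetadataEnableFallback == nil && sharedCfg.EC2IMDSv1Disabled != nil {
+cfg.EC2MetadataEnableFallback = aws.Bool(!*sharedCfg.EC2IMDSv1Disabled)
+}
+
 cfg.S3UseARNRegion = userCfg.S3UseARNRegion
 if cfg.S3UseARNRegion == nil {
 cfg.S3UseARNRegion = &envCfg.S3UseARNRegion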
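Review bot: New lines 782-788 map two "disabled" inputs onto aws.Config's "enable" field with a negation and a three-level precedence, and nothing at the site says so; the inversion is easy to misread on a later edit, and this is the setting that decides whether a client can be downgraded to IMDSv1 when token requests fail. Suggest a comment above new line 782: `// IMDSv1 fallback: an explicit aws.Config value wins, then AWS_EC2_METADATA_V1_DISABLED, then the profile's ec2_metadata_v1_disabled. Both external sources are "disabled" flags, hence the negation; nil leaves the ec2metadata client's own default.` Note that because the profile is consulted only when the env value is nil, an env value the parser rejects (see setBoolPtrFromEnvVal in env_config.go) silently falls through to the profile. mergeConfigSrcs begins and ends outside the hunk.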

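--- a/aws/session/shared_config.go
+++ b/aws/session/shared_config.go
@@ -80,6 +80,9 @@ const (
 // EC2 IMDS Endpoint
 ec2MetadataServiceEndpointKey = "ec2_metadata_service_endpoint"
 
+// ECS IMDSv1 disable fallback
+ec2MetadataV1DisabledKey = "ec2_metadata_v1_disabled"
+
 // Use DualStack Endpoint Resolution
 useDualStackEndpoint = "use_dualstack_endpoint"
 
@@ -179,6 +182,12 @@ type sharedConfig struct {
 // ec2_metadata_service_endpoint=http://fd00:ec2::254
 EC2IMDSEndpoint string
 
+// Specifies that IMDS clients should not fallback to IMDSv1 if token
+// requests fail.
+//
+// ec2_metadata_v1_disabled=true
+EC2IMDSv1Disabled *bool
+
 // Specifies that SDK clients must resolve a dual-stack endpoint for
 // services.
 //
@@ -434,6 +443,7 @@ func (cfg *sharedConfig) setFromIniFile(profile string, file sharedConfigFile, e
 ec2MetadataServiceEndpointModeKey, file.Filename, err)
 }
 updateString(&cfg.EC2IMDSEndpoint, section, ec2MetadataServiceEndpointKey)
+updateBoolPtr(&cfg.EC2IMDSv1Disabled, section, ec2MetadataV1DisabledKey)
 
 updateUseDualStackEndpoint(&cfg.UseDualStackEndpoint, section, useDualStackEndpoint)
 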

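--- a/aws/session/shared_config_test.go
+++ b/aws/session/shared_config_test.go
@@ -11,6 +11,7 @@ import (
 "strings"
 "testing"
 
+"github.com/aws/aws-sdk-go/aws"
 "github.com/aws/aws-sdk-go/aws/credentials"
 "github.com/aws/aws-sdk-go/aws/endpoints"
 "github.com/aws/aws-sdk-go/internal/ini"
@@ -411,6 +412,30 @@ func TestLoadSharedConfig(t *testing.T) {
 Profile: "sso-session-not-exist",
 Err: fmt.Errorf("failed to find SSO session section, sso-session-lost"),
 },
+{
+Filenames: []string{testConfigFilename},
+Profile: "ec2-metadata-v1-disabled-false",
+Expected: sharedConfig{
+Profile: "ec2-metadata-v1-disabled-false",
+EC2IMDSv1Disabled: aws.Bool(false),
+},
+},
+{
+Filenames: []string{testConfigFilename},
+Profile: "ec2-metadata-v1-disabled-true",
+Expected: sharedConfig{
+Profile: "ec2-metadata-v1-disabled-true",
+EC2IMDSv1Disabled: aws.Bool(true),
+},
+},
+{
+Filenames: []string{testConfigFilename},
+Profile: "ec2-metadata-v1-disabled-invalid",
+Expected: sharedConfig{
+Profile: "ec2-metadata-v1-disabled-invalid",
+EC2IMDSv1Disabled: aws.Bool(false),
+},
+},
 }
 
 for i, c := range cases {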

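--- a/aws/session/testdata/shared_config
+++ b/aws/session/testdata/shared_config
@@ -203,4 +203,13 @@ sso_registration_scopes = sso:account:access
 region = us-east-1
 sso_session = sso-session-lost
 sso_account_id = 123456789012
-sso_role_name = testRole
+sso_role_name = testRole
+
+[profile ec2-metadata-v1-disabled-false]
+ec2_metadata_v1_disabled=False
+
+[profile ec2-metadata-v1-disabled-true]
+ec2_metadata_v1_disabled=True
+
+[profile ec2-metadata-v1-disabled-invalid]
+ec2_metadata_v1_disabled=invalid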
