  1. Facter
  2. FACT-3042

Facter should retrieve EC2 metadata using IMDSv2 without requiring user configuration


    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: FACT 4.0.47
    • Fix Version/s: FACT 4.2.1
    • Component/s: None
    • Team:
      Night's Watch
    • Story Points:
      2
    • Sprint:
      NW - 2021-06-02
    • Release Notes:
      Enhancement
    • Release Notes Summary:
      Change the way Facter retrieves ec2_metadata by favoring IMDSv2 over IMDSv1. This is achieved by trying to retrieve an AWS token and adding it to the X-aws-ec2-metadata-token header. If the token cannot be retrieved, IMDSv1 is used.
    • QA Risk Assessment:
      Needs Assessment

      Description

      FACT-2306 introduced support for v2 of the EC2 Instance Metadata Service. However, this support has to be explicitly enabled by setting the AWS_IMDSv2 environment variable to true.

      The environment variable requirement creates two points of friction:

      • Using an environment variable instead of an entry in the Facter configuration makes it easy to get differing behavior depending on execution context. The environment that the puppet service receives is configured with a different set of files from that of a user shell, which leads to inconsistent behavior.
      • Requiring an environment variable makes AWS instances with HttpTokens=required special in that they require post-installation configuration that existing installation methods, like the puppet_agent module or PE install scripts, do not automate.

      If possible, Facter should use IMDSv2 automatically when available. Otherwise, Facter should allow IMDSv2 to be controlled by a configuration setting.
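
The token-first lookup that the release note describes, sketched as an added example (this is not Facter's own code). The method names `imds_token`, `ec2_metadata` and `fake_imds`, the 60-second token TTL, the token string and the instance ID are assumptions constructed for illustration; the transport is injectable so the example runs offline.

```ruby
require 'net/http'

IMDS_HOST        = '169.254.169.254'
TOKEN_PATH       = '/latest/api/token'
TOKEN_TTL_HEADER = 'X-aws-ec2-metadata-token-ttl-seconds'
TOKEN_HEADER     = 'X-aws-ec2-metadata-token'

# Real transport, returns [status, body]; short timeouts for use outside EC2.
NET_HTTP = lambda do |verb, path, headers|
  Net::HTTP.start(IMDS_HOST, 80, open_timeout: 1, read_timeout: 1) do |conn|
    res = conn.send_request(verb, path, nil, headers)
    [res.code.to_i, res.body.to_s]
  end
end

# IMDSv2 step 1: PUT for a session token (assumed 60 s TTL); nil if unavailable.
def imds_token(http)
  status, token = http.call('PUT', TOKEN_PATH, { TOKEN_TTL_HEADER => '60' })
  status == 200 && !token.empty? ? token : nil
rescue StandardError
  nil
end

# Token-first lookup: send the token header when one was obtained, otherwise
# fall back to a plain IMDSv1 GET. Returns the body, or nil on any failure.
def ec2_metadata(path, http: NET_HTTP)
  token = imds_token(http)
  headers = token ? { TOKEN_HEADER => token } : {}
  status, body = http.call('GET', "/latest/meta-data/#{path}", headers)
  status == 200 ? body : nil
rescue StandardError
  nil
end

# Constructed stand-in for the metadata service so the example runs offline.
# tokens_required mirrors HttpTokens=required: tokenless GETs get a 401.
def fake_imds(tokens_required:, v2_available: true)
  lambda do |verb, path, headers|
    if verb == 'PUT' && path == TOKEN_PATH
      v2_available ? [200, 'constructed-token'] : [404, '']
    elsif tokens_required && headers[TOKEN_HEADER] != 'constructed-token'
      [401, '']
    else
      [200, 'i-0123456789abcdef0'] # constructed instance ID
    end
  end
end

puts ec2_metadata('instance-id', http: fake_imds(tokens_required: true))
```

On an instance with HttpTokens=required, the IMDSv1 fallback cannot return data: if the token request fails, the tokenless GET is rejected and the lookup yields `nil`.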

              People

              Assignee:
              gheorghe.popescu Gheorghe Popescu
              Reporter:
              chuck Charlie Sharpsteen