|
|
@ -209,75 +209,33 @@ _use_container_role() { |
|
|
|
_use_instance_role() { |
|
|
|
# https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html |
|
|
|
# https://aws.amazon.com/blogs/security/get-the-full-benefits-of-imdsv2-and-disable-imdsv1-across-your-aws-infrastructure/ |
|
|
|
_url="http://169.254.169.254/latest/meta-data/" |
|
|
|
_response=$(curl --write-out "%{http_code}\n" -s -HEAD $_url) |
|
|
|
_debug "_response" "$_response" |
|
|
|
if [ "$_response" -eq "401" ]; then |
|
|
|
_use_imdsv2_instance_role |
|
|
|
else |
|
|
|
_use_imdsv1_instance_role |
|
|
|
_instance_role_name_url="http://169.254.169.254/latest/meta-data/iam/security-credentials/" |
|
|
|
#_response=$(curl --write-out "%{http_code}\n" -s -HEAD $_url) |
|
|
|
if _get "$_instance_role_name_url" true 1 | _head_n 1 | grep -Fq 401; then |
|
|
|
_debug "Using IMDSv2" |
|
|
|
_token_url="http://169.254.169.254/latest/api/token" |
|
|
|
export _H1="X-aws-ec2-metadata-token-ttl-seconds: 21600" |
|
|
|
_token="$(_post "" "$_token_url" "" "PUT")" |
|
|
|
_debug "_token" "$_token" |
|
|
|
if [ -z "$_token" ]; then |
|
|
|
_debug "Unable to fetch IMDSv2 token from instance metadata" |
|
|
|
return 1 |
|
|
|
fi |
|
|
|
export _H1="X-aws-ec2-metadata-token: $_token" |
|
|
|
fi |
|
|
|
} |
|
|
|
|
|
|
|
_use_imdsv2_instance_role() { |
|
|
|
_request_token_url="http://169.254.169.254/latest/api/token" |
|
|
|
_instance_role_url="http://169.254.169.254/latest/meta-data/iam" |
|
|
|
_request_token="$(curl -s -X PUT "$_request_token_url" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")" |
|
|
|
_debug "_request_token" "$_request_token" |
|
|
|
if [ -z "$_request_token" ]; then |
|
|
|
_debug "Unable to fetch IMDSv2 token from instance metadata" |
|
|
|
if ! _get "$_instance_role_name_url" true 1 | _head_n 1 | grep -Fq 200; then |
|
|
|
_debug "Unable to fetch IAM role from instance metadata" |
|
|
|
return 1 |
|
|
|
fi |
|
|
|
_instance_role_name="$(curl -s -H "X-aws-ec2-metadata-token: $_request_token" http://169.254.169.254/latest/meta-data/iam/security-credentials/)" |
|
|
|
_instance_role_name=$(_get "$_instance_role_name_url" "" 1) |
|
|
|
_debug "_instance_role_name" "$_instance_role_name" |
|
|
|
if [ -z "$_instance_role_name" ]; then |
|
|
|
_debug "Unable to fetch instance role name from instance metadata" |
|
|
|
return 1 |
|
|
|
fi |
|
|
|
_use_metadata_imdsv2 "http://169.254.169.254/latest/meta-data/iam/security-credentials/$_instance_role_name" "$_request_token" |
|
|
|
} |
|
|
|
|
|
|
|
_use_metadata_imdsv2() { |
|
|
|
_aws_creds="$( |
|
|
|
curl -s -H "X-aws-ec2-metadata-token: $2" "$1" | |
|
|
|
_normalizeJson | |
|
|
|
tr '{,}' '\n' | |
|
|
|
while read -r _line; do |
|
|
|
_key="$(echo "${_line%%:*}" | tr -d '"')" |
|
|
|
_value="${_line#*:}" |
|
|
|
_debug3 "_key" "$_key" |
|
|
|
_secure_debug3 "_value" "$_value" |
|
|
|
case "$_key" in |
|
|
|
AccessKeyId) echo "AWS_ACCESS_KEY_ID=$_value" ;; |
|
|
|
SecretAccessKey) echo "AWS_SECRET_ACCESS_KEY=$_value" ;; |
|
|
|
Token) echo "AWS_SESSION_TOKEN=$_value" ;; |
|
|
|
esac |
|
|
|
done | |
|
|
|
paste -sd' ' - |
|
|
|
)" |
|
|
|
_secure_debug "_aws_creds" "$_aws_creds" |
|
|
|
|
|
|
|
if [ -z "$_aws_creds" ]; then |
|
|
|
return 1 |
|
|
|
fi |
|
|
|
|
|
|
|
eval "$_aws_creds" |
|
|
|
_using_role=true |
|
|
|
} |
|
|
|
|
|
|
|
_use_imdsv1_instance_role() { |
|
|
|
_url="http://169.254.169.254/latest/meta-data/iam/security-credentials/" |
|
|
|
_debug "_url" "$_url" |
|
|
|
if ! _get "$_url" true 1 | _head_n 1 | grep -Fq 200; then |
|
|
|
_debug "Unable to fetch IAM role from instance metadata" |
|
|
|
return 1 |
|
|
|
fi |
|
|
|
_aws_role=$(_get "$_url" "" 1) |
|
|
|
_debug "_aws_role" "$_aws_role" |
|
|
|
_use_metadata_imdsv1 "$_url$_aws_role" |
|
|
|
_use_metadata "$_instance_role_name_url$_instance_role_name" "$_token" |
|
|
|
} |
|
|
|
|
|
|
|
_use_metadata_imdsv1() { |
|
|
|
_use_metadata() { |
|
|
|
export _H1="X-aws-ec2-metadata-token: $2" |
|
|
|
_aws_creds="$( |
|
|
|
_get "$1" "" 1 | |
|
|
|
_normalizeJson | |
|
|
|