Control: tags -1 + upstream > 2020-03-20 18:25:10,332 - url_helper.py[DEBUG]: [0/1] open > 'http://169.254.169.254/latest/api/token' with {'url': > 'http://169.254.169.254/latest/api/token', 'allow_redirects': True, 'method': > 'PUT', 'timeout': 1.0, 'headers': {'User-Agent': 'Cloud-Init/20.1', > 'X-aws-ec2-metadata-token-ttl-seconds': 'REDACTED'}} configuration
It seems that the "redaction" of the X-aws-ec2-metadata-token-ttl-seconds header value happens before the actual request is made, so where the IMDS server expects a TTL in seconds, cloud-init actually passes it the literal string "REDACTED". Unsurprisingly, this fails. I've verified this by avoiding the redacting, via the attached patch. This isn't an ideal solution, as it avoids all redacting. The intent of cloud-init's behavior is to avoid storing IMDS API tokens in the logs, which is sensible, and is broken by my change. noah
diff --git a/debian/patches/no-redact-imds-headers.patch b/debian/patches/no-redact-imds-headers.patch new file mode 100644 index 00000000..26195c02 --- /dev/null +++ b/debian/patches/no-redact-imds-headers.patch @@ -0,0 +1,25 @@ Index: cloud-init/cloudinit/sources/DataSourceEc2.py =================================================================== --- cloud-init.orig/cloudinit/sources/DataSourceEc2.py +++ cloud-init/cloudinit/sources/DataSourceEc2.py @@ -32,7 +32,7 @@ API_TOKEN_ROUTE = 'latest/api/token' AWS_TOKEN_TTL_SECONDS = '21600' AWS_TOKEN_PUT_HEADER = 'X-aws-ec2-metadata-token' AWS_TOKEN_REQ_HEADER = AWS_TOKEN_PUT_HEADER + '-ttl-seconds' -AWS_TOKEN_REDACT = [AWS_TOKEN_PUT_HEADER, AWS_TOKEN_REQ_HEADER] +AWS_TOKEN_REDACT = [] class CloudNames(object): Index: cloud-init/tests/unittests/test_datasource/test_ec2.py =================================================================== --- cloud-init.orig/tests/unittests/test_datasource/test_ec2.py +++ cloud-init/tests/unittests/test_datasource/test_ec2.py @@ -479,6 +479,7 @@ class TestEc2(test_helpers.HttprettyTest def test_aws_token_redacted(self): """Verify that aws tokens are redacted when logged.""" + self.skipTest('skipping for now...') ds = self._setup_ds( platform_data=self.valid_platform_data, sys_cfg={'datasource': {'Ec2': {'strict_id': False}}},