On Tue, Sep 02, 2025 at 09:21:13AM +0100, kuLa wrote:
> > Under "normal" circumstances, anyone has access to a VM's metadata. It'd
> > be nice to restrict access to it for only the VM (ie: do not accept
> > forwarding) and only from root. This could be done this way:
>
> From my experience, not only root needs access to metadata; there is potentially
> a whole host of scripts and automation on the user side using it as well.
My feeling is that access to IMDS is a matter of policy that should be left to the administrator responsible for the deployment. As long as we provide a decent mechanism to control this policy, which we do in the form of cloud-init's "Disable EC2 Instance Metadata Service" module, we're good. (I realize that this doesn't do exactly what was proposed; if admins want finer-grained control, they do still have other mechanisms like runcmd or custom scripting.)

There is potentially a discussion to be had about the *default* policy that we want to apply in our images. I'd welcome that discussion, but that'd be a forky change. Changing it at this point in the trixie lifecycle would be too disruptive.

noah
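For comparison, here is what the two mechanisms mentioned above look like in a cloud-config, as an added example that is not from this thread nor from the Debian cloud images: the coarse cloud-init module, and the finer-grained "root only, no forwarding" policy from the original proposal implemented through runcmd. The nftables rule set is my own construction, and 169.254.169.254 is assumed to be the IMDS endpoint; pick one of the two options, not both.

```yaml
#cloud-config
# Option 1 (coarse): cloud-init's disable_ec2_metadata module cuts off the
# IMDS address for every process on the instance, root included. Commented
# out here so that it does not conflict with option 2 below.
#disable_ec2_metadata: true

# Option 2 (finer-grained, via runcmd): keep IMDS reachable, but only for
# root on this VM, and never for traffic the VM forwards on behalf of
# containers or nested guests (the "do not accept forwarding" part).
# Constructed nftables rules; adjust the table/chain names to taste.
runcmd:
  - nft add table inet imds
  # Locally generated traffic: drop anything to IMDS not owned by uid 0.
  # If user-side automation needs IMDS too (kuLa's point), widen the set,
  # e.g. "meta skuid != { 0, 1001 }" for a hypothetical uid 1001.
  - "nft add chain inet imds output '{ type filter hook output priority 0; policy accept; }'"
  - nft add rule inet imds output ip daddr 169.254.169.254 meta skuid != 0 drop
  # Forwarded traffic: nothing passing through this VM may reach IMDS.
  - "nft add chain inet imds forward '{ type filter hook forward priority 0; policy accept; }'"
  - nft add rule inet imds forward ip daddr 169.254.169.254 drop
```

Verifying the policy from a non-root shell is just a matter of checking that the IMDS request fails while the same request as root succeeds; `nft list table inet imds` shows the rules that were installed.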
