IMDSv2 Support

chocecil · July 21, 2023, 9:50am

I am writing to inquire about the support of IMDSv2 through instance profiles in Discourse. We are in the process of migrating our service to use IMDSv2, as IMDSv1 is not an secure option.

We would like to understand if Discourse currently supports IMDSv2 through instance profiles and if not, what are the plans to support it in the near future. Additionally, are there any workarounds or patches available that would allow us to use IMDSv2 with Discourse?

It is important for us to ensure that our security requirements are met, and we believe that using temporary credentials through IMDSv2 is a critical aspect of that.

Desired behavior for accessing security credentials provided through the instance profile is

An application on the instance retrieves the security credentials provided by the role from the instance metadata item iam/security-credentials/ role-name.
The application is granted the permissions for the actions and resources that we have defined for the role through the security credentials associated with the role. These security credentials are temporary and are rotated automatically. We make new credentials available at least five minutes before the expiration of the old credentials.

We have noted that there are differences between the IMDSv1 and IMDSv2 calls.

IMDSv1 call:

curl http://169.254.169.254/latest/meta-data/iam/security-credentials/s3access

While the IMDSv2 call requires the use of a metadata token, and can be made using the following commands:

TOKEN=`curl -X PUT "<http://169.254.169.254/latest/api/token>" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` \\\\\\\\
&& curl -H "X-aws-ec2-metadata-token: $TOKEN" -v <http://169.254.169.254/latest/meta-data/iam/security-credentials/s3access>

We would appreciate any information you can provide on how we can use IMDSv2 with Discourse, or if there are any workarounds or patches available.

Reference:

IMDSv2 Migration : Transition to using Instance Metadata Service Version 2 - Amazon Elastic Compute Cloud

pfaffman · July 21, 2023, 7:01pm

I’m not aware of any way that Discourse itself uses IMDS. Have you installed Discourse on AWS somehow? Are you somehow using IMDSv1 with Discourse already?

What is your use case?

chocecil · July 21, 2023, 7:47pm

I found one related code.

github.com

discourse/discourse/blob/v3.1.0.beta5/spec/lib/s3_helper_spec.rb#L39


      
                </Rule>
              </LifecycleConfiguration>
            XML
          end
          
          it "can correctly set the purge policy" do
            SiteSetting.s3_configure_tombstone_policy = true
          
            stub_request(
              :get,
              "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
            ).to_return(status: 404, body: "", headers: {})
          
            stub_request(
              :get,
              "https://bob.s3.#{SiteSetting.s3_region}.amazonaws.com/?lifecycle",
            ).to_return(status: 200, body: @lifecycle, headers: {})
          
            stub_request(:put, "https://bob.s3.#{SiteSetting.s3_region}.amazonaws.com/?lifecycle")
              .with do |req|
                hash = Hash.from_xml(req.body.to_s)

supermathie · July 25, 2023, 7:32pm

This is in the testing spec.

Discourse uses a version of the AWS SDK (3.130.2) above the minimum required to support IMDSv2 and from what I can tell looking at the MetadataNoToken metric in our AWS deployments, we have no calls to IMDSv1.

From what I can tell we’re already using IMDSv2 everywhere.

Hans_Homan · July 10, 2024, 7:30am

We started using Discourse on an AWS EC2 instance a year ago. And this week we updated our instance to only use IMDSv2, this broke our AWS S3 uploads with the error message “unable to sign request without credentials set”. We also utilise the “s3 use iam profile” setting.

The local IMDS service is used by Discourse to get credentials for doing other AWS related service API calls. This is done using Ruby aws-sdk-s3

github.com

discourse/discourse/blob/c9775d5f728b5383ea21281470a0e0032cb5e992/Gemfile.lock#L69


      
          aws-eventstream (1.3.0)
          aws-partitions (1.894.0)
          aws-sdk-core (3.191.3)
            aws-eventstream (~> 1, >= 1.3.0)
            aws-partitions (~> 1, >= 1.651.0)
            aws-sigv4 (~> 1.8)
            jmespath (~> 1, >= 1.6.1)
          aws-sdk-kms (1.77.0)
            aws-sdk-core (~> 3, >= 3.191.0)
            aws-sigv4 (~> 1.1)
          aws-sdk-s3 (1.143.0)
            aws-sdk-core (~> 3, >= 3.191.0)
            aws-sdk-kms (~> 1)
            aws-sigv4 (~> 1.8)
          aws-sdk-sns (1.72.0)
            aws-sdk-core (~> 3, >= 3.191.0)
            aws-sigv4 (~> 1.1)
          aws-sigv4 (1.8.0)
            aws-eventstream (~> 1, >= 1.0.2)
          base64 (0.2.0)
          better_errors (2.10.1)

nskerl · August 8, 2024, 5:36pm

We are also seeing this backup issue after disabling IMDSv1 due to security reasons.

We can see the use of IMDSv1 (in 3.3.0.beta1-dev) via the MetadataNoToken metric, so we are wondering what version of Discourse switched to using v2 everywhere?

Topic		Replies	Views
Discourse instance unreachable on AWS support	29	3807	April 30, 2019
OAuth2 and Microsoft ADFS support	15	7695	October 19, 2021
Configure Discourse - Environment AWS Linux 2 AMI and Apache2 (httpd) installation advanced-setup	3	1907	July 7, 2023
Configure Discourse to use a separate PostgreSQL server Self-Hosting how-to	42	26116	December 22, 2023
Support for running on Apple M1 feature	8	752	June 14, 2022

IMDSv2 Support

Related Topics