I am writing to inquire about the support of IMDSv2 through instance profiles in Discourse. We are in the process of migrating our service to use IMDSv2, as IMDSv1 is not a secure option.
We would like to understand if Discourse currently supports IMDSv2 through instance profiles and if not, what are the plans to support it in the near future. Additionally, are there any workarounds or patches available that would allow us to use IMDSv2 with Discourse?
It is important for us to ensure that our security requirements are met, and we believe that using temporary credentials through IMDSv2 is a critical aspect of that.
Desired behavior for accessing security credentials provided through the instance profile is:

- An application on the instance retrieves the security credentials provided by the role from the instance metadata item `iam/security-credentials/role-name`.
- The application is granted the permissions for the actions and resources that we have defined for the role through the security credentials associated with the role. These security credentials are temporary and are rotated automatically. We make new credentials available at least five minutes before the expiration of the old credentials.
We have noted that there are differences between the IMDSv1 and IMDSv2 calls.
IMDSv1 call:

```bash
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/s3access
```

The IMDSv2 call, on the other hand, requires the use of a metadata token, and can be made using the following commands:

```bash
TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` \
&& curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/meta-data/iam/security-credentials/s3access
```
We would appreciate any information you can provide on how we can use IMDSv2 with Discourse, or if there are any workarounds or patches available.
Reference:
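The two-step exchange described in the post (PUT a session token, then GET the role's credentials with that token) and the rotation rule quoted above (new credentials at least five minutes before the old ones expire) are shown below as an added example in Ruby, Discourse's language. This is not Discourse code and not the AWS SDK's credential provider; the class and method names (`Imdsv2Credentials`, `NetHttpTransport`, `FakeImds`), the 300-second refresh window and the constructed fake metadata responses (including the `ASIAEXAMPLEKEY…` values) are assumptions made for the example. The endpoint, paths, headers and the `s3access` role name match the curl calls in the post.

```ruby
require 'json'
require 'net/http'
require 'time'
require 'uri'

IMDS_BASE = 'http://169.254.169.254'.freeze
TOKEN_PATH = '/latest/api/token'.freeze
CREDS_PATH = '/latest/meta-data/iam/security-credentials/'.freeze
TOKEN_TTL_SECONDS = 21_600       # same TTL as the post's curl call
REFRESH_WINDOW_SECONDS = 300     # assumed: rotate 5 min before expiry, the guarantee quoted in the post

# Real transport to the link-local endpoint. Short timeouts so a blocked or
# disabled IMDS fails fast instead of hanging the caller.
class NetHttpTransport
  def put(path, headers) = request(Net::HTTP::Put, path, headers)
  def get(path, headers) = request(Net::HTTP::Get, path, headers)

  private

  def request(klass, path, headers)
    uri = URI.join(IMDS_BASE, path)
    req = klass.new(uri)
    headers.each { |k, v| req[k] = v }
    res = Net::HTTP.start(uri.host, uri.port, open_timeout: 1, read_timeout: 1) { |h| h.request(req) }
    [res.code.to_i, res.body.to_s]
  end
end

# Hypothetical credential provider: IMDSv2 token first, credentials second,
# refreshed inside the five-minute window before Expiration.
class Imdsv2Credentials
  attr_reader :token, :creds

  def initialize(role_name, transport: NetHttpTransport.new, clock: -> { Time.now })
    @role_name, @transport, @clock = role_name, transport, clock
    @token = @token_expires_at = @creds = nil
  end

  # Step 1: PUT /latest/api/token with the TTL header. This is the call an
  # IMDSv1-only client never makes, so its later GETs are refused.
  def fetch_token
    status, body = @transport.put(TOKEN_PATH,
      'X-aws-ec2-metadata-token-ttl-seconds' => TOKEN_TTL_SECONDS.to_s)
    raise "IMDSv2 token request failed (HTTP #{status})" unless status == 200
    @token_expires_at = @clock.call + TOKEN_TTL_SECONDS
    @token = body
  end

  def credentials
    refresh! if stale?
    @creds
  end

  def stale?
    @creds.nil? || @clock.call >= @creds[:expiration] - REFRESH_WINDOW_SECONDS
  end

  # Step 2: GET iam/security-credentials/<role> with the token header.
  def refresh!
    fetch_token if @token.nil? || @clock.call >= @token_expires_at - 60
    status, body = @transport.get(CREDS_PATH + @role_name, 'X-aws-ec2-metadata-token' => @token)
    raise "credential fetch failed (HTTP #{status})" unless status == 200
    doc = JSON.parse(body)
    raise "IMDS returned Code=#{doc['Code']}" unless doc['Code'] == 'Success'
    @creds = { access_key_id: doc['AccessKeyId'], secret_access_key: doc['SecretAccessKey'],
               session_token: doc['Token'], expiration: Time.iso8601(doc['Expiration']) }
  end
end

# Constructed stand-in for the metadata service so this runs offline. It
# enforces the v2 rule: a GET without a token it issued gets 401.
class FakeImds
  attr_reader :credential_reads

  def initialize(expires_at)   # lambda returning the Expiration to hand out
    @expires_at, @tokens, @credential_reads = expires_at, {}, 0
  end

  def put(path, headers)
    return [404, ''] unless path == TOKEN_PATH
    return [400, ''] unless headers['X-aws-ec2-metadata-token-ttl-seconds']
    tok = "token-#{@tokens.size + 1}"
    @tokens[tok] = true
    [200, tok]
  end

  def get(path, headers)
    return [401, ''] unless @tokens[headers['X-aws-ec2-metadata-token']]
    return [404, ''] unless path == CREDS_PATH + 's3access'
    @credential_reads += 1
    [200, JSON.generate('Code' => 'Success',
                        'AccessKeyId' => "ASIAEXAMPLEKEY#{@credential_reads}",  # constructed value
                        'SecretAccessKey' => 'constructed-secret',
                        'Token' => 'constructed-session-token',
                        'Expiration' => @expires_at.call.utc.iso8601)]
  end
end

if __FILE__ == $PROGRAM_NAME
  # On a real instance: Imdsv2Credentials.new('s3access').credentials
  now = Time.utc(2024, 1, 1, 12, 0, 0)
  provider = Imdsv2Credentials.new('s3access', transport: FakeImds.new(-> { now + 3600 }), clock: -> { now })
  puts provider.credentials[:access_key_id]
  now += 3400   # inside the five-minute window: a second read rotates the keys
  puts provider.credentials[:access_key_id]
end
```

The clock and transport are injected so the rotation logic can be exercised without touching 169.254.169.254; the `FakeImds` responses carry the same `Code`, `AccessKeyId`, `SecretAccessKey`, `Token` and `Expiration` fields that the real `iam/security-credentials/<role>` document returns. Whatever Discourse's bundled S3 client does internally, this is the minimum a client must do to read instance-profile credentials once IMDSv1 is disabled.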