I am writing to inquire about the support of IMDSv2 through instance profiles in Discourse. We are in the process of migrating our service to use IMDSv2, as IMDSv1 is not an secure option.
We would like to understand if Discourse currently supports IMDSv2 through instance profiles and if not, what are the plans to support it in the near future. Additionally, are there any workarounds or patches available that would allow us to use IMDSv2 with Discourse?
It is important for us to ensure that our security requirements are met, and we believe that using temporary credentials through IMDSv2 is a critical aspect of that.
Desired behavior for accessing security credentials provided through the instance profile is
An application on the instance retrieves the security credentials provided by the role from the instance metadata item iam/security-credentials/role-name.
The application is granted the permissions for the actions and resources that we have defined for the role through the security credentials associated with the role. These security credentials are temporary and are rotated automatically. We make new credentials available at least five minutes before the expiration of the old credentials.
We have noted that there are differences between the IMDSv1 and IMDSv2 calls.
I’m not aware of any way that Discourse itself uses IMDS. Have you installed Discourse on AWS somehow? Are you somehow using IMDSv1 with Discourse already?
Discourse uses a version of the AWS SDK (3.130.2) above the minimum required to support IMDSv2 and from what I can tell looking at the MetadataNoToken metric in our AWS deployments, we have no calls to IMDSv1.
From what I can tell we’re already using IMDSv2 everywhere.
We started using Discourse on an AWS EC2 instance a year ago. And this week we updated our instance to only use IMDSv2, this broke our AWS S3 uploads with the error message “unable to sign request without credentials set”. We also utilise the “s3 use iam profile” setting.
The local IMDS service is used by Discourse to get credentials for doing other AWS related service API calls. This is done using Ruby aws-sdk-s3
We are also seeing this backup issue after disabling IMDSv1 due to security reasons.
We can see the use of IMDSv1 (in 3.3.0.beta1-dev) via the MetadataNoToken metric, so we are wondering what version of Discourse switched to using v2 everywhere?
We too were bitten by this today once we changed our AWS instance to use IMDSv2 only: our users could no longer upload images to S3.
Probably relevant here: we are also using the s3 use iam profile option.
For now we switched it to “Optional” which basically means IMDSv1 is still enabled which isn’t the best security wise, but that made uploads work again.