Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

AWS EC2 IMDS Traits #2505

Open
commiterate opened this issue Feb 4, 2025 · 0 comments
Open

AWS EC2 IMDS Traits #2505

commiterate opened this issue Feb 4, 2025 · 0 comments
Labels
feature-request A feature should be added or improved.

Comments

@commiterate
Copy link

commiterate commented Feb 4, 2025
edited
Loading

Overview

Add an aws.auth#imdsv2 trait.

An aws.protocols#imds trait is up in the air since the IMDS response format is all over the place (some are text/plain responses, some are newline-separate values, some are OpenSSH authorized key files, some are JSON).

IMDSv2 uses a session token that requests include in the X-aws-ec2-metadata-token HTTP header.

Background

Offshoot from aws/aws-cli#9266.

The AWS SDKs implement an IMDS client. This is used to support IMDS region + credentials providers.

Each SDK needs to implement these by hand instead of auto-generating them.

Some AWS SDKs expose the IMDS client to let users make IMDS calls without having to worry about fetching + caching session tokens. For example:

The idea is for the IMDS client to be auto-generated like all other AWS services so users can use any AWS SDK or the AWS CLI to handle IMDS session token caching while making direct IMDS calls.

Modeling IMDS in Smithy is a separate thing and probably tricky to do since IMDS categories have no associated operation name like AWS services, though all of them can be Get* operations (the only PUT operation is to get an IMDSv2 session token) since IMDS is read-only.

Endpoint distribution is also a bit weird since IMDS is an IPv4 link local address (169.254.169.254) or IPv6 unique local address ([fd00:ec2::254]) depending on the VPC and ENI configuration, not a DNS name (e.g. ec2.amazonaws.com). Might be fine if this can just piggyback on logic handling AWS service single + dual-stack DNS names.

This endpoint situation gets weirder with other AWS compute environment metadata services like the Lambda runtime, extension, and telemetry APIs (base endpoint exposed as an environment variable).

(cc: @Lu-David @LikithaVemulapalli who maintain aws/amazon-ec2-metadata-mock for EC2 Nitro IMDS side discussions. Not sure if the public-facing IMDS API definitions are kept with the other EC2 Nitro card microservice API definitions. Should be an internal discussion)
@commiterate commiterate mentioned this issue Feb 6, 2025
Open
@yefrig yefrig added the feature-request A feature should be added or improved. label Feb 10, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
feature-request A feature should be added or improved.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@yefrig @commiterate