IMDSv2 in yum (Amazon Linux 2)



We're trying to track down and eliminate usage of the old instance metadata service (IMDSv1) on our instances so that we can set the metadata options to require HTTP tokens going forward. Using newer AMIs or updating packages like cloud-init takes care of most of it, but there was still one stubborn case coming from yum.

We have installed yum-3.4.3-158.amzn2.0.4.noarch which seems to be the latest available.
In /usr/lib/python2.7/site-packages/yum/, in the function _get_instance_info, it requests the INSTANCE_IDENTITY_URI without first generating a token and providing the X-aws-ec2-metadata-token header.

Does anyone know if there is an updated version that supports IMDSv2? Or somewhere I could contribute a patch? Or any other workaround?


asked 2 years ago · 96 views
3 Answers
Accepted Answer

Hi chadawagner, thanks for the report.

Switching your instances to IMDSv2-only will not break yum, since this is an optional code path that has a fallback.

If you want, you can disable this code by setting report_instanceid=no in /etc/yum.repos.d/amzn2-core.repo, which should cause yum to avoid making requests without tokens. We'll work on an update to yum to fix this.

Thanks for using Amazon Linux!

answered 2 years ago

Thanks! I won't worry about it then, good to know. I'll turn off the instance reporting so that I can continue to monitor the MetadataNoToken metric in CloudWatch.

answered 2 years ago

Unfortunately the "report_instanceid=no" setting doesn't seem to be disabling it. I'll go ahead and patch my local file to disable the tokenless queries.

Edit: oops, I had missed the amzn2-graphics.repo config file on GPU instance. That ought to do it...

Edited by: chadawagner on Aug 12, 2020 10:05 PM

answered 2 years ago
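Added example, not code from this thread or from the Amazon Linux yum package: a POSIX shell script that puts the two halves of the thread side by side. The first two functions make the token-first IMDSv2 request that the asker found _get_instance_info skipping; the rest audit and flip report_instanceid across every .repo file in the directory rather than only amzn2-core.repo, because the amzn2-graphics.repo on the GPU instance in the thread carried its own copy of the setting. Assumptions: IMDS is reachable at 169.254.169.254, and each reporting repo section carries a literal report_instanceid=<value> line (files that never set the key are left alone; the yum default applies to them).

```shell
#!/bin/sh
# Added example (not from the re:Post thread or from Amazon Linux's yum).
# Assumptions: IMDS at 169.254.169.254; repo files carry a literal
# "report_instanceid=<value>" line in each section that reports.

IMDS_BASE=${IMDS_BASE:-http://169.254.169.254}

# IMDSv2: a PUT to the token endpoint returns a session token, and every later
# GET must carry it in X-aws-ec2-metadata-token. A tokenless GET gets a 401 on
# an IMDSv2-only instance, and on an instance that still allows IMDSv1 it is
# what the MetadataNoToken CloudWatch metric counts.
imds_token() {
    curl -sSf -X PUT "$IMDS_BASE/latest/api/token" \
        -H "X-aws-ec2-metadata-token-ttl-seconds: 60"
}

# The document yum fetches (INSTANCE_IDENTITY_URI), requested the IMDSv2 way.
instance_identity_document() {
    tok=$(imds_token) || return 1
    curl -sSf -H "X-aws-ec2-metadata-token: $tok" \
        "$IMDS_BASE/latest/dynamic/instance-identity/document"
}

# Print the value of the first report_instanceid line in FILE (empty if absent).
report_instanceid_value() {
    sed -nE 's/^[[:space:]]*report_instanceid[[:space:]]*=[[:space:]]*([^[:space:]]*).*$/\1/p' "$1" \
        | head -n 1
}

# List every *.repo under DIR (default /etc/yum.repos.d) that still reports.
# Returns 1 if any were found, so it can gate a config-management run.
list_reporting_repos() {
    dir=${1:-/etc/yum.repos.d}
    found=0
    for f in "$dir"/*.repo; do
        [ -f "$f" ] || continue
        case "$(report_instanceid_value "$f")" in
            yes|1|true|on) printf '%s\n' "$f"; found=1 ;;
        esac
    done
    [ "$found" -eq 0 ]
}

# Rewrite every report_instanceid line under DIR to "no". Files that never set
# the key are untouched. Uses a temp file plus mv instead of sed -i so it runs
# on any POSIX sed.
disable_instanceid_reporting() {
    dir=${1:-/etc/yum.repos.d}
    for f in "$dir"/*.repo; do
        [ -f "$f" ] || continue
        grep -qE '^[[:space:]]*report_instanceid[[:space:]]*=' "$f" || continue
        tmp="$f.tmp.$$"
        sed -E 's/^([[:space:]]*report_instanceid[[:space:]]*=[[:space:]]*).*$/\1no/' "$f" > "$tmp" \
            && mv "$tmp" "$f"
    done
}

# Usage on an instance (as root):  sh imds_yum.sh audit | fix | identity
case ${1:-} in
    audit)    list_reporting_repos ;;
    fix)      disable_instanceid_reporting && list_reporting_repos ;;
    identity) instance_identity_document ;;
esac
```

Run `audit` before and after switching an instance to IMDSv2-only: an empty listing and a zero exit means no repo file will trigger the tokenless request, which is the condition under which the MetadataNoToken metric is worth watching for other callers.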
