Add support for IMDSv2 for AWS instance metadata calls #24592
Comments
sc0ttbeardsley
added
enhancement
|
/assign |
|
We would like to address this post #11816 (starting Jan 23) to remove libcurl. Let us know if that timeline sounds ok. We have the code change that does IMDSv2 using curl, but not upstream that change yet since libcurl is planned to be deprecated soon. Please feel free to ping me on Envoy slack (suniltheta@) for further clarifications. |
|
thanks @suniltheta that works for me |
mattklein123
added
help wanted
|
Hi @mattklein123, happy new year! I am still working on removing libcurl usage. Got the http async client change to work with lambda & request signing filter extensions but I am blocked on the final part to get that change work with IAM gRPC plugin, which I am going to work on next. Meanwhile, I though it is better to get this IMDSv2 support #24747 since this is a security feature and the change to remove libcurl might take some time to stabilize and be bug free. I would like to get your review on the above PR. Thanks. |
Title: Add support for IMDSv2 for AWS instance metadata calls
Description:
Currently the AWS credentials provider uses IMDSv1 (a request/response method) but IMDSv2 (a session-oriented method) is substantially more secure, as it prevents SSRF attacks on the metadata service.
Relevant Links:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html
cc @JuniorHsu @PeterL328 @fishcakez
The text was updated successfully, but these errors were encountered: