From 8f10d0eb1e33d38ab6e89015a903620c54edd7c1 Mon Sep 17 00:00:00 2001
From: Oyvind Albrigtsen
Date: Fri, 13 Nov 2020 16:36:20 +0100
Subject: [PATCH] AWS agents: add support for IMDSv2
---
 heartbeat/aws-vpc-move-ip | 5 +++--
 heartbeat/aws-vpc-route53.in | 3 ++-
 heartbeat/awseip | 9 +++++----
 heartbeat/awsvip | 7 ++++---
 4 files changed, 14 insertions(+), 10 deletions(-)
diff --git a/heartbeat/aws-vpc-move-ip b/heartbeat/aws-vpc-move-ip
index 72a89ecb1..cbb629b00 100755
--- a/heartbeat/aws-vpc-move-ip
+++ b/heartbeat/aws-vpc-move-ip
@@ -215,7 +215,8 @@ ec2ip_validate() {
 return $OCF_ERR_CONFIGURED
 fi
- EC2_INSTANCE_ID="$(curl -s http://169.254.169.254/latest/meta-data/instance-id)"
+ TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
+ EC2_INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id -H "X-aws-ec2-metadata-token: $TOKEN")
 if [ -z "${EC2_INSTANCE_ID}" ]; then
 ocf_exit_reason "Instance ID not found. Is this a EC2 instance?"
@@ -329,7 +330,7 @@ ec2ip_get_instance_eni() {
 fi
 ocf_log debug "MAC address associated with interface ${OCF_RESKEY_interface}: ${MAC_ADDR}"
- cmd="curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC_ADDR}/interface-id"
+ cmd="curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC_ADDR}/interface-id -H \"X-aws-ec2-metadata-token: $TOKEN\""
 ocf_log debug "executing command: $cmd"
 EC2_NETWORK_INTERFACE_ID="$(eval $cmd)"
 rc=$?
diff --git a/heartbeat/aws-vpc-route53.in b/heartbeat/aws-vpc-route53.in
index b06b93726..4fb17019b 100644
--- a/heartbeat/aws-vpc-route53.in
+++ b/heartbeat/aws-vpc-route53.in
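Review bot: The new `TOKEN=$(curl -X PUT ...)` line in ec2ip_validate() has no failure handling: it lacks the `-s` that every other curl call in these agents uses (its progress meter goes to stderr and from there into the agent log), it sets no timeout, and its result is never checked, so a failed PUT leaves TOKEN empty and the instance-id request below is sent with an empty (or, depending on curl's handling of a valueless header, no) token header. On an instance that requires IMDSv2 that request fails, and any error body curl prints is not caught by the `-z "${EC2_INSTANCE_ID}"` test because it is non-empty; where IMDSv1 is still allowed the request presumably succeeds unauthenticated and hides the problem. I would give the PUT `-s --max-time 5`, give the GET `-f` so an error status yields an empty string, and fail validation when the token is empty, as below; ec2ip_validate() continues outside the hunk. The same unchecked token fetch appears in the aws-vpc-route53.in hunk at @@ -347, the awseip hunk at @@ -244 and the awsvip hunk at @@ -206.
```shell
    TOKEN=$(curl -s --max-time 5 -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
    if [ -z "${TOKEN}" ]; then
        ocf_exit_reason "Could not obtain an IMDSv2 token from the instance metadata service"
        return $OCF_ERR_GENERIC
    fi
    EC2_INSTANCE_ID=$(curl -sf --max-time 5 http://169.254.169.254/latest/meta-data/instance-id -H "X-aws-ec2-metadata-token: $TOKEN")
    # … unchanged: -z "${EC2_INSTANCE_ID}" check and exit reason …
```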
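Review bot: The rewritten `cmd=` line in ec2ip_get_instance_eni() embeds `$TOKEN` and escaped quotes into a string that is later run through `eval $cmd`, which doubles the quoting a reader has to follow and re-parses the token value as shell text; calling curl directly, `EC2_NETWORK_INTERFACE_ID=$(curl -s "http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC_ADDR}/interface-id" -H "X-aws-ec2-metadata-token: $TOKEN")`, drops the eval while the debug line can log the URL instead of the full command. TOKEN here is a plain variable assigned in ec2ip_validate() in the previous hunk, so this function presumably relies on validation having run earlier in the same process; a short comment such as `# TOKEN is obtained by ec2ip_validate()` above the request would make that dependency visible. ec2ip_get_instance_eni() starts and ends outside the hunk.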
@@ -347,7 +347,8 @@ r53_monitor() {
 _get_ip() {
 case $OCF_RESKEY_ip in
 local|public)
- IPADDRESS="$(curl -s http://169.254.169.254/latest/meta-data/${OCF_RESKEY_ip}-ipv4)";;
+ TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
+ IPADDRESS=$(curl -s http://169.254.169.254/latest/meta-data/${OCF_RESKEY_ip}-ipv4 -H "X-aws-ec2-metadata-token: $TOKEN");;
 *.*.*.*)
 IPADDRESS="${OCF_RESKEY_ip}";;
 esac
diff --git a/heartbeat/awseip b/heartbeat/awseip
index 445a03666..de1967774 100755
--- a/heartbeat/awseip
+++ b/heartbeat/awseip
@@ -149,12 +149,12 @@ awseip_start() {
 awseip_monitor && return $OCF_SUCCESS
 if [ -n "${PRIVATE_IP_ADDRESS}" ]; then
- NETWORK_INTERFACES_MACS="$(curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/)"
+ NETWORK_INTERFACES_MACS=$(curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/ -H "X-aws-ec2-metadata-token: $TOKEN")
 for MAC in ${NETWORK_INTERFACES_MACS}; do
- curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC}/local-ipv4s |
+ curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC}/local-ipv4s -H "X-aws-ec2-metadata-token: $TOKEN" |
 grep -q "^${PRIVATE_IP_ADDRESS}$"
 if [ $? -eq 0 ]; then
- NETWORK_ID="$(curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC}/interface-id)"
+ NETWORK_ID=$(curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC}/interface-id -H "X-aws-ec2-metadata-token: $TOKEN")
 fi
 done
 $AWSCLI --profile $OCF_RESKEY_profile ec2 associate-address \
@@ -244,7 +244,8 @@ AWSCLI="${OCF_RESKEY_awscli}"
 ELASTIC_IP="${OCF_RESKEY_elastic_ip}"
 ALLOCATION_ID="${OCF_RESKEY_allocation_id}"
 PRIVATE_IP_ADDRESS="${OCF_RESKEY_private_ip_address}"
-INSTANCE_ID="$(curl -s http://169.254.169.254/latest/meta-data/instance-id)"
+TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
+INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id -H "X-aws-ec2-metadata-token: $TOKEN")
 case $__OCF_ACTION in
 start)
diff --git a/heartbeat/awsvip b/heartbeat/awsvip
index 3eb31e6ae..8050107e8 100755
--- a/heartbeat/awsvip
+++ b/heartbeat/awsvip
@@ -206,9 +206,10 @@ esac
 AWSCLI="${OCF_RESKEY_awscli}"
 SECONDARY_PRIVATE_IP="${OCF_RESKEY_secondary_private_ip}"
-INSTANCE_ID="$(curl -s http://169.254.169.254/latest/meta-data/instance-id)"
-MAC_ADDRESS="$(curl -s http://169.254.169.254/latest/meta-data/mac)"
-NETWORK_ID="$(curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC_ADDRESS}/interface-id)"
+TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
+INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id -H "X-aws-ec2-metadata-token: $TOKEN")
+MAC_ADDRESS=$(curl -s http://169.254.169.254/latest/meta-data/mac -H "X-aws-ec2-metadata-token: $TOKEN")
+NETWORK_ID=$(curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC_ADDRESS}/interface-id -H "X-aws-ec2-metadata-token: $TOKEN")
 case $__OCF_ACTION in
 start)
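Review bot: In the awsvip hunk the new MAC_ADDRESS value is interpolated into the URL of the NETWORK_ID request on the next line without being checked, and since none of the three GETs uses `-f`, an error response (for example when the token PUT above them failed and the instance requires IMDSv2) is stored as the MAC address and then sent as part of the next URL path, leaving NETWORK_ID holding an error body rather than an interface id. Adding `-f` (and `--max-time`) to these curl calls makes failures produce empty strings, which the actions can then detect with a `-z` test before using the values. These assignments run at file scope before `case $__OCF_ACTION`, so any IMDS delay or failure is now paid on every action the agent is invoked with; a comment such as `# IMDSv2 token, TTL 21600s (6h); fetched once per agent invocation` above the TOKEN line would document that choice. The awseip hunk at @@ -244 shares the unchecked file-scope token fetch.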