Comment 12 for bug 1638312

Scott Moser (smoser) wrote :

In order to see the security credentials, you must launch an instance with
an IAM role attached (--iam-instance-profile). Otherwise they do not show up in the metadata service.

Ubuntu cloud-init did not actually show this bug because it read and stored
a version of the metadata service (2009-04-04) that does not have the iam/
credentials.

This can be verified simply by:
$ sudo python3 -c 'from cloudinit.stages import _pkl_load as pl; import pprint; pprint.pprint(pl("/var/lib/cloud/instance/obj.pkl").metadata)'
{'ami-id': 'ami-78b7166e',
 'ami-launch-index': '0',
 'ami-manifest-path': '(unknown)',
 'block-device-mapping': {'ami': '/dev/sda1', 'root': '/dev/sda1'},
 'hostname': 'ip-10-0-0-160',
 'instance-action': 'none',
 'instance-id': 'i-00e90430c5dbe321c',
 'instance-type': 't2.micro',
 'local-hostname': 'ip-10-0-0-160',
 'local-ipv4': '10.0.0.160',
 'placement': {'availability-zone': 'us-east-1b'},
 'profile': 'default-hvm',
 'public-hostname': b'',
 'public-ipv4': '54.86.100.172',
 'public-keys': {'brickies': ['ssh-rsa '
                              'AAAAB3NzaC1yc2EAAAABIwAAAQEA3I7VUf2l5gSn5uavROsc5HRDpZdQueUq5ozemNSj8T7enqKHOEaFoU2VoPgGEWC9RyzSQVeyD6s7APMcE82EtmW4skVEgEGSbDc1pvxzxtchBj78hJP6Cf5TCMFSXw+Fz5rF1dR23QDbN1mkHs7adr8GW4kSWqU7Q7NDwfIrJJtO7Hi42GyXtvEONHbiRPOe8stqUly7MvUoN+5kfjBM8Qqpfl2+FNhTYWpMfYdPUnE7u536WqzFmsaqJctz3gBxH9Ex7dFtrxR4qiqEr9Qtlu3xGn7Bw07/+i1D+ey3ONkZLN+LQ714cgj8fRS4Hj29SCmXp5Kt5/82cD/VN3NtHw== '
                              'brickies']},
 'reservation-id': 'r-07f18d71dc1ebd0ab',
 'security-groups': 'wide-open'}

However, the get_instance_metadata() function would show the credentials.

$ python3 -c 'from cloudinit import ec2_utils; print(ec2_utils.get_instance_metadata("latest")["iam"])'
{'info': {'InstanceProfileArn': 'arn:aws:iam::950047163771:instance-profile/smtest-ec2-ro', 'InstanceProfileId': 'AIPAJ7VG3LHE4JOYDGNG6', 'Code': 'Success', 'LastUpdated': '2017-03-08T19:14:59Z'}, 'security-credentials': {'smtest-ec2-ro': {'Token': 'FQoDY...Bxgu=', 'AccessKeyId': 'XXXXXXXXXXXXXXXXXXXX', 'Expiration': '2017-03-09T01:43:31Z', 'Code': 'Success', 'SecretAccessKey': 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', 'Type': 'AWS-HMAC', 'LastUpdated': '2017-03-08T19:14:40Z'}}}
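
Added example, not part of the comment above and not cloud-init code: a check that walks a crawled metadata dict of the shape shown in the two outputs, reports which key paths hold IAM credential values, and returns a copy with iam/security-credentials dropped before the dict is cached. The function names and sample dicts are hypothetical and constructed for illustration; handling of unparsed JSON text is an assumption about how a crawler might store the credentials document.

```python
import copy
import json

# Field names taken from the "latest" output shown above.
CREDENTIAL_FIELDS = {"AccessKeyId", "SecretAccessKey", "Token"}

def find_credential_paths(node, path=()):
    """Return sorted key paths in a crawled metadata dict that hold credential values."""
    if isinstance(node, str):
        # Assumption: a crawler may leave the credentials document as raw JSON text.
        try:
            node = json.loads(node)
        except ValueError:
            return []
    if not isinstance(node, dict):
        return []
    hits = []
    for key, value in node.items():
        here = path + (str(key),)
        if key in CREDENTIAL_FIELDS and value:
            hits.append("/".join(here))
        else:
            hits.extend(find_credential_paths(value, here))
    return sorted(hits)

def strip_credentials(metadata):
    """Return a deep copy without iam/security-credentials; iam/info is kept."""
    cleaned = copy.deepcopy(metadata)
    iam = cleaned.get("iam")
    if isinstance(iam, dict):
        iam.pop("security-credentials", None)
    return cleaned

# Constructed samples shaped like the two outputs above; all values are placeholders.
CACHED_2009_04_04 = {"instance-id": "i-EXAMPLE", "security-groups": "example-sg"}
CRAWLED_LATEST = {
    "instance-id": "i-EXAMPLE",
    "iam": {
        "info": {"Code": "Success"},
        "security-credentials": {"example-role": {
            "AccessKeyId": "PLACEHOLDER", "SecretAccessKey": "PLACEHOLDER",
            "Token": "PLACEHOLDER", "Type": "AWS-HMAC"}},
    },
}

if __name__ == "__main__":
    for name, md in (("2009-04-04", CACHED_2009_04_04), ("latest", CRAWLED_LATEST)):
        print(name, find_credential_paths(md), find_credential_paths(strip_credentials(md)))
```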