Comment 1 for bug 1865947

Revision history for this message
Chad Smith (chad.smith) wrote : Re: instance-data.json could contain security sensitive content

Validated current broken state if I follow this procedure:

1. Create and launch a VM using an IAM role (which exposes the 'security-credentials' metadata keys to the instance):

2. And then disable cloud-init's logic which skips 'security-credentials' when crawling IMDS

cat > enable-security-creds.patch <<EOF
ubuntu@ip-172-31-80-198:~$ diff -urN /usr/lib/python3/dist-packages/cloudinit/ /usr/lib/python3/dist-packages/cloudinit/
--- /usr/lib/python3/dist-packages/cloudinit/ 2020-03-03 23:13:02.791518559 +0000
+++ /usr/lib/python3/dist-packages/cloudinit/ 2020-03-03 23:12:46.679999055 +0000
@@ -85,8 +85,8 @@
             if not field or not field_name:
             # Don't materialize credentials
- if field_name == 'security-credentials':
- continue
+ #if field_name == 'security-credentials':
+ # continue
             if has_children(field):
                 if field_name not in children:
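Review bot: as pasted, this hunk will not apply with `patch -p1`: both `---`/`+++` headers end at `/usr/lib/python3/dist-packages/cloudinit/` with the file name missing, and the four `-`/`+` lines have lost the indentation that the surrounding `if` body has, so the context will not match. Behaviourally, commenting out the `continue` means the crawler now materializes the IAM `security-credentials` subtree into instance-data; that is intended here purely to reproduce the broken state, so it should never be left applied on a real instance, and the reproduction should be followed by the step 4 grep to confirm which of the two files ends up holding the value.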

scp enable-security-creds.patch ubuntu@<MY_EC2_IAM_VM>:.
ssh ubuntu@<MY_EC2_IAM_VM>
cd /
sudo patch -p1 < /home/ubuntu/enable-security-creds.patch

3. Reboot/rerun cloudinit
cloud-init clean --logs --reboot

4. sudo grep redacted /run/cloud-init/instance-data*
# Note redacted content should *not* be in instance-data-sensitive.json
/run/cloud-init/instance-data-sensitive.json: "security-credentials": "redacted for non-root user"
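The step 4 grep can be turned into a repeatable check. The following is an added example, not code from the bug report or from cloud-init: it walks both instance-data files and reports sensitive keys that are unredacted in the world-readable file, or that carry the redaction placeholder in the root-only file. The redaction marker and the `security-credentials` key come from the comment above; the `ds/meta-data/iam/...` nesting in the sample dicts is a constructed assumption.

```python
import json
from typing import Any, Dict, List, Tuple

# Values quoted in the comment above: the marker cloud-init writes for
# non-root readers and the IMDS key that holds IAM role credentials.
REDACTED = "redacted for non-root user"
SENSITIVE_KEYS = {"security-credentials"}


def _walk(node: Any, path: str = "") -> List[Tuple[str, Any]]:
    """Return (json_path, value) for every sensitive key in a parsed JSON tree."""
    found: List[Tuple[str, Any]] = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}/{key}"
            if key in SENSITIVE_KEYS:
                found.append((here, value))
            else:
                found.extend(_walk(value, here))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            found.extend(_walk(item, f"{path}[{i}]"))
    return found


def audit(world_readable: Dict[str, Any], root_only: Dict[str, Any]) -> Dict[str, List[str]]:
    """Compare the two instance-data files the way step 4 above does.

    'leaked'  : sensitive keys in instance-data.json whose value is not the marker.
    'missing' : sensitive keys in instance-data-sensitive.json that hold the marker
                (root should see the real value there, not the placeholder).
    """
    leaked = [p for p, v in _walk(world_readable) if v != REDACTED]
    missing = [p for p, v in _walk(root_only) if v == REDACTED]
    return {"leaked": leaked, "missing": missing}


def audit_files(public_path: str = "/run/cloud-init/instance-data.json",
                sensitive_path: str = "/run/cloud-init/instance-data-sensitive.json") -> Dict[str, List[str]]:
    """Run audit() on the on-disk files (reading the sensitive one needs root)."""
    with open(public_path) as pub, open(sensitive_path) as sens:
        return audit(json.load(pub), json.load(sens))


# Constructed samples (assumed key layout). BROKEN_SENSITIVE mirrors the step 4
# output: the root-only file carries the placeholder instead of real credentials.
BROKEN_SENSITIVE = {"ds": {"meta-data": {"iam": {"security-credentials": REDACTED}}}}
LEAKY_PUBLIC = {"ds": {"meta-data": {"iam": {"security-credentials": {"role": {"AccessKeyId": "EXAMPLE"}}}}}}
GOOD_PUBLIC = {"ds": {"meta-data": {"iam": {"security-credentials": REDACTED}}}}
```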