Disable IMDSV1 (#215)

awslabs · Nov 24, 2023 · 73517fe · 73517fe
1 parent 5fe4704
commit 73517fe
Show file tree

Hide file tree

Showing 4 changed files with 10 additions and 24 deletions.
diff --git a/Source/AwsCommonRuntimeKit/auth/credentials/CredentialsProvider.swift b/Source/AwsCommonRuntimeKit/auth/credentials/CredentialsProvider.swift
@@ -215,21 +215,20 @@ extension CredentialsProvider.Source {
     }
 
     /// Creates a credentials provider that sources credentials from ec2 instance metadata.
+    /// It will use IMDSv2 to fetch the credentials.
     ///
     /// - Parameters:
     ///   - bootstrap:  Connection bootstrap to use for any network connections made while sourcing credentials.
-    ///   - imdsVersion:  (Optional) Which version of the imds query protocol to use.
     ///   - shutdownCallback:  (Optional) shutdown callback
     /// - Returns: `CredentialsProvider`
     /// - Throws: CommonRuntimeError.crtError
     public static func `imds`(bootstrap: ClientBootstrap,
-                              imdsVersion: IMDSProtocolVersion = IMDSProtocolVersion.version2,
                               shutdownCallback: ShutdownCallback? = nil) -> Self {
         Self {
             let shutdownCallbackCore = ShutdownCallbackCore(shutdownCallback)
             var imdsOptions = aws_credentials_provider_imds_options()
             imdsOptions.bootstrap = bootstrap.rawValue
-            imdsOptions.imds_version = imdsVersion.rawValue
+            imdsOptions.ec2_metadata_v1_disabled = true
             imdsOptions.shutdown_options = shutdownCallbackCore.getRetainedCredentialProviderShutdownOptions()
             guard let provider = aws_credentials_provider_new_imds(allocator.rawValue,
                                                                    &imdsOptions)

diff --git a/Source/AwsCommonRuntimeKit/auth/imds/IMDSClient.swift b/Source/AwsCommonRuntimeKit/auth/imds/IMDSClient.swift
@@ -6,17 +6,22 @@ import AwsCAuth
 // swiftlint:disable type_body_length
 public class IMDSClient {
     let rawValue: OpaquePointer
+
+    /// Creates an IMDSClient that always uses IMDSv2
+    ///  - Parameters:
+    ///     - bootstrap: Connection bootstrap to use for any network connections
+    ///     - retryStrategy: RetryStrategy to use with the client
+    ///     - shutdownCallback:  (Optional) shutdown callback
     public init(bootstrap: ClientBootstrap,
                 retryStrategy: RetryStrategy,
-                protocolVersion: IMDSProtocolVersion = IMDSProtocolVersion.version2,
                 shutdownCallback: ShutdownCallback? = nil) throws {
         let shutdownCallbackCore = ShutdownCallbackCore(shutdownCallback)
         let shutdownOptions = shutdownCallbackCore.getRetainedIMDSClientShutdownOptions()
         var imdsOptions = aws_imds_client_options()
         imdsOptions.shutdown_options = shutdownOptions
         imdsOptions.bootstrap = bootstrap.rawValue
         imdsOptions.retry_strategy = retryStrategy.rawValue
-        imdsOptions.imds_version = protocolVersion.rawValue
+        imdsOptions.ec2_metadata_v1_disabled = true
         guard let rawValue = aws_imds_client_new(allocator.rawValue, &imdsOptions) else {
             shutdownCallbackCore.release()
             throw CommonRunTimeError.crtError(CRTError.makeFromLastError())

diff --git a/Source/AwsCommonRuntimeKit/auth/imds/IMDSProtocolVersion.swift b/Source/AwsCommonRuntimeKit/auth/imds/IMDSProtocolVersion.swift
diff --git a/aws-common-runtime/aws-c-auth b/aws-common-runtime/aws-c-auth
+5 −0		include/aws/auth/aws_imds_client.h
+5 −0		include/aws/auth/credentials.h
+34 −18		source/aws_imds_client.c
+1 −0		source/credentials_provider_imds.c
+1 −0		tests/CMakeLists.txt
+61 −9		tests/aws_imds_client_test.c