include AWS IAM role-name in ec2 plugin data #1524
Comments
kcbraunschweig added a commit to kcbraunschweig/ohai that referenced this issue, Oct 7, 2020 (Signed-off-by: KC Braunschweig <[email protected]>)
kcbraunschweig added a commit to kcbraunschweig/ohai that referenced this issue, Oct 7, 2020 (Signed-off-by: KC Braunschweig <[email protected]>)
kcbraunschweig added a commit to kcbraunschweig/ohai that referenced this issue, Oct 8, 2020 (Signed-off-by: KC Braunschweig <[email protected]>)
kcbraunschweig added a commit to kcbraunschweig/ohai that referenced this issue, Oct 8, 2020 (Signed-off-by: KC Braunschweig <[email protected]>)
kcbraunschweig added a commit to kcbraunschweig/ohai that referenced this issue, Oct 8, 2020 (Signed-off-by: KC Braunschweig <[email protected]>; Co-authored-by: pete higgins <[email protected]>)
tas50 added a commit that referenced this issue, Oct 14, 2020: Include IAM role in ec2 data (issue #1524)
Describe the Enhancement
Currently the ohai ec2 plugin reads from the AWS metadata service but strips out all IAM data to prevent leaking security credentials:
https://github.com/chef/ohai/blob/master/lib/ohai/plugins/ec2.rb#L123-L127
We should modify this slightly to still include the IAM role-name which is part of the metadata at:
iam/security-credentials/role-name
see: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-categories.html
Don't include the data returned in the document under role-name, as that actually includes credentials, but the name from the URL path should be fine.
Describe the Need
The role assigned to the host provides its identity and is likely to be used to make decisions about how to configure it.
Current Alternative
Currently this could be found in recipe code by either making HTTP calls to the metadata service during the run and parsing the response, or including the Ruby AWS SDK as a library and calling STS GetCallerIdentity, which includes role information.
Can We Help You Implement This?
This is a simple modification to the scope of the filtering based on the data already present. Creating an issue in case someone gets to it before me.
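The filtering change the issue proposes, shown as an added example in Ruby that is not ohai's own plugin code: the current behaviour drops the whole `iam` subtree, while the proposed behaviour keeps only the role names, taken from the path segment under `iam/security-credentials/`, and still discards the credential documents stored beneath them. The hash layout (`instance_id`, `iam`, `security-credentials`, `iam_role_names`) and the sample values are constructed for this example and are assumptions, not the plugin's actual key names.

```ruby
require "json"

# Constructed sample of a recursively fetched metadata tree. The nesting
# mirrors the documented path layout iam/info and
# iam/security-credentials/<role-name>; every value here is a placeholder.
SAMPLE_METADATA = {
  "instance_id" => "i-0123456789abcdef0",
  "iam" => {
    "info" => {
      "InstanceProfileArn" => "arn:aws:iam::123456789012:instance-profile/example-profile",
      "InstanceProfileId" => "AIPAEXAMPLEID",
    },
    "security-credentials" => {
      "example-role" => {
        "AccessKeyId" => "ASIAEXAMPLEKEY",
        "SecretAccessKey" => "EXAMPLE-SECRET",
        "Token" => "EXAMPLE-TOKEN",
        "Expiration" => "2020-10-07T00:00:00Z",
      },
    },
  },
}.freeze

# Current behaviour as the issue describes it: remove all IAM data, which
# also loses the role name.
def filter_iam_current(metadata)
  metadata.reject { |key, _| key == "iam" }
end

# Proposed behaviour: still remove the IAM subtree, but surface the role
# names. The names are the keys under security-credentials (the URL path);
# the credential documents that are their values are never copied.
def filter_iam_proposed(metadata)
  out = filter_iam_current(metadata)
  creds = metadata.dig("iam", "security-credentials")
  return out unless creds.is_a?(Hash)

  out["iam_role_names"] = creds.keys.sort # hypothetical output key
  out
end

# Keys whose presence anywhere in the output would mean credentials leaked.
CREDENTIAL_KEYS = %w[AccessKeyId SecretAccessKey Token].freeze

# Recursive check used to verify the filtered tree carries no credentials.
def contains_credentials?(obj)
  case obj
  when Hash
    obj.any? { |k, v| CREDENTIAL_KEYS.include?(k) || contains_credentials?(v) }
  when Array
    obj.any? { |v| contains_credentials?(v) }
  else
    false
  end
end

if __FILE__ == $PROGRAM_NAME
  puts JSON.pretty_generate(filter_iam_proposed(SAMPLE_METADATA))
end
```

The point of `contains_credentials?` is that a change to the filter's scope should be paired with a check that proves the thing the filter exists for (no `AccessKeyId`, `SecretAccessKey` or `Token` in node data) still holds after the role name is added.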