fix IAM role retrieval from IMDSv2

AWS IMDSv2 support was added in #1462, but the implementation did not cover the addional IMDS access that occurs with the iam_role=auto configuration. This change implements IMDSv2 support for the IMDS call to determine the instance's role name. See also https://stackoverflow.com/questions/69031023/how-to-make-s3fs-use-imds-v2-when-mounting-s3-buckets-from-ec2-instance
2024-06-07 11:30:49 +00:00 · 2021-09-02 09:40:35 -07:00 · 2021-09-02 09:40:35 -07:00 · 9d1552a54e
commit 9d1552a54e
parent 47ebfcc60a
1 changed files with 31 additions and 1 deletions
--- a/src/curl.cpp
+++ b/src/curl.cpp
@ -3188,11 +3188,41 @@ bool S3fsCurl::LoadIAMRoleFromMetaData()
    }

    // url
-    url             = std::string(S3fsCurl::IAM_cred_url);
+    if(is_ecs){
+        const char *env = std::getenv(ECS_IAM_ENV_VAR);
+        if(env == NULL){
+            S3FS_PRN_ERR("%s is not set.", ECS_IAM_ENV_VAR);
+            return -EIO;
+        }
+        url = std::string(S3fsCurl::IAM_cred_url) + env;
+    }else{
+        if(S3fsCurl::IAM_api_version > 1){
+            int result = GetIAMv2ApiToken();
+            if(-ENOENT == result){
+                // If we get a 404 back when requesting the token service,
+                // then it's highly likely we're running in an environment
+                // that doesn't support the AWS IMDSv2 API, so we'll skip
+                // the token retrieval in the future.
+                SetIMDSVersion(1);
+            }else if(result != 0){
+                // If we get an unexpected error when retrieving the API
+                // token, log it but continue.  Requirement for including
+                // an API token with the metadata request may or may not
+                // be enforced, so we should not abort here.
+                S3FS_PRN_ERR("AWS IMDSv2 token retrieval failed: %d", result);
+            }
+        }
+
+        url = std::string(S3fsCurl::IAM_cred_url);
+    }
    requestHeaders  = NULL;
    responseHeaders.clear();
    bodydata.Clear();

+    if(S3fsCurl::IAM_api_version > 1){
+        requestHeaders = curl_slist_sort_insert(requestHeaders, S3fsCurl::IAMv2_token_hdr.c_str(), S3fsCurl::IAMv2_api_token.c_str());
+    }
+
    if(CURLE_OK != curl_easy_setopt(hCurl, CURLOPT_URL, url.c_str())){
        return false;
    }