Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add log level check to gate IMDSv1 fallback warning #5131

Merged
merged 4 commits into from
Jan 5, 2024
Merged

Add log level check to gate IMDSv1 fallback warning #5131

merged 4 commits into from
Jan 5, 2024

Conversation

RanVaknin
Copy link
Contributor

@RanVaknin RanVaknin commented Jan 4, 2024
edited
Loading

Description
Addresses #5116
This PR updates the logging behavior in the EC2Metadata token provider (token_provider.go). It modifies the conditions under which the warning message about falling back to IMDSv1 is logged.

Changes
The warning "WARN: failed to get session token, falling back to IMDSv1" in the fetchTokenHandler method is now conditioned on the LogLevel being set to LogDebugWithDeprecated.
This update prevents the warning from being logged when the LogLevel is configured to suppress such messages.

Testing
This testing setup demonstrates the modified behavior of the EC2Metadata token provider, using a custom HTTP transport to simulate conditions that trigger a fallback to IMDSv1. The test verifies that the warning message is conditionally logged based on the LogLevel setting, ensuring it aligns with the configured log suppression.

package main

import (
	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/aws/credentials"
	"github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds"
	"github.com/aws/aws-sdk-go/aws/ec2metadata"
	"github.com/aws/aws-sdk-go/aws/session"
	"net/http"
)

// mock a response that would trigger IMDSv1 fallback
type CustomTransport struct {
	Transport http.RoundTripper
}

func (t *CustomTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	return &http.Response{
		StatusCode: http.StatusForbidden,
		Body:       http.NoBody,
		Header:     make(http.Header),
	}, nil
}

func main() {
	sess, _ := session.NewSession(&aws.Config{
		Region:   aws.String("us-east-1"),
		//LogLevel: aws.LogLevel(aws.LogDebugWithDeprecated), // would raise the warning
		LogLevel: aws.LogLevel(aws.LogOff), // would not raise this warning
		HTTPClient: &http.Client{
			Transport: &CustomTransport{Transport: http.DefaultTransport},
		},
	})
	ec2MetaClient := ec2metadata.New(sess, &aws.Config{})

	creds := credentials.NewCredentials(&ec2rolecreds.EC2RoleProvider{
		Client: ec2MetaClient,
	})

	_, _ = creds.Get()
}

@RanVaknin RanVaknin mentioned this pull request Jan 4, 2024
Closed
wty-Bryant
wty-Bryant requested changes Jan 4, 2024
View reviewed changes
CHANGELOG_PENDING.md Outdated Show resolved Hide resolved
@lucix-aws lucix-aws changed the title Add log level check to suprass warning Add log level check to gate IMDSv1 fallback warning Jan 4, 2024
@RanVaknin RanVaknin merged commit c40776d into aws:main Jan 5, 2024
9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lucix-aws lucix-aws lucix-aws approved these changes

@wty-Bryant wty-Bryant wty-Bryant approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@RanVaknin @wty-Bryant @lucix-aws