
Switch AWS data source to IMDSv2 #848

Closed
cburgmer opened this issue May 18, 2020 · 5 comments · Fixed by #1402

Comments

@cburgmer

AWS' instance metadata service has received a more secure way of accessing it (version 2 called IMDSv2): https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/

Looking at https://github.com/hairyhenderson/gomplate/blob/master/aws/ec2meta.go we are probably still calling it with the previous version.

As both versions are supported by AWS the migration plan could be as easy as switching to IMDSv2 instead, which means fetching a short-lived token first.

@hairyhenderson
Owner

we are probably still calling it with the previous version

Yup, definitely still using v1 😉

Looking at aws/aws-sdk-go#2980 it seems there may be some extra latency when IMDSv2 isn't available. I've had some issues recently with IMDS/IMDSv2 - for example in Kubernetes clusters sometimes tools like KIAM are used, which intercept the IMDS calls and redirect them to a central server. IMDSv2 support was only added to KIAM in March, and so it's likely that some users of this tool have not yet upgraded.

Either way, I think just switching to IMDSv2 as you say is probably the best option. There's a possibility it'll introduce latency, but long-term it's the right thing to do.

@cburgmer Are you interested in submitting a PR for this?
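The handshake cburgmer describes above (PUT for a short-lived token, then send that token on every metadata GET), written out as an added Go example. This is not gomplate's code and not the change that eventually landed; the type and function names (IMDSClient, newFakeIMDS), the 6-hour TTL, the 2-second timeout and the constructed in-process stand-in for 169.254.169.254 are all assumptions of the example, while the path and header names are the ones IMDSv2 defines. The stand-in requires tokens, so the reader can see both what a v2 client does and what happens to an old-style v1 request against it.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"time"
)

// Path and header names are the ones IMDSv2 defines; the TTL (6h, the most
// IMDSv2 grants) is this example's choice.
const (
	tokenPath   = "/latest/api/token"
	ttlHeader   = "X-aws-ec2-metadata-token-ttl-seconds"
	tokenHeader = "X-aws-ec2-metadata-token"
	tokenTTL    = "21600"
)

// IMDSClient reads instance metadata with IMDSv2 only: no token, no request.
type IMDSClient struct {
	BaseURL string
	HTTP    *http.Client
	token   string // cached session token, empty until the handshake succeeds
}

// do sends one request carrying a single header and returns status and body.
func (c *IMDSClient) do(method, path, hk, hv string) (int, string, error) {
	req, err := http.NewRequest(method, c.BaseURL+path, nil)
	if err != nil {
		return 0, "", err
	}
	req.Header.Set(hk, hv)
	resp, err := c.HTTP.Do(req)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return resp.StatusCode, string(body), err
}

// Get returns /latest/meta-data/<path>. With no cached token it first runs the
// IMDSv2 handshake: PUT /latest/api/token with the TTL header yields an opaque
// session token that every metadata GET must carry. A 401 on the GET means the
// token expired or was rejected, so it is dropped and the next call re-authenticates.
func (c *IMDSClient) Get(path string) (string, error) {
	if c.token == "" {
		status, tok, err := c.do(http.MethodPut, tokenPath, ttlHeader, tokenTTL)
		if err != nil {
			return "", err
		}
		if status != http.StatusOK {
			return "", fmt.Errorf("IMDSv2 token request returned %d (IMDSv1-only endpoint or proxy?)", status)
		}
		c.token = tok
	}
	status, body, err := c.do(http.MethodGet, "/latest/meta-data/"+path, tokenHeader, c.token)
	if err != nil {
		return "", err
	}
	if status != http.StatusOK {
		if status == http.StatusUnauthorized {
			c.token = ""
		}
		return "", fmt.Errorf("GET %s returned %d", path, status)
	}
	return body, nil
}

// newFakeIMDS is a constructed stand-in for 169.254.169.254 with tokens
// required, not AWS code: untokened GETs get 401, and a token PUT is refused
// unless it has the TTL header and no X-Forwarded-For (IMDSv2 issues no token
// to a request that arrived through a proxy). The values served are made up.
func newFakeIMDS() *httptest.Server {
	const token = "AQAAA-constructed-session-token"
	data := map[string]string{"/latest/meta-data/instance-id": "i-0123456789abcdef0"}
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path == tokenPath {
			if r.Method != http.MethodPut || r.Header.Get(ttlHeader) == "" || r.Header.Get("X-Forwarded-For") != "" {
				w.WriteHeader(http.StatusForbidden)
				return
			}
			io.WriteString(w, token)
			return
		}
		if r.Header.Get(tokenHeader) != token {
			w.WriteHeader(http.StatusUnauthorized)
		} else if v, ok := data[r.URL.Path]; ok {
			io.WriteString(w, v)
		} else {
			w.WriteHeader(http.StatusNotFound)
		}
	}))
}

func main() {
	srv := newFakeIMDS()
	c := &IMDSClient{BaseURL: srv.URL, HTTP: &http.Client{Timeout: 2 * time.Second}}
	fmt.Println(c.Get("instance-id"))
}
```

Two deliberate choices relate to the discussion above. The client fails closed when the token PUT is not answered with 200, which is what an interceptor that does not understand IMDSv2 would produce; whether to fall back to a tokenless v1 request at that point (as the SDK behaviour linked above does, at the cost of the extra round trip) is the compatibility-versus-latency trade-off, and this example does not fall back. The short HTTP timeout matters because off-EC2 the link-local address simply does not answer, and a template renderer should not hang on it.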

@cburgmer
Author

I referenced the issue here on the company issue tracker. When this gets priority I'm sure this can be done.

@hairyhenderson
Owner

@cburgmer thanks!

@angrastuti

Is there any timeline when this issue will be picked up to support IMDSv2 auth for AWS instances ?

@hairyhenderson
Owner

@angrastuti not as far as I'm aware... In gomplate v4 however I will switch to using go-fsimpl as the back-end for datasources, and so the IMDSv1/v2 support will need to be there. I'm not certain what version of IMDS ends up being used in go-fsimpl's blobfs filesystem - there may need to be some work done there to support it.

3 participants