From dd4b584231890212684f503dc2c64a90eee2c2d6 Mon Sep 17 00:00:00 2001
From: Stefan - Zipkid - Goethals
Date: Thu, 7 Mar 2024 15:01:48 +0100
Subject: [PATCH] Add support for AWS IMDSv2 in Availability Zone resolver

This is an advised security improvement for AWS instances. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html
---
 lib/facter/resolvers/az.rb | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/lib/facter/resolvers/az.rb b/lib/facter/resolvers/az.rb
index 0f558ccb2c..535749c768 100644
--- a/lib/facter/resolvers/az.rb
+++ b/lib/facter/resolvers/az.rb
@@ -26,6 +26,7 @@ def read_facts(fact_name)

 def get_data_from(url)
 headers = { Metadata: 'true' }
+ headers['X-aws-ec2-metadata-token'] = v2_token if v2_token
 Facter::Util::Resolvers::Http.get_request(url, headers, { session: determine_session_timeout })
 end

@@ -33,6 +34,13 @@ def determine_session_timeout
 session_env = ENV['AZ_SESSION_TIMEOUT']
 session_env ? session_env.to_i : AZ_SESSION_TIMEOUT
 end
+
+ def v2_token
+ @v2_token ||= begin
+ token = Facter::Util::Resolvers::AwsToken.get
+ token == '' ? nil : token
+ end
+ end
 end
 end
 end
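Review bot: In `get_data_from`, the AWS IMDSv2 session token is attached to every request whatever `url` the caller passes, and the token lookup runs on every platform where this resolver is used. The `Metadata: 'true'` header kept on the line above is the convention of the Azure instance metadata service, so this resolver appears to target Azure rather than an AWS availability-zone endpoint. If that is right, each Azure host would now make an extra AWS token request before resolving. The header should be added only once the host is known to be EC2 and only when `url` is the metadata address, with a comment such as `# IMDSv2 token: sent only to the EC2 metadata endpoint`. The URL constant and the callers of `get_data_from` lie outside the hunk, so this needs confirming against the rest of the file.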
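Review bot: `v2_token` memoizes with `||=`, which does not cache a `nil` result, so on hosts where no token comes back every `get_data_from` call repeats `AwsToken.get`; a successful token is kept in `@v2_token` with no expiry or reset visible in this hunk. If `Facter::Util::Resolvers::AwsToken.get` already caches and refreshes the token (its implementation is outside this patch), the instance variable can be dropped and the token read once into a local in `get_data_from`: `token = v2_token` then `headers['X-aws-ec2-metadata-token'] = token if token`. Otherwise guard the memo with `return @v2_token if defined?(@v2_token)` so a failed lookup is not retried on every request. The diffstat shows only `az.rb` changed, so a spec covering the empty-token case would pin the intended behaviour.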