Use IMDSv2 for AWS metadata (#42)

* Use IMDSv2 for AWS metadata * Use IMDSv2 for AWS metadata * Fix formatting
skyscrapers · Oct 6, 2023 · f8d396c · f8d396c
1 parent e2ef430
commit f8d396c
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 5 deletions.
diff --git a/teleport-bootstrap-script/templates/metadata.tpl b/teleport-bootstrap-script/templates/metadata.tpl
@@ -3,8 +3,9 @@
 set -e
 
 get_private_ip () {
-  PRIVATE_IP="$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)"
-  if [ $? != 0 ]; then
+  PRIVATE_IP="$(curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/local-ipv4)"
+
+  if [ -z $PRIVATE_IP ]; then
     # hostname -I returns all IP addresses available in the server, grep will return the first private IP found
     PRIVATE_IP="$(hostname -I | tr ' ' '\n' | grep -m 1 -E '^(192\.168|10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.)')"
   fi
@@ -15,11 +16,14 @@ get_private_ip () {
 
 # Config /etc/teleport
 
+## Get token for IMDSv2
+TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 30")
+
 ## Get private IP for advertise_ip
 echo "ADVERTISE_IP=$(get_private_ip)" >> /etc/teleport
 
 ## Get instance ID (if possible)
-${include_instance_id ? "export INSTANCE_ID=-$(curl -s http://169.254.169.254/latest/meta-data/instance-id)" : ""}
+${include_instance_id ? "export INSTANCE_ID=-$(curl -s -H \"X-aws-ec2-metadata-token: $TOKEN\" http://169.254.169.254/latest/meta-data/instance-id)" : ""}
 
 ## Set the rest of the config
 echo "AUTH_TOKEN=${auth_token}" >> /etc/teleport

diff --git a/teleport-bootstrap-script/templates/teleport.yaml.tpl b/teleport-bootstrap-script/templates/teleport.yaml.tpl
@@ -7,10 +7,16 @@ ssh_service:
 
   commands:
     - name: teleport_version
-      command: ["/bin/bash", "-c", "/usr/local/bin/teleport version | cut -d' ' -f2"]
+      command:
+        ["/bin/bash", "-c", "/usr/local/bin/teleport version | cut -d' ' -f2"]
       period: 1h0m0s
     - name: instance_type
-      command: ["/usr/bin/curl", "-s", "http://169.254.169.254/latest/meta-data/instance-type"]
+      command:
+        [
+          "/bin/bash",
+          "-c",
+          'TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 30") && curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/instance-type',
+        ]
       period: 1h0m0s
 
   permit_user_env: false