This repository was archived by the owner on Aug 7, 2025. It is now read-only.

Feature request: IMDSv2 support for fetching AWS User data #61

@tvanhl


Hi,

The distribution is meant to be kept minimal, but I would suggest adding Instance Metadata Service version 2 (IMDSv2) support to ucd-data-fetch.

Motivation

If IMDSv2 cannot be enabled, it causes a critical / high open security recommendation "EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)" on AWS. At some point, this may need to be implemented anyway (e.g. if IMDSv1 were deprecated).

Current behavior

When I set the instance metadata option for IMDSv2 from "Optional" to "Required", it seems that the systemd service [email protected] fails with an error:

systemd[1]: Starting [email protected]...
ucd-data-fetch[155]: parse_headers(): Network is unreachable
systemd[1]: [email protected]: Main process exited, code=exited, status=1/FAILURE
systemd[1]: [email protected]: Failed with result 'exit-code'.
systemd[1]: Failed to start [email protected].

Suggestion

Support for IMDSv2 could be the default behavior for ucd-data-fetch in the case of AWS, as from quick testing it looks to me that IMDSv1 also works even if the token (from http://169.254.169.254/latest/api/token) is provided with the instance metadata request.

--

Thank you.
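The two-step IMDSv2 exchange the issue asks for, as an added example (not part of the original issue and not ucd-data-fetch's own code): a PUT obtains a session token, which is then sent as a header on the user-data GET. The function names are hypothetical, the sample response is constructed, and the parser assumes a non-chunked response whose body is the token.

```c
#include <stdio.h>
#include <string.h>

#define IMDS_HOST "169.254.169.254"
#define TOKEN_TTL "21600" /* seconds; the maximum IMDSv2 accepts */

/* Step 1: session-token request. IMDSv2 needs PUT plus the TTL header. */
int imds_build_token_request(char *buf, size_t len)
{
    int n = snprintf(buf, len, "PUT /latest/api/token HTTP/1.1\r\n"
        "Host: " IMDS_HOST "\r\n"
        "X-aws-ec2-metadata-token-ttl-seconds: " TOKEN_TTL "\r\n"
        "Connection: close\r\n\r\n");
    return (n > 0 && (size_t)n < len) ? n : -1;
}

/* Copy the token (the response body) out of a raw HTTP response.
 * Returns -1 on a non-200 status, a missing/empty body, or overflow.
 * Stopping at CR/LF keeps the token from injecting extra headers. */
int imds_parse_token(const char *resp, char *token, size_t len)
{
    int status = 0;
    if (sscanf(resp, "HTTP/1.%*d %d", &status) != 1 || status != 200)
        return -1;
    const char *body = strstr(resp, "\r\n\r\n");
    if (!body) return -1;
    size_t n = strcspn(body + 4, "\r\n");
    if (n == 0 || n >= len) return -1;
    memcpy(token, body + 4, n);
    token[n] = '\0';
    return 0;
}

/* Step 2: user-data request carrying the token. When IMDSv2 is
 * "Required", the same GET without this header is answered with 401. */
int imds_build_userdata_request(char *buf, size_t len, const char *token)
{
    int n = snprintf(buf, len, "GET /latest/user-data HTTP/1.1\r\n"
        "Host: " IMDS_HOST "\r\n"
        "X-aws-ec2-metadata-token: %s\r\nConnection: close\r\n\r\n", token);
    return (n > 0 && (size_t)n < len) ? n : -1;
}

int main(void)
{
    /* Constructed response; a real one is the reply to the PUT above. */
    const char *resp = "HTTP/1.1 200 OK\r\nContent-Length: 12\r\n\r\nCONSTRUCTED=";
    char req[256], token[128];
    if (imds_parse_token(resp, token, sizeof token) < 0) return 1;
    if (imds_build_userdata_request(req, sizeof req, token) < 0) return 1;
    return fputs(req, stdout) < 0;
}
```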
