Comments (4)

mp911de avatar mp911de commented on July 18, 2024

We don't pass on any session headers to the metadata service. To support this, the following requirements would have to be defined:

  • Who creates a session token
  • How is the token provided to the auth mechanism?
  • Who maintains TTL and how is a new token created/provided?

In a JWT/Kubernetes environment, the platform provides such details and ensures that recent information is stored in a file. Spring Vault is by no means authoritative for creating and maintaining yet another set of tokens, so I suggest that you create your own ClientAuthentication implementation, potentially based on AwsEc2Authentication, to explore provisioning and runtime operations.

With sufficient details from a broader community we can work on a path to enable session-bound usage of the identity service.

from spring-vault.

brantg avatar brantg commented on July 18, 2024

I don't think I understand the issue here - all you need to do is fetch the token from the EC2 instance itself, feed it back to the metadata call and then drop it. The token does not need to be kept beyond the call. ...or else I have greatly misunderstood how much Spring Vault needs to interact with the IMDS.

Documentation:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-metadata-v2-how-it-works.html

Specific CLI example:

# Step 1: request a session token (PUT only; TTL is capped at 21600 seconds).
TOKEN=$(curl -sS -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
# Step 2: present the token on the metadata call; without it IMDSv2 returns 401.
curl -sS -H "X-aws-ec2-metadata-token: $TOKEN" "http://169.254.169.254/latest/meta-data/"


mp911de avatar mp911de commented on July 18, 2024

Thanks for the additional detail. My initial understanding was that AWS introduced a mechanism to secure metadata requests so that only the first process could request a session token and that no other process could obtain a new token until the other one expires.

After testing the new API a bit, I must say that we only gain additional overhead without getting actual value out of the process.

It should be possible to conditionally obtain a short-lived session token during the login.


brantg avatar brantg commented on July 18, 2024

Oh, completely agree about the zero value add... but it is what we are required to work with, so here we are.

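The exchange brantg's CLI snippet shows (PUT for a token, GET with the token, then drop it) and the "conditionally obtain a short-lived session token during the login" behaviour mp911de describes, as an added Python example that is not part of the issue and not Spring Vault's own code. The client only fetches a token when it has none or the previous one is about to expire, and `forget()` discards it once login is done. The `_MockImds` handler, the `127.0.0.1` base URL, and the instance id `i-0123456789abcdef0` are constructed stand-ins so the example runs offline; the header names, the `/latest/api/token` path and the 21600-second cap are the documented IMDSv2 values.

```python
import http.server
import secrets
import threading
import time
import urllib.error
import urllib.request

IMDS_BASE = "http://169.254.169.254"          # real link-local IMDS address
TOKEN_HEADER = "X-aws-ec2-metadata-token"
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"


class Imdsv2Client:
    """Obtain an IMDSv2 session token with PUT, reuse it for GETs, refresh on expiry."""

    def __init__(self, base_url=IMDS_BASE, ttl_seconds=21600, timeout=2.0):
        self.base_url = base_url.rstrip("/")
        self.ttl_seconds = ttl_seconds
        self.timeout = timeout
        self._token = None
        self._expires_at = 0.0

    def _fetch_token(self):
        req = urllib.request.Request(f"{self.base_url}/latest/api/token", method="PUT",
                                     headers={TTL_HEADER: str(self.ttl_seconds)})
        with urllib.request.urlopen(req, timeout=self.timeout) as resp:
            self._token = resp.read().decode("utf-8").strip()
        # Refresh a few seconds early so a token never expires mid-request.
        self._expires_at = time.monotonic() + self.ttl_seconds - 5
        return self._token

    def token(self):
        """Conditional fetch: only talk to /latest/api/token when no usable token is cached."""
        if self._token is None or time.monotonic() >= self._expires_at:
            return self._fetch_token()
        return self._token

    def get(self, path):
        req = urllib.request.Request(f"{self.base_url}/latest/{path.lstrip('/')}",
                                     headers={TOKEN_HEADER: self.token()})
        with urllib.request.urlopen(req, timeout=self.timeout) as resp:
            return resp.read().decode("utf-8")

    def forget(self):
        """Drop the token after login; nothing needs to keep it beyond the call."""
        self._token = None
        self._expires_at = 0.0


class _MockImds(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for IMDSv2: PUT issues a token, GET is refused without a valid one."""
    tokens = {}  # token -> expiry (monotonic seconds)

    def log_message(self, *args):  # keep test output quiet
        pass

    def do_PUT(self):
        ttl = self.headers.get(TTL_HEADER, "")
        if self.path != "/latest/api/token" or not ttl.isdigit() or not 1 <= int(ttl) <= 21600:
            return self._reply(400, "bad request")
        tok = secrets.token_urlsafe(32)
        type(self).tokens[tok] = time.monotonic() + int(ttl)
        self._reply(200, tok)

    def do_GET(self):
        exp = type(self).tokens.get(self.headers.get(TOKEN_HEADER, ""))
        if exp is None or time.monotonic() > exp:
            return self._reply(401, "unauthorized")  # matches IMDSv2 behaviour without a token
        if self.path == "/latest/meta-data/instance-id":
            return self._reply(200, "i-0123456789abcdef0")  # constructed sample value
        self._reply(404, "not found")

    def _reply(self, code, body):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def start_mock_imds():
    srv = http.server.HTTPServer(("127.0.0.1", 0), _MockImds)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def demo():
    """Login-style flow: token, one metadata read, drop. Returns (instance_id, status_without_token)."""
    srv, base = start_mock_imds()
    try:
        client = Imdsv2Client(base_url=base, ttl_seconds=60)
        instance_id = client.get("meta-data/instance-id")
        try:  # the same read without the token header must be refused
            urllib.request.urlopen(f"{base}/latest/meta-data/instance-id", timeout=2)
            unauth_status = 200
        except urllib.error.HTTPError as err:
            unauth_status = err.code
        client.forget()
        return instance_id, unauth_status
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(demo())
```

Pointing `Imdsv2Client` at the default `IMDS_BASE` on a real instance exercises the same two requests as the CLI snippet; the in-process mock exists only so the flow can be checked without an EC2 instance.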
