[PR #1462] [MERGED] Implement AWS IMDSv2 support #1996

Closed
opened 2026-03-04 02:03:11 +03:00 by kerem · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/s3fs-fuse/s3fs-fuse/pull/1462
Author: @nmeyerhans
Created: 10/29/2020
Status: Merged
Merged: 11/7/2020
Merged by: @gaul

Base: master ← Head: imdsv2


📝 Commits (2)

  • 4fe530b Implement AWS IMDSv2 support
  • a2ab4eb fixup! Implement AWS IMDSv2 support

📊 Changes

5 files changed (+104 additions, -0 deletions)


📝 doc/man/s3fs.1 (+6 -0)
📝 src/curl.cpp (+76 -0)
📝 src/curl.h (+9 -0)
📝 src/s3fs.cpp (+6 -0)
📝 src/s3fs_help.cpp (+7 -0)

📄 Description

Relevant Issue (if applicable)

#1445

Details

AWS IMDSv2 is a session-oriented method for retrieving instance metadata,
including IAM credentials, in Amazon EC2. It is enabled by default in
non-enforcing mode in AWS (meaning it retains backwards compatibility with
existing IMDSv1 clients), but can be switched to enforcing mode, in which
clients are required to return API tokens with requests.

With this change, we implement support for IMDSv2 and enable it by default when
IAM roles are our source for authentication credentials. In the event that
s3fs is running in a cloud environment offering an IMDSv1-compatible API, we
support graceful fallback to that mode. It can also be selected explicitly via
the imdsv1only mount option.

More details on IMDSv2 are available at
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html
and
https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
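
The session flow and fallback described in the PR text above, as an added C++ example that is not code from this pull request or from s3fs. The paths and header names are the ones AWS documents for IMDSv2; the `Transport` hook, `mock_imds`, the role name, the token value and the rule "any non-200 token response falls back to IMDSv1" are assumptions made for illustration.

```cpp
// Added example: IMDSv2 token session with IMDSv1 fallback, run against a constructed mock.
#include <functional>
#include <iostream>
#include <map>
#include <string>

struct Response { int status; std::string body; };
struct Result { bool ok; std::string mode; std::string body; };
using Headers = std::map<std::string, std::string>;
// Hypothetical transport hook (method, path, headers); a real client sends to 169.254.169.254.
using Transport = std::function<Response(const std::string&, const std::string&, const Headers&)>;

const std::string kTokenPath = "/latest/api/token";
const std::string kCredPath = "/latest/meta-data/iam/security-credentials/";
const std::string kTtlHdr = "X-aws-ec2-metadata-token-ttl-seconds";
const std::string kTokHdr = "X-aws-ec2-metadata-token";

Result fetch_role_credentials(const Transport& send, const std::string& role, bool imdsv1only) {
    Headers h;
    std::string mode = "imdsv1";
    if (!imdsv1only) {
        // Step 1: open a session with a PUT; the TTL header is mandatory.
        Response t = send("PUT", kTokenPath, Headers{{kTtlHdr, "21600"}});
        if (t.status == 200 && !t.body.empty()) {
            h[kTokHdr] = t.body;  // present the token on every later request
            mode = "imdsv2";
        }  // any other status: assume an IMDSv1-only endpoint and continue without a token
    }
    // Step 2: fetch the role credentials, with the token header if a session was opened.
    Response r = send("GET", kCredPath + role, h);
    return {r.status == 200, mode, r.body};
}

// Constructed mock metadata service; has_token_api=false models an IMDSv1-compatible clone.
Transport mock_imds(bool has_token_api, bool enforcing) {
    return [=](const std::string& m, const std::string& p, const Headers& h) -> Response {
        if (m == "PUT" && p == kTokenPath)
            return has_token_api && h.count(kTtlHdr) ? Response{200, "TOKEN-EXAMPLE"} : Response{404, ""};
        auto it = h.find(kTokHdr);
        if (enforcing && (it == h.end() || it->second != "TOKEN-EXAMPLE")) return {401, ""};
        return {200, "{\"AccessKeyId\":\"EXAMPLE\"}"};
    };
}

int main() {
    Result r = fetch_role_credentials(mock_imds(true, true), "example-role", false);
    std::cout << r.mode << " ok=" << r.ok << "\n";
    return r.ok ? 0 : 1;
}
```

Against the enforcing mock, forcing the IMDSv1 path returns 401 and no credentials, which is the behaviour enforcing mode is meant to guarantee.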
