[GH-ISSUE #1445] Support AWS IMDSv2 for role credentials #757

Closed
opened 2026-03-04 01:48:31 +03:00 by kerem · 5 comments
Originally created by @nmeyerhans on GitHub (Oct 9, 2020).
Original GitHub issue: https://github.com/s3fs-fuse/s3fs-fuse/issues/1445

As described in AWS [blog posts](https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/) and [documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html), IMDSv2 is a revision of the EC2 instance metadata service that provides security benefits over the original metadata service.

The [addition of IMDSv2 support to the ec2metadata command](https://github.com/canonical/cloud-utils/pull/1/commits/991719ef079222ce844b27e7ceecee176308aecf) might serve as a useful example to illustrate the API changes. In the case of s3fs, if support for IMDS-compatible services outside of Amazon EC2 is desired, it may be necessary to fall back to IMDSv1 support in the event that the token API returns a 404. Alternatively, it might be reasonable to ask the user to explicitly choose to enable IMDSv2 support if it's desired.
@gaul commented on GitHub (Oct 10, 2020):

@nmeyerhans This seems straightforward to implement; would you like to submit a pull request?

@nmeyerhans commented on GitHub (Oct 10, 2020):

I have not started on the implementation, but I don't mind doing so. I'll try to get a PR to you in the next few days.

@gaul commented on GitHub (Sep 2, 2021):

@nmeyerhans Could you look at https://stackoverflow.com/questions/69031023/how-to-make-s3fs-use-imds-v2-when-mounting-s3-buckets-from-ec2-instance ?

@erka commented on GitHub (Sep 2, 2021):

@gaul it isn't fully supported. There is an issue with getting the EC2 role from metadata automatically. It is called without a token and fails.


@nmeyerhans commented on GitHub (Sep 2, 2021):

@gaul I've posted an update on that stackoverflow post. It appears that `S3fsCurl::LoadIAMRoleFromMetaData()` was never updated to include tokens, so `iam_role=auto` doesn't work if tokens are required. Explicitly specifying a role name should work.

I can prepare a PR to fix `S3fsCurl::LoadIAMRoleFromMetaData()`

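The two protocol points raised in this thread, the token handshake with an IMDSv1 fallback when the token API answers 404 (issue description) and the tokenless role-name lookup behind `iam_role=auto` that fails once tokens are required (the last two comments), shown end to end as an added example. This is editor-written code, not part of s3fs-fuse (which is C++ over libcurl); Python is used so both sides of the exchange can run offline against an in-process stand-in for 169.254.169.254. `FakeIMDS`, the role name `s3fs-demo-role`, the credential values and every function name below are constructed for the demo. The header names, paths, the 1..21600 second TTL range and the 404/401 status codes are the ones the AWS documentation specifies.

```python
"""IMDSv2 token flow with IMDSv1 fallback on 404, plus the iam_role=auto
role-name lookup, exercised against an in-process fake metadata service.
The server, role name and credential values are constructed for the demo."""
import http.server
import json
import secrets
import threading
import urllib.error
import urllib.request

TOKEN_PATH = "/latest/api/token"
ROLE_PATH = "/latest/meta-data/iam/security-credentials/"
FAKE_ROLE = "s3fs-demo-role"                          # constructed
FAKE_CREDS = {"Code": "Success", "Type": "AWS-HMAC",  # constructed placeholders
              "AccessKeyId": "ASIAEXAMPLEEXAMPLE", "SecretAccessKey": "example-secret",
              "Token": "example-session-token", "Expiration": "2026-01-01T00:00:00Z"}
# Ignore any http_proxy in the environment so calls to 127.0.0.1 go direct.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


class FakeIMDS(http.server.BaseHTTPRequestHandler):
    """Stand-in for the metadata endpoint. require_token=True mimics an instance
    with HttpTokens=required; v2_supported=False mimics an IMDS-compatible
    service that has no token API and answers the PUT with 404."""
    require_token = True
    v2_supported = True
    tokens = set()

    def log_message(self, fmt, *args):  # keep the demo quiet
        pass

    def do_PUT(self):
        if self.path != TOKEN_PATH or not self.v2_supported:
            return self._send(404, "not found")
        ttl = self.headers.get("X-aws-ec2-metadata-token-ttl-seconds", "")
        if not ttl.isdigit() or not 1 <= int(ttl) <= 21600:
            return self._send(400, "bad ttl")
        tok = secrets.token_urlsafe(24)
        self.tokens.add(tok)
        self._send(200, tok)

    def do_GET(self):
        tok = self.headers.get("X-aws-ec2-metadata-token")
        # Tokenless GET on a tokens-required host, or an unknown token: 401.
        if (tok is None and self.require_token) or (tok is not None and tok not in self.tokens):
            return self._send(401, "unauthorized")
        if self.path == ROLE_PATH:
            return self._send(200, FAKE_ROLE + "\n")
        if self.path == ROLE_PATH + FAKE_ROLE:
            return self._send(200, json.dumps(FAKE_CREDS))
        self._send(404, "not found")

    def _send(self, code, body):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def fetch_token(base, ttl=21600):
    """PUT /latest/api/token. Returns the session token, or None when the
    endpoint answers 404 (no IMDSv2), which is the signal to fall back to v1."""
    req = urllib.request.Request(base + TOKEN_PATH, method="PUT")
    req.add_header("X-aws-ec2-metadata-token-ttl-seconds", str(ttl))
    try:
        with OPENER.open(req, timeout=2) as r:
            return r.read().decode()
    except urllib.error.HTTPError as e:
        if e.code == 404:
            return None
        raise


def imds_get(base, path, token=None):
    """GET a metadata path, attaching the v2 token header when we have one."""
    req = urllib.request.Request(base + path)
    if token is not None:
        req.add_header("X-aws-ec2-metadata-token", token)
    with OPENER.open(req, timeout=2) as r:
        return r.read().decode()


def load_role_credentials(base, role="auto"):
    """Fixed flow: get the token first, then use it for both the role-name
    discovery (iam_role=auto) and the credential fetch."""
    token = fetch_token(base)
    if role == "auto":
        role = imds_get(base, ROLE_PATH, token).splitlines()[0].strip()
    return role, json.loads(imds_get(base, ROLE_PATH + role, token))


def legacy_auto_role_lookup(base):
    """The failure mode from the thread: role-name GET sent without a token."""
    try:
        return imds_get(base, ROLE_PATH).strip()
    except urllib.error.HTTPError as e:
        return "HTTP %d" % e.code


def with_fake_imds(require_token, v2_supported, fn):
    """Run fn(base_url) against a FakeIMDS bound to an ephemeral port."""
    FakeIMDS.require_token, FakeIMDS.v2_supported = require_token, v2_supported
    srv = http.server.HTTPServer(("127.0.0.1", 0), FakeIMDS)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return fn("http://127.0.0.1:%d" % srv.server_address[1])
    finally:
        srv.shutdown()
        srv.server_close()


def demo_v2_required():         # HttpTokens=required: token used throughout
    return with_fake_imds(True, True, load_role_credentials)


def demo_v1_only_service():     # token API 404s: fall back to tokenless GETs
    return with_fake_imds(False, False, load_role_credentials)


def demo_legacy_auto_lookup():  # the unfixed iam_role=auto path on a v2-only host
    return with_fake_imds(True, True, legacy_auto_role_lookup)


if __name__ == "__main__":
    print(demo_v2_required())
    print(demo_v1_only_service())
    print(demo_legacy_auto_lookup())
```

The 404 fallback is deliberately narrow: only a 404 on the PUT means "no token API here"; a 401, 403 or timeout is surfaced rather than silently degrading to v1, since an attacker-reachable proxy that strips the PUT is exactly the SSRF scenario IMDSv2 exists to close. On a real instance with `HttpTokens=required`, `legacy_auto_role_lookup` is the request `iam_role=auto` was making, and the 401 it returns here is why explicitly naming the role worked while auto-discovery did not.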