fix: signed IMDS workflow (#2964)

Author: trivikr

.changes/next-release/bugfix-IMDS-d2f75b85.json

@@ -0,0 +1,5 @@
+{
+  "type": "bugfix",
+  "category": "IMDS",
+  "description": "Signed IMDS workflow"
+}

lib/metadata_service.js

@@ -37,6 +37,11 @@ AWS.MetadataService = inherit({
    */
   httpOptions: { timeout: 0 },
 
+  /**
+   * when enabled, metadata service will not fetch token
+   */
+  disableFetchToken: false,
+
   /**
    * Creates a new MetadataService object with a given set of options.
    *
@@ -60,21 +65,36 @@ AWS.MetadataService = inherit({
    * Sends a request to the instance metadata service for a given resource.
    *
    * @param path [String] the path of the resource to get
+   *
+   * @param options [map] an optional map used to make request
+   *
+   *   * **method** (String) — HTTP request method
+   *
+   *   * **headers** (map<String,String>) &mdash; a map of response header keys and their respective values
+   *
    * @callback callback function(err, data)
    *   Called when a response is available from the service.
    *   @param err [Error, null] if an error occurred, this value will be set
    *   @param data [String, null] if the request was successful, the body of
    *     the response
    */
-  request: function request(path, callback) {
+  request: function request(path, options, callback) {
+    if (arguments.length === 2) {
+      callback = options;
+      options = {};
+    }
+
     if (process.env[AWS.util.imdsDisabledEnv]) {
       callback(new Error('EC2 Instance Metadata Service access disabled'));
       return;
     }
 
     path = path || '/';
     var httpRequest = new AWS.HttpRequest('http://' + this.host + path);
-    httpRequest.method = 'GET';
+    httpRequest.method = options.method || 'GET';
+    if (options.headers) {
+      httpRequest.headers = options.headers;
+    }
     AWS.util.handleRequestWithRetries(httpRequest, this, callback);
   },
 
@@ -83,6 +103,72 @@ AWS.MetadataService = inherit({
   */
   loadCredentialsCallbacks: [],
 
+  /**
+   * Fetches metadata token used for getting credentials
+   *
+   * @api private
+   * @callback callback function(err, token)
+   *   Called when token is loaded from the resource
+   */
+  fetchMetadataToken: function fetchMetadataToken(callback) {
+    var self = this;
+    var tokenFetchPath = '/latest/api/token';
+    self.request(
+      tokenFetchPath,
+      {
+        'method': 'PUT',
+        'headers': {
+          'x-aws-ec2-metadata-token-ttl-seconds': '21600'
+        }
+      },
+      callback
+    );
+  },
+
+  /**
+   * Fetches credentials
+   *
+   * @api private
+   * @callback cb function(err, creds)
+   *   Called when credentials are loaded from the resource
+   */
+  fetchCredentials: function fetchCredentials(options, cb) {
+    var self = this;
+    var basePath = '/latest/meta-data/iam/security-credentials/';
+
+    self.request(basePath, options, function (err, roleName) {
+      if (err) {
+        self.disableFetchToken = !(err.statusCode === 401);
+        cb(AWS.util.error(
+          err,
+          {
+            message: 'EC2 Metadata roleName request returned error'
+          }
+        ));
+        return;
+      }
+      roleName = roleName.split('\n')[0]; // grab first (and only) role
+      self.request(basePath + roleName, options, function (credErr, credData) {
+        if (credErr) {
+          self.disableFetchToken = !(credErr.statusCode === 401);
+          cb(AWS.util.error(
+            credErr,
+            {
+              message: 'EC2 Metadata creds request returned error'
+            }
+          ));
+          return;
+        }
+        try {
+          var credentials = JSON.parse(credData);
+          cb(null, credentials);
+        } catch (parseError) {
+          cb(parseError);
+        }
+      });
+    });
+  },
+
   /**
    * Loads a set of credentials stored in the instance metadata service
    *
@@ -95,7 +181,6 @@ AWS.MetadataService = inherit({
    */
   loadCredentials: function loadCredentials(callback) {
     var self = this;
-    var basePath = '/latest/meta-data/iam/security-credentials/';
     self.loadCredentialsCallbacks.push(callback);
     if (self.loadCredentialsCallbacks.length > 1) { return; }
 
@@ -106,23 +191,41 @@ AWS.MetadataService = inherit({
       }
     }
 
-    self.request(basePath, function (err, roleName) {
-      if (err) callbacks(err);
-      else {
-        roleName = roleName.split('\n')[0]; // grab first (and only) role
-        self.request(basePath + roleName, function (credErr, credData) {
-          if (credErr) callbacks(credErr);
-          else {
-            try {
-              var credentials = JSON.parse(credData);
-              callbacks(null, credentials);
-            } catch (parseError) {
-              callbacks(parseError);
-            }
+    if (self.disableFetchToken) {
+      self.fetchCredentials({}, callbacks);
+    } else {
+      self.fetchMetadataToken(function(tokenError, token) {
+        if (tokenError) {
+          if (tokenError.code === 'TimeoutError') {
+            self.disableFetchToken = true;
+          } else if (tokenError.retryable === true) {
+            callbacks(AWS.util.error(
+              tokenError,
+              {
+                message: 'EC2 Metadata token request returned error'
+              }
+            ));
+            return;
+          } else if (tokenError.statusCode === 400) {
+            callbacks(AWS.util.error(
+              tokenError,
+              {
+                message: 'EC2 Metadata token request returned 400'
+              }
+            ));
+            return;
           }
-        });
-      }
-    });
+        }
+        var options = {};
+        if (token) {
+          options.headers = {
+            'x-aws-ec2-metadata-token': token
+          };
+        }
+        self.fetchCredentials(options, callbacks);
+      });
+
+    }
   }
 });
 

lib/util.js

@@ -893,7 +893,10 @@ var util = {
           } else {
             var retryAfter = parseInt(httpResponse.headers['retry-after'], 10) * 1000 || 0;
             var err = util.error(new Error(),
-              { retryable: statusCode >= 500 || statusCode === 429 }
+              {
+                statusCode: statusCode,
+                retryable: statusCode >= 500 || statusCode === 429
+              }
             );
             if (retryAfter && err.retryable) err.retryAfter = retryAfter;
             errCallback(err);