
DNS_AWS does not support role credentials from IMDSv2

Open pipozzz opened this issue 1 year ago • 5 comments

DNS_AWS does not support role credentials from IMDSv2.

Steps to reproduce

Enable IMDSv2 (set to "Required") on the EC2 instance.

Debug log

acme.sh  --issue .....   --debug 2
[Tue Jan 23 12:06:43 UTC 2024] You haven't specified the aws route53 api key id and and api key secret yet.

pipozzz avatar Jan 23 '24 13:01 pipozzz

Please upgrade to the latest code and try again first. Maybe it's already fixed. acme.sh --upgrade If it's still not working, please provide the log with --debug 2, otherwise, nobody can help you.

github-actions[bot] avatar Jan 23 '24 13:01 github-actions[bot]

No, it's not fixed. I did it on the latest version. A debug log is not needed, I think; this missing functionality is obvious. I checked your code where it's missing:

file: dns_aws.sh

_use_instance_role() {
  _url="http://169.254.169.254/latest/meta-data/iam/security-credentials/"
  _debug "_url" "$_url"
  # Plain GET with no X-aws-ec2-metadata-token header and no prior PUT to
  # /latest/api/token, so an instance with IMDSv2 set to "Required" answers 401
  if ! _get "$_url" true 1 | _head_n 1 | grep -Fq 200; then
    _debug "Unable to fetch IAM role from instance metadata"
    return 1
  fi
  # Second untokened GET: the role name, then the credential document for it
  _aws_role=$(_get "$_url" "" 1)
  _debug "_aws_role" "$_aws_role"
  _use_metadata "$_url$_aws_role"
}

pipozzz avatar Jan 23 '24 14:01 pipozzz
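As an added example (not acme.sh code, and not posted by anyone in this thread), the following POSIX sh shows the IMDSv2 flow that `_use_instance_role` above lacks: a PUT to `/latest/api/token` carrying `X-aws-ec2-metadata-token-ttl-seconds` returns a session token, and every subsequent metadata GET must carry it in `X-aws-ec2-metadata-token`. The endpoint paths and header names are the real IMDS ones; the function and variable names (`IMDS_BASE`, `_imds_http`, `imds_token`, `imds_get`, `imds_role_credentials`, `export_role_credentials`) are chosen here. If the PUT fails (IMDSv1-only host, or a container whose route to the metadata service exceeds the instance's `HttpPutResponseHopLimit`), it falls back to an untokened GET, which only succeeds when IMDSv2 is "Optional". It assumes `curl` is installed.

```shell
#!/bin/sh
# Added example: fetch EC2 instance-role credentials via IMDSv2, with an
# IMDSv1 fallback. Not acme.sh code; names below are chosen for this example.

IMDS_BASE="${IMDS_BASE:-http://169.254.169.254}"
IMDS_TOKEN_TTL=21600   # seconds; 21600 is the maximum IMDS accepts

# Thin transport wrapper so the HTTP layer can be swapped out (e.g. in tests).
# $1 = method, $2 = path, remaining args = extra curl options such as -H headers.
# -f makes curl exit non-zero on 4xx/5xx, which is how a 401 surfaces.
_imds_http() {
  _m="$1"; _p="$2"; shift 2
  curl -sS -f --connect-timeout 2 --max-time 5 -X "$_m" "$@" "$IMDS_BASE$_p"
}

# Obtain an IMDSv2 session token. Prints the token, or nothing when the PUT
# fails (non-EC2 host, IMDSv1-only, or hop limit exceeded from a container).
imds_token() {
  _imds_http PUT /latest/api/token \
    -H "X-aws-ec2-metadata-token-ttl-seconds: $IMDS_TOKEN_TTL" 2>/dev/null || true
}

# GET a metadata path; attach the token header when a token is available,
# otherwise fall back to an untokened (IMDSv1-style) request.
imds_get() {
  _path="$1"; _tok="$2"
  if [ -n "$_tok" ]; then
    _imds_http GET "$_path" -H "X-aws-ec2-metadata-token: $_tok"
  else
    _imds_http GET "$_path"
  fi
}

# Extract one string field from the flat JSON credential document IMDS returns.
# (sed instead of jq so the example has no extra dependency.)
json_field() {
  sed -n "s/.*\"$1\" *: *\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Resolve the attached role and print "AccessKeyId SecretAccessKey Token".
# Returns 1 when no role is attached or the metadata service refuses us.
imds_role_credentials() {
  _tok=$(imds_token)
  _role=$(imds_get /latest/meta-data/iam/security-credentials/ "$_tok") || return 1
  [ -n "$_role" ] || return 1
  _creds=$(imds_get "/latest/meta-data/iam/security-credentials/$_role" "$_tok") || return 1
  _ak=$(printf '%s' "$_creds" | json_field AccessKeyId)
  _sk=$(printf '%s' "$_creds" | json_field SecretAccessKey)
  _st=$(printf '%s' "$_creds" | json_field Token)
  [ -n "$_ak" ] && [ -n "$_sk" ] && [ -n "$_st" ] || return 1
  printf '%s %s %s\n' "$_ak" "$_sk" "$_st"
}

# Export the triple as the standard AWS_* variables. Role credentials are
# temporary STS credentials, so the session token is mandatory, not optional.
export_role_credentials() {
  _line=$(imds_role_credentials) || return 1
  set -- $_line
  AWS_ACCESS_KEY_ID="$1"; AWS_SECRET_ACCESS_KEY="$2"; AWS_SESSION_TOKEN="$3"
  export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
}

# Usage (hypothetical domain):
#   . ./imds_creds.sh && export_role_credentials && \
#     acme.sh --issue --dns dns_aws -d example.com
```

Running `export_role_credentials` in the shell before `acme.sh --issue --dns dns_aws ...` hands dns_aws.sh the credentials through `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `AWS_SESSION_TOKEN`, so the script never has to talk to IMDS itself; a quick way to check that the instance really is in "Required" mode is that `imds_get /latest/meta-data/ ""` (no token) fails while the same call with a token from `imds_token` succeeds.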

Just to make sure I understand...you do NOT wish to set IMDSv2 to "Optional" in the instance settings, correct?

Otherwise, please see below. Set IMDSv2 to "Optional". I did, and it worked for me. It failed with "You haven't specified the aws route53 api key id and and api key secret yet." when IMDSv2 was set to "Required".


clsmyth-hellolabs avatar Jan 23 '24 21:01 clsmyth-hellolabs

I use "Required" because AWS strongly recommends it; btw, Security Hub complains when you have v1 enabled.

pipozzz avatar Jan 24 '24 20:01 pipozzz

Hi, I upgraded acme.sh and tried to rerun the --renew command, but no luck. I'm getting this error:

[Wed Apr 10 11:27:27 UTC 2024] Response error: <ErrorResponse xmlns="https://route53.amazonaws.com/doc/2013-04-01/"><Error><Type>Sender</Type><Code>InvalidClientTokenId</Code><Message>The security token included in the request is invalid.</Message></Error><RequestId>3e91a42b-8398-4a6b-96e6-f3105b08eb21</RequestId></ErrorResponse>

When I try to get role credentials manually from the metadata service it works, but using acme.sh

pipozzz avatar Apr 17 '24 14:04 pipozzz