
Support for AWS IMDSv2

Open ade90036 opened this issue 2 years ago • 5 comments

Type: Feature

Is your feature request related to a problem? Please describe.

Secrets propagation to an application can be dealt with in different ways. The most convenient way is to use the AWS metadata IMDSv1 to configure application credentials via token propagation.

For a security oriented company this is not enough. Accessing the metadata is not protected or challenged. A threat actor could use access tokens for an SSRF attack. As these tokens can be used outside AWS, an attacker could, for example, access RDB, S3... instant carnage.

Describe the solution you'd like

While the IMDSv2 doesn't mitigate all the risks, it is a step in the right direction. Session-based tokens.

What I would like to see is spring-cloud-aws using this mechanism rather than what it is currently doing, which is based on IMDSv1.

Describe alternatives you've considered

N/A

Additional context

Add any other context or screenshots about the feature request here.

ade90036 avatar Mar 01 '22 18:03 ade90036

Correct me if I am wrong, but AFAIK AWS SDK has built-in support for IMDSv2 in the default credentials chain and there is nothing we need to do in Spring Cloud AWS to support it ..?

maciejwalkowiak avatar Apr 17 '22 06:04 maciejwalkowiak

That's a really good question, let me check.

Support for IMDSv2 was added in:

  • 1.11.678 of aws-java-sdk (commit 06a2180e)
  • 2.10.20 of aws-java-sdk-v2 (commit 53451414)

So I suspect that using the right SDK with the default credential chains the application should be able to configure itself?

Is there any other configuration needed from spring-cloud-aws, or some special overrides?

Last time I checked this I had deployed a spring-cloud-aws based app and I was getting a 403 when the app was trying to resolve the credentials; googling the error led me to IMDSv2, in particular to the PUT HTTP call that retrieves the session token.

ade90036 avatar Apr 17 '22 08:04 ade90036
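The IMDSv2 handshake referred to above (the PUT that issues a session token, followed by metadata GETs that present it) and the SSRF concern from the original report, as an added example that is not part of this thread or of Spring Cloud AWS: a small Python client run against a constructed, in-process mock of the metadata service. The mock, its token and the role name are constructed assumptions; it behaves like an instance with IMDSv1 disabled (HttpTokens=required), so a token-less IMDSv1-style GET is refused with 401 while the v2 flow succeeds.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN_PATH = "/latest/api/token"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"
MOCK_TOKEN = "constructed-session-token"  # constructed value, not a real IMDS token

# Constructed stand-in for IMDS with IMDSv1 disabled (HttpTokens=required mode).
class MockImds(BaseHTTPRequestHandler):
    def do_PUT(self):
        # IMDSv2 step 1: PUT /latest/api/token with a TTL header yields a session token.
        if self.path == TOKEN_PATH and TTL_HEADER in self.headers:
            self._reply(200, MOCK_TOKEN)
        else:
            self._reply(400, "bad token request")

    def do_GET(self):
        # IMDSv2 step 2: every GET must carry the token; real IMDS answers 401 otherwise.
        if self.headers.get(TOKEN_HEADER) != MOCK_TOKEN:
            self._reply(401, "token required")
        elif self.path == CREDS_PATH:
            self._reply(200, "constructed-role-name")  # constructed role name
        else:
            self._reply(404, "not found")

    def _reply(self, status, body):
        self.send_response(status)
        self.end_headers()
        self.wfile.write(body.encode())

def start_mock():
    # Bind to an ephemeral loopback port so the demo runs offline.
    server = HTTPServer(("127.0.0.1", 0), MockImds)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]

def fetch_metadata(base, path, use_imdsv2=True, ttl=21600):
    # Returns (status, body); with use_imdsv2 the token handshake runs first.
    headers = {}
    if use_imdsv2:
        req = urllib.request.Request(base + TOKEN_PATH, method="PUT", headers={TTL_HEADER: str(ttl)})
        with urllib.request.urlopen(req) as r:
            headers[TOKEN_HEADER] = r.read().decode()
    try:
        with urllib.request.urlopen(urllib.request.Request(base + path, headers=headers)) as r:
            return r.status, r.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()
```

On a real instance the equivalent enforcement is the instance metadata option HttpTokens=required, which is what makes an SDK or library that still speaks only IMDSv1 fail to resolve credentials.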

Can you verify that it is the case or push somewhere an example I could play with? Also, you're welcome to contribute this feature.

maciejwalkowiak avatar Apr 17 '22 10:04 maciejwalkowiak

Absolutely,

I'll get something set up for you.

ade90036 avatar Apr 17 '22 11:04 ade90036

@ade90036 any news here?

maciejwalkowiak avatar May 06 '22 11:05 maciejwalkowiak

Closing.

maciejwalkowiak avatar Mar 01 '23 09:03 maciejwalkowiak