spring-cloud-aws
Support for AWS IMDSv2
Type: Feature
Is your feature request related to a problem? Please describe.
Secrets propagation to an application can be dealt with in different ways. The most convenient way is to use the AWS metadata service (IMDSv1) to configure the application's credentials via token propagation.
For a security-oriented company this is not enough. Accessing the metadata is not protected or challenged. A threat actor could use the access tokens for an SSRF attack. As these tokens can be used outside AWS, an attacker could, for example, access RDB, S3... instant carnage.
Describe the solution you'd like
While IMDSv2 doesn't mitigate all the risks, it is a step in the right direction: session-based tokens.
What I would like to see is spring-cloud-aws using this mechanism rather than what it currently does, which is based on IMDSv1.
Describe alternatives you've considered
N/A
Additional context
Correct me if I am wrong, but AFAIK the AWS SDK has built-in support for IMDSv2 in the default credentials chain, and there is nothing we need to do in Spring Cloud AWS to support it?
That's a really good question, let me check
Support for IMDSv2 was added in:
- 1.11.678 of aws-java-sdk (commit 06a2180e)
- 2.10.20 of aws-java-sdk-v2 (commit 53451414)
So I suspect that, using the right SDK with the default credential chain, the application should be able to configure itself?
Is there any other configuration needed from spring-cloud-aws, or some special overrides?
Last time I checked this I had deployed a spring-cloud-aws based app and I was getting a 403 when the app was trying to resolve the credentials. Googling the error led me to IMDSv2, in particular to the PUT HTTP call that retrieves the session token.
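The IMDSv2 handshake mentioned in the reply above, as an added runnable example that is not code from this issue or from Spring Cloud AWS: a loopback mock of the metadata service (constructed for this example; the role name, port and credential values are made up) plus a client that performs the token PUT and the token-bearing GET. The mock follows the documented IMDSv2 rules the thread relies on: a GET without a token is refused with 401 when tokens are required, the TTL header on the token PUT is mandatory, and a token PUT that arrives with an X-Forwarded-For header (as it does through a forward proxy) is rejected. The hop-limit check is not modelled.

```python
"""Mock EC2 instance metadata service: IMDSv1-style access vs the IMDSv2 token handshake."""
import json
import secrets
import threading
import time
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN_PATH = "/latest/api/token"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/app-role"  # role name is hypothetical
TOKEN_TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"

# Constructed, non-functional credential material returned by the mock.
FAKE_CREDS = {"AccessKeyId": "ASIAEXAMPLEEXAMPLE",
              "SecretAccessKey": "not-a-real-secret",
              "Token": "not-a-real-session-token"}


class MockImds(BaseHTTPRequestHandler):
    """Minimal stand-in for 169.254.169.254. Subclassed per server so token state is not shared."""
    require_token = True   # like HttpTokens=required in the instance metadata options
    tokens = {}            # session token -> expiry (unix time)

    def log_message(self, *args):   # keep the server quiet
        pass

    def _reply(self, code, body=""):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_PUT(self):
        if self.path != TOKEN_PATH:
            return self._reply(404)
        # IMDSv2 refuses token requests carrying X-Forwarded-For, which proxies add;
        # that blocks the "SSRF through an open proxy" route to a session token.
        if "X-Forwarded-For" in self.headers:
            return self._reply(403)
        ttl = self.headers.get(TOKEN_TTL_HEADER, "")
        if not ttl.isdigit() or not 1 <= int(ttl) <= 21600:
            return self._reply(400)   # TTL header is mandatory, at most six hours
        token = secrets.token_urlsafe(32)
        self.tokens[token] = time.time() + int(ttl)
        self._reply(200, token)

    def do_GET(self):
        if self.path != CREDS_PATH:
            return self._reply(404)
        token = self.headers.get(TOKEN_HEADER)
        if token is None:
            if self.require_token:
                return self._reply(401)   # IMDSv1-style request refused
        elif self.tokens.get(token, 0) < time.time():
            return self._reply(401)       # unknown or expired session token
        self._reply(200, json.dumps(FAKE_CREDS))


def start_server(require_token=True):
    """Start a mock IMDS on a random loopback port and return its base URL."""
    handler = type("Imds", (MockImds,), {"require_token": require_token, "tokens": {}})
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}"


def request(base, path, method="GET", headers=None):
    """Return (status, body); HTTP errors are returned rather than raised."""
    req = urllib.request.Request(base + path, method=method, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, ""


def fetch_credentials_v1(base):
    """What a plain unauthenticated GET (the IMDSv1 path, and a typical SSRF) yields."""
    return request(base, CREDS_PATH)


def fetch_credentials_v2(base, ttl=60):
    """The IMDSv2 handshake: PUT for a session token, then GET with the token header."""
    status, token = request(base, TOKEN_PATH, "PUT", {TOKEN_TTL_HEADER: str(ttl)})
    if status != 200:
        return status, ""
    return request(base, CREDS_PATH, headers={TOKEN_HEADER: token})


def fetch_token_via_proxy(base, ttl=60):
    """A token request as it arrives after a forward proxy has added X-Forwarded-For."""
    return request(base, TOKEN_PATH, "PUT",
                   {TOKEN_TTL_HEADER: str(ttl), "X-Forwarded-For": "203.0.113.7"})


if __name__ == "__main__":
    legacy = start_server(require_token=False)
    strict = start_server(require_token=True)
    print("IMDSv1 allowed, plain GET:     ", fetch_credentials_v1(legacy)[0])
    print("IMDSv2 required, plain GET:    ", fetch_credentials_v1(strict)[0])
    print("IMDSv2 required, PUT then GET: ", fetch_credentials_v2(strict)[0])
    print("IMDSv2 required, proxied PUT:  ", fetch_token_via_proxy(strict)[0])
```

The plain GET succeeding against the `require_token=False` server is the IMDSv1 exposure the issue describes; against the strict server the same request is refused and only the two-step client succeeds, which is the path a current SDK default credential chain takes.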
Can you verify that it is the case or push somewhere an example I could play with? Also, you're welcome to contribute this feature.
Absolutely, I'll get something set up for you.
@ade90036 any news here?
Closing.