Write redacted metadata to /run/cloud-init/instance-data.json
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
cloud-init | Fix Released | Undecided | Unassigned |
Bug Description
Cloud-init persists world-readable instance metadata in /run/cloud-
Cloud-init has a facility whereby clouds could define a via sensitive_
No clouds are redacting metadata using this mechanism currently.
When cloud-init persists instance-data.json it should write the redacted content to the world-readable /run/cloud-
It currently writes the wrong content to each file. No clouds currently are exposed to this bug.
information type: Public → Private Security
summary: - instance-data.json could contain security sensitive content
summary: + Write redacted metadata to /run/cloud-init/instance-data.json
description: updated
information type: Private Security → Public
description: updated
description: updated
description: updated
Validated current broken state if I follow this procedure:
1. Create and launch a VM using an IAM role (which exposes the 'security-credentials' metadata keys to the instance): https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
2. And then disable cloud-init's logic which skips 'security-credentials' when crawling IMDS
cat > enable- security- creds.patch <<EOF ip-172- 31-80-198: ~$ diff -urN /usr/lib/ python3/ dist-packages/ cloudinit/ ec2_utils. py.orig /usr/lib/ python3/ dist-packages/ cloudinit/ ec2_utils. py python3/ dist-packages/ cloudinit/ ec2_utils. py.orig 2020-03-03 23:13:02.791518559 +0000 python3/ dist-packages/ cloudinit/ ec2_utils. py 2020-03-03 23:12:46.679999055 +0000
continue credentials' : credentials' : field):
children. append( field_name)
ubuntu@
--- /usr/lib/
+++ /usr/lib/
@@ -85,8 +85,8 @@
if not field or not field_name:
# Don't materialize credentials
- if field_name == 'security-
- continue
+ #if field_name == 'security-
+ # continue
if has_children(
if field_name not in children:
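Review bot: Commenting out the `if field_name == 'security-credentials': continue` guard (the two `-`/`+` pairs in this hunk, directly under the "# Don't materialize credentials" comment) makes the IMDS crawler materialize the IAM security credentials into instance-data, which is exactly the input the redaction path has to handle; since the hunk is a reproduction aid rather than a proposed fix, a one-line comment stating that the skip is disabled only to exercise sensitive-key redaction would keep the patched ec2_utils.py from being mistaken for intended behaviour, and the dead `#if` / `# continue` lines could simply be deleted instead of left in place.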
EOF
scp enable-security-creds.patch ubuntu@<MY_EC2_IAM_VM>:.
ssh ubuntu@<MY_EC2_IAM_VM>
cd /
sudo patch -p1 < /home/ubuntu/enable-security-creds.patch
3. Reboot/rerun cloud-init
cloud-init clean --logs --reboot
4. sudo grep redacted /run/cloud-init/instance-data*
/run/cloud-init/instance-data-sensitive.json: "security-credentials": "redacted for non-root user"
# Note redacted content should *not* be in instance-data-sensitive.json
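The bug description says cloud-init should write the redacted copy to the world-readable instance-data.json and the full copy to the root-only instance-data-sensitive.json, and the validation procedure above checks which file the "redacted for non-root user" string ends up in. The following is an added example, not cloud-init's own code: it shows the intended split (redact the keys a datasource marks as sensitive, write the public file 0644 and the sensitive file 0600) and a check that mirrors the grep step. The metadata dict, the SENSITIVE_KEYS path list and all function names are constructed for illustration; the page refers to a "sensitive_..." mechanism but does not give its exact name, so the path format here is an assumption.

```python
import json
import os
import stat
import tempfile

# Constructed sample: the rough shape of what an IMDS crawl puts into
# instance-data. Every value here is made up; nothing is a real credential.
SAMPLE_METADATA = {
    "ds": {
        "meta_data": {
            "instance-id": "i-0123456789abcdef0",
            "iam": {
                "security-credentials": {
                    "example-role": {
                        "AccessKeyId": "CONSTRUCTED-KEY-ID",
                        "SecretAccessKey": "CONSTRUCTED-SECRET",
                    }
                }
            },
        }
    }
}

# Hypothetical: slash-separated paths a datasource marks as sensitive.
# The page mentions a "sensitive_..." facility; this representation is assumed.
SENSITIVE_KEYS = ["ds/meta_data/iam/security-credentials"]

# The placeholder string that appears in the page's grep output.
REDACT_SENTINEL = "redacted for non-root user"


def redact(data, sensitive_paths):
    """Return a deep copy of data with each sensitive path replaced by the sentinel."""
    out = json.loads(json.dumps(data))  # deep copy of JSON-serialisable data
    for path in sensitive_paths:
        parts = path.split("/")
        node = out
        for part in parts[:-1]:
            node = node.get(part) if isinstance(node, dict) else None
            if node is None:
                break
        if isinstance(node, dict) and parts[-1] in node:
            node[parts[-1]] = REDACT_SENTINEL
    return out


def write_instance_data(run_dir, data, sensitive_paths):
    """Write the redacted copy world-readable and the full copy root-only.

    The correct behaviour described in the bug: redacted content goes to
    instance-data.json (0644), unredacted content to
    instance-data-sensitive.json (0600).
    """
    public = os.path.join(run_dir, "instance-data.json")
    private = os.path.join(run_dir, "instance-data-sensitive.json")
    with open(public, "w") as fh:
        json.dump(redact(data, sensitive_paths), fh, indent=1)
    os.chmod(public, 0o644)
    # Create the sensitive file with 0600 from the start so the unredacted
    # content never exists on disk with wider permissions.
    fd = os.open(private, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(data, fh, indent=1)
    os.chmod(private, 0o600)  # defensive: ignore any permissive umask
    return public, private


def check_layout(run_dir):
    """Mirror the page's grep step: which file contains the sentinel, and each file's mode."""
    result = {}
    for name in ("instance-data.json", "instance-data-sensitive.json"):
        path = os.path.join(run_dir, name)
        with open(path) as fh:
            text = fh.read()
        mode = stat.S_IMODE(os.stat(path).st_mode)
        result[name] = {"redacted": REDACT_SENTINEL in text, "mode": mode}
    return result


def demo():
    """Write both files into a temporary directory and report the layout."""
    run_dir = tempfile.mkdtemp(prefix="cloud-init-example-")
    write_instance_data(run_dir, SAMPLE_METADATA, SENSITIVE_KEYS)
    return check_layout(run_dir)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

In the correct state `check_layout` reports the sentinel only under instance-data.json; the broken state the procedure above demonstrates would instead report it under instance-data-sensitive.json, which is what the grep in step 4 surfaces.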