Validated current broken state if I follow this procedure:

1. Create and launch a VM using an IAM role (which exposes the 'security-credentials' metadata keys to the instance): https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html

2. Then disable cloud-init's logic which skips 'security-credentials' when crawling IMDS:

cat > enable-security-creds.patch <<EOF
ubuntu@ip-172-31-80-198:~$ diff -urN /usr/lib/python3/dist-packages/cloudinit/ec2_utils.py.orig /usr/lib/python3/dist-packages/cloudinit/ec2_utils.py
--- /usr/lib/python3/dist-packages/cloudinit/ec2_utils.py.orig 2020-03-03 23:13:02.791518559 +0000
+++ /usr/lib/python3/dist-packages/cloudinit/ec2_utils.py 2020-03-03 23:12:46.679999055 +0000
@@ -85,8 +85,8 @@
 if not field or not field_name:
 continue
 # Don't materialize credentials
- if field_name == 'security-credentials':
- continue
+ #if field_name == 'security-credentials':
+ # continue
 if has_children(field):
 if field_name not in children:
 children.append(field_name)
EOF
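Review bot: commenting out the skip at line 88 instead of deleting it is fine for a throwaway reproduction patch, but it means the IMDS crawl now descends into `security-credentials` and the role's keys get materialized into the instance-data files under /run/cloud-init; keep the patched ec2_utils.py on the test instance only and revert it (`patch -R` with the same file, or reinstall the cloud-init package) once step 4 has been checked. Also, the heredoc keeps the `ubuntu@ip-172-31-80-198:~$ diff -urN ...` prompt line as the first line of the patch file; `patch` tolerates it as leading garbage, but dropping it makes the file a clean unified diff.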
scp enable-security-creds.patch ubuntu@<MY_EC2_IAM_VM>:.
ssh ubuntu@<MY_EC2_IAM_VM>
cd /
sudo patch -p1 < /home/ubuntu/enable-security-creds.patch

3. Reboot/rerun cloud-init:

sudo cloud-init clean --logs --reboot

4. sudo grep redacted /run/cloud-init/instance-data*

# Note redacted content should *not* be in instance-data-sensitive.json
/run/cloud-init/instance-data-sensitive.json: "security-credentials": "redacted for non-root user"
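A check for step 4 that runs offline, added here as an example and not part of the bug report or of cloud-init itself: it walks both instance-data documents for every `security-credentials` key and reports the two failure modes, the redaction marker sitting inside the root-only instance-data-sensitive.json (what the grep above shows) and, as a generalization, an unredacted value in the world-readable instance-data.json. The nesting `ds/meta-data/iam/security-credentials` used in the sample documents and the `load_and_check` file reader are assumptions; the sample documents and the placeholder credential values are constructed.

```python
import json

# Paths cloud-init writes on the instance (as in the report); the constructed
# sample documents below stand in for them so the check runs offline.
PUBLIC_PATH = "/run/cloud-init/instance-data.json"
SENSITIVE_PATH = "/run/cloud-init/instance-data-sensitive.json"
REDACTED = "redacted for non-root user"
KEY = "security-credentials"


def find_key(obj, key, path=()):
    """Yield (path, value) for every occurrence of `key` in nested JSON data."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            child = path + (k,)
            if k == key:
                yield child, v
            yield from find_key(v, key, child)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from find_key(v, key, path + (str(i),))


def check_instance_data(public_doc, sensitive_doc, key=KEY):
    """Return a list of findings; an empty list means both files look right.

    - the world-readable file must carry only the redaction marker for `key`
    - the root-only file must carry the real data and never the marker
      (the condition step 4 of the report reproduces)
    """
    findings = []
    for path, value in find_key(public_doc, key):
        if value != REDACTED:
            findings.append("unredacted %s in %s at %s"
                            % (key, PUBLIC_PATH, "/".join(path)))
    for path, value in find_key(sensitive_doc, key):
        if value == REDACTED:
            findings.append("redaction marker for %s in %s at %s"
                            % (key, SENSITIVE_PATH, "/".join(path)))
    return findings


def load_and_check(public_path=PUBLIC_PATH, sensitive_path=SENSITIVE_PATH):
    """Run the check against the real files (reading the sensitive one needs root)."""
    with open(public_path) as f:
        public_doc = json.load(f)
    with open(sensitive_path) as f:
        sensitive_doc = json.load(f)
    return check_instance_data(public_doc, sensitive_doc)


# Constructed sample documents (assumed nesting) mirroring the grep output in
# the report: the public file is correctly redacted, the sensitive file wrongly
# holds the marker instead of the credential data.
SAMPLE_PUBLIC = {"ds": {"meta-data": {"iam": {KEY: REDACTED}}}}
SAMPLE_SENSITIVE = {"ds": {"meta-data": {"iam": {KEY: REDACTED}}}}
# What the sensitive file should contain; values are placeholders, not real keys.
SAMPLE_SENSITIVE_FIXED = {"ds": {"meta-data": {"iam": {KEY: {
    "my-role": {"AccessKeyId": "PLACEHOLDER", "SecretAccessKey": "PLACEHOLDER"}}}}}}

if __name__ == "__main__":
    for finding in check_instance_data(SAMPLE_PUBLIC, SAMPLE_SENSITIVE):
        print("BROKEN:", finding)
    print("fixed layout findings:",
          check_instance_data(SAMPLE_PUBLIC, SAMPLE_SENSITIVE_FIXED))
```

On a real instance, `sudo python3 check.py` with `load_and_check()` in place of the sample call gives the same pass/fail answer as the grep in step 4, plus the leak check on the public file.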