Comment 1 for bug 1865947

Chad Smith (chad.smith) wrote : Re: instance-data.json could contain security sensitive content

Validated current broken state if I follow this procedure:

1. Create and launch a VM using an IAM role (which exposes the 'security-credentials' metadata keys to the instance):
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html

2. And then disable cloud-init's logic which skips 'security-credentials' when crawling IMDS

cat > enable-security-creds.patch <<EOF
ubuntu@ip-172-31-80-198:~$ diff -urN /usr/lib/python3/dist-packages/cloudinit/ec2_utils.py.orig /usr/lib/python3/dist-packages/cloudinit/ec2_utils.py
--- /usr/lib/python3/dist-packages/cloudinit/ec2_utils.py.orig 2020-03-03 23:13:02.791518559 +0000
+++ /usr/lib/python3/dist-packages/cloudinit/ec2_utils.py 2020-03-03 23:12:46.679999055 +0000
@@ -85,8 +85,8 @@
             if not field or not field_name:
                 continue
             # Don't materialize credentials
- if field_name == 'security-credentials':
- continue
+ #if field_name == 'security-credentials':
+ # continue
             if has_children(field):
                 if field_name not in children:
                     children.append(field_name)
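Review bot: the four `-`/`+` lines have lost the 12-space indentation that the surrounding context lines keep, so `patch` will not match `if field_name == 'security-credentials':` against ec2_utils.py and will reject this hunk unless run with `-l`/`--ignore-whitespace`; restore the indentation (and a `#` prefix at the same column for the two `+` lines) so the hunk applies cleanly. Since the hunk deliberately disables the guard that keeps credentials from being materialized, it belongs only in this reproduction, not in anything shipped.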
EOF

scp enable-security-creds.patch ubuntu@<MY_EC2_IAM_VM>:.
ssh ubuntu@<MY_EC2_IAM_VM>
cd /
sudo patch -p1 < /home/ubuntu/enable-security-creds.patch

3. Reboot/rerun cloudinit
sudo cloud-init clean --logs --reboot

4. sudo grep redacted /run/cloud-init/instance-data*
# Note redacted content should *not* be in instance-data-sensitive.json
/run/cloud-init/instance-data-sensitive.json: "security-credentials": "redacted for non-root user"
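As an added check for the state described in this comment (not code from the comment or from cloud-init itself), the script below walks a parsed instance-data document and reports every 'security-credentials' key whose value is not the redaction sentinel, which is what a defender wants to assert against the world-readable /run/cloud-init/instance-data.json. The nested layout under ds/meta-data/iam and the sample values are constructed assumptions.

```python
import json
import os
import stat

# Metadata keys cloud-init should never materialize in the world-readable file;
# 'security-credentials' is the one this bug is about.
SENSITIVE_KEYS = {"security-credentials"}
# Sentinel cloud-init writes in place of a sensitive value for non-root readers
# (the string shown in the grep output above).
REDACTED = "redacted for non-root user"


def find_leaks(data, path=""):
    """Return JSON paths of sensitive keys whose value is not the sentinel."""
    leaks = []
    if isinstance(data, dict):
        for key, value in data.items():
            child = f"{path}/{key}"
            if key in SENSITIVE_KEYS and value != REDACTED:
                leaks.append(child)
            leaks.extend(find_leaks(value, child))
    elif isinstance(data, list):
        for i, item in enumerate(data):
            leaks.extend(find_leaks(item, f"{path}[{i}]"))
    return leaks


def check_instance_data(path="/run/cloud-init/instance-data.json"):
    """Load the world-readable file and return (leak_paths, world_readable)."""
    with open(path) as fh:
        leaks = find_leaks(json.load(fh))
    world_readable = bool(os.stat(path).st_mode & stat.S_IROTH)
    return leaks, world_readable


# Constructed sample of a correctly redacted instance-data.json (assumed layout).
SAMPLE_REDACTED = {"ds": {"meta-data": {"iam": {"security-credentials": REDACTED}}}}
# Constructed sample of the broken state: the IAM role credentials were crawled
# and written out instead of the sentinel (values are placeholders).
SAMPLE_LEAKED = {"ds": {"meta-data": {"iam": {"security-credentials": {
    "my-role": {"AccessKeyId": "AKIA_PLACEHOLDER", "SecretAccessKey": "PLACEHOLDER"}}}}}}

if __name__ == "__main__":
    print("redacted sample leaks:", find_leaks(SAMPLE_REDACTED))
    print("leaked sample leaks:", find_leaks(SAMPLE_LEAKED))
```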