Bug 2151986

Summary: [RFE] Add support for IMDSv2 to nm-cloud-setup
Product: Red Hat Enterprise Linux 9 Reporter: Sara Ferguson <sferguso>
Component: NetworkManagerAssignee: NetworkManager Development Team <nm-team>
Status: VERIFIED --- QA Contact: David Jaša <djasa>
Severity: medium Docs Contact: Mayur Patil <maypatil>
Priority: medium    
Version: 9.1CC: bgalvani, fguilher, jklech, libhe, linl, lrintel, maypatil, qzhang, rkhan, sfaye, sukulkar, thaller, till, vbenes, xiliang, ymao
Target Milestone: rcKeywords: FutureFeature, Triaged
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: NetworkManager-1.43.3-1.el9 Doc Type: Enhancement
Doc Text:
Feature: NetworkManager now supports the AWS EC2 Instance Metadata Service Version 2 (IMDSv2), expanding its cloud setup capabilities. Reason: This development was driven by the increasing adoption of IMDSv2 due to improved security and compliance features that restrict unauthorized access to EC2 metadata. The integration between NetworkManager and IMDSv2 was necessary to meet the needs of AWS and Red Hat customers who rely on these advanced features. Result: The enhancement allows nm-cloud-setup to fetch and save IMDSv2 tokens, verify EC2 environments, and retrieve information about available interfaces and IP configurations by using the secured IMDSv2 tokens. This addition not only increases NetworkManager's compatibility with AWS services but also ensures a higher level of security for EC2 metadata. As a result, Red Hat customers can better meet their compliance requirements while maintaining efficient cloud setup processes.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2183217    

Comment 8 libhe 2023-03-20 03:29:36 UTC 
It seems that it has introduced a regression bug 2179718.
Comment 12 David Jaša 2023-05-01 17:10:18 UTC 
VERIFIED using NetworkManager-1.43.6-1.el9:



Token is acquired:
    [Request URI: http://169.254.169.254/latest/api/token]
    File Data: 56 bytes
    Data (56 bytes)

0000  41 51 41 41 41 4c 48 2d 6b 37 69 31 38 4a 4d 6b   AQAAALH-k7i18JMk
0010  4b 2d 4f 52 4c 5a 51 66 41 61 37 6e 6b 4e 6a 51   K-ORLZQfAa7nkNjQ
0020  62 4b 77 70 51 50 45 78 4e 48 71 7a 6b 31 6f 4c   bKwpQPExNHqzk1oL
0030  5f 37 65 68 2d 41 3d 3d                           _7eh-A==



And then used:
Hypertext Transfer Protocol
    GET /2018-09-24/meta-data/network/interfaces/macs/ HTTP/1.1\r\n
        [Expert Info (Chat/Sequence): GET /2018-09-24/meta-data/network/interfaces/macs/ HTTP/1.1\r\n]
            [GET /2018-09-24/meta-data/network/interfaces/macs/ HTTP/1.1\r\n]
            [Severity level: Chat]
            [Group: Sequence]
        Request Method: GET
        Request URI: /2018-09-24/meta-data/network/interfaces/macs/
        Request Version: HTTP/1.1
    Host: 169.254.169.254\r\n
    Accept: */*\r\n
    X-aws-ec2-metadata-token: AQAAALH-k7i18JMkK-ORLZQfAa7nkNjQbKwpQPExNHqzk1oL_7eh-A==\r\n
    \r\n
    [Full request URI: http://169.254.169.254/2018-09-24/meta-data/network/interfaces/macs/]