awslogs: Update aws-sdk-go to support IMDSv2#40474
Merged
AkihiroSuda merged 1 commit intomoby:masterfrom Feb 8, 2020
Merged
Conversation
AWS recently launched a new version of the EC2 Instance Metadata Service, which is used to provide credentials to the awslogs driver when running on Amazon EC2. This new version of the IMDS adds defense-in-depth mechanisms against open firewalls, reverse proxies, and SSRF vulnerabilities and is generally an improvement over the previous version. An updated version of the AWS SDK is able to handle the both the previous version and the new version of the IMDS and functions when either is enabled. More information about IMDSv2 is available at the following links: * https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/ * https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html Closes moby#40422 Signed-off-by: Samuel Karp <skarp@amazon.com>
AkihiroSuda
approved these changes
Feb 8, 2020
Member
|
@samuelkarp Does this introduce user-facing changes? (new log-driver options to be documented in https://github.com/docker/docker.github.io/blob/629a147a65494cee7172072889dfffebc46071d2/config/containers/logging/awslogs.md)? |
Member
Author
|
@thaJeztah There are no new log-driver options. This change makes automatic credential retrieval on EC2 work in more situations, without requiring the user to do anything. The existing Credentials section of that doc is not very detailed; unless we want to rewrite it entirely I don't believe it needs to be updated. |
Member
|
Great, thanks! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
- What I did
AWS recently launched a new version of the EC2 Instance Metadata Service, which is used to provide credentials to the awslogs driver when running on Amazon EC2. This new version of the IMDS adds defense-in-depth mechanisms against open firewalls, reverse proxies, and SSRF vulnerabilities and is generally an improvement over the previous version. An updated version of the AWS SDK is able to handle the both the previous version and the new version of the IMDS and functions when either is enabled.
More information about IMDSv2 is available at the following links:
Closes #40422
- How I did it
- How to verify it
awslogsdriver and ensure that it writes to CloudWatch Logs successfully- Description for the changelog
awslogs: Update aws-sdk-go to support IMDSv2