Provide an environment variable to disable IMDSv2 path #2980
Description
Is this related to a problem?
The IMDS code has a 5-second timeout in fetching data from the IMDS, which includes trying to fetch the IMDSv2 session token. This can cause slowness when running inside of a Docker container, especially when multiple calls to the IMDS are made in serial, each of which uses a different EC2Metadata client. This seems to have been reported in #2972.
I'm a HashiCorp Vault community member who often helps with Vault integrations with AWS. I submitted a PR to update the version of the aws-sdk-go to a recent version to take advantage of IMDSv2, but the potential hit to the user experience for users running inside of Docker containers seems poor -- it'll take some time for full adoption of IMDSv2 to the entire AWS ecosystem such that the default hop limit can be set to two to allow for workloads running in Docker containers (e.g., I don't believe that, as of today, autoscaling groups or Fargate tasks support non-default Metadata options). Until then, while I think this is a great capability to add to Vault, it should really provide end users with a fallback option/"escape hatch" to disable the use of IMDSv2 until the penetration of IMDS support has achieved critical mass to where it's no longer needed.
Feature description
Provide an environment variable, e.g., AWS_EC2_DISABLE_IMDSV2, which will cause the SDK to always fall back to IMDSv1.
Describe alternatives you've considered
- Accept the 5-second timeout, which can happen serially across clients and provides a poor user experience.
- Don't adopt IMDSv2 and consequently don't realize the security benefits it has to offer.
Additional context
n/a
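The token handshake and the fallback the issue describes, as an added example in Go (not code from the aws-sdk-go project or from the issue author): the client attempts the IMDSv2 PUT for a session token with a bounded timeout, falls back to a plain IMDSv1 GET when the reply never arrives (what a hop limit of 1 looks like from inside a container), and skips the PUT altogether when the proposed AWS_EC2_DISABLE_IMDSV2 variable is set. The Client type, RunScenario, the 300 ms timeout, the in-process fake IMDS, its token and the instance-id value are all constructed for this example; AWS_EC2_DISABLE_IMDSV2 is the name proposed above, not an existing SDK setting.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"os"
	"strings"
	"sync/atomic"
	"time"
)

// Real IMDSv2 path and headers; disableEnv is the name proposed in the issue (assumed, not an SDK setting).
const (
	tokenPath      = "/latest/api/token"
	tokenTTLHeader = "X-aws-ec2-metadata-token-ttl-seconds"
	tokenHeader    = "X-aws-ec2-metadata-token"
	disableEnv     = "AWS_EC2_DISABLE_IMDSV2"
)

// Client is a minimal IMDS client written for this example, not the SDK's EC2Metadata.
type Client struct {
	BaseURL      string
	TokenTimeout time.Duration // how long to wait for the token PUT before falling back to v1
	DisableV2    bool          // skip the PUT entirely and go straight to v1
}

// readBody turns a (response, error) pair into a trimmed body string or an error.
func readBody(resp *http.Response, err error) (string, error) {
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("IMDS returned %s", resp.Status)
	}
	b, err := io.ReadAll(resp.Body)
	return strings.TrimSpace(string(b)), err
}

// fetchToken performs the IMDSv2 PUT. Behind a hop limit of 1 the reply never reaches a container, so it returns only once TokenTimeout expires.
func (c *Client) fetchToken() (string, error) {
	req, err := http.NewRequest(http.MethodPut, c.BaseURL+tokenPath, nil)
	if err != nil {
		return "", err
	}
	req.Header.Set(tokenTTLHeader, "21600")
	hc := &http.Client{Timeout: c.TokenTimeout} // bounds the wait for the session token
	return readBody(hc.Do(req))
}

// GetMetadata fetches one path and reports which IMDS version served it; any token
// failure, the timeout included, falls back to a plain IMDSv1 GET.
func (c *Client) GetMetadata(path string) (value, version string, err error) {
	req, err := http.NewRequest(http.MethodGet, c.BaseURL+path, nil)
	if err != nil {
		return "", "", err
	}
	version = "v1"
	if !c.DisableV2 {
		if tok, terr := c.fetchToken(); terr == nil {
			req.Header.Set(tokenHeader, tok)
			version = "v2"
		}
	}
	value, err = readBody(http.DefaultClient.Do(req))
	return value, version, err
}

// RunScenario runs one instance-id lookup against a constructed in-process fake IMDS. dropPut models the
// hop-limit case (the token reply is never sent); disableV2 models the proposed escape hatch being set.
func RunScenario(dropPut, disableV2 bool, tokenTimeout time.Duration) (value, version string, putSeen bool, elapsed time.Duration, err error) {
	var puts int32
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPut || r.URL.Path != tokenPath {
			fmt.Fprint(w, "i-0123456789abcdef0") // constructed sample; v1 serves it with or without a token
			return
		}
		atomic.StoreInt32(&puts, 1)
		if dropPut {
			<-r.Context().Done() // reply never sent; the client's timeout tears the connection down
			return
		}
		fmt.Fprint(w, "AQAAAconstructed-session-token")
	}))
	defer srv.Close()
	c := &Client{BaseURL: srv.URL, TokenTimeout: tokenTimeout, DisableV2: disableV2}
	start := time.Now()
	value, version, err = c.GetMetadata("/latest/meta-data/instance-id")
	return value, version, atomic.LoadInt32(&puts) == 1, time.Since(start), err
}

func main() {
	disabled := os.Getenv(disableEnv) != "" // a real client would consult the escape hatch like this
	v, ver, put, took, err := RunScenario(true, disabled, 300*time.Millisecond)
	fmt.Printf("%s set=%v -> value=%s via=%s putSeen=%v took=%s err=%v\n", disableEnv, disabled, v, ver, put, took, err)
}
```

Run it with and without AWS_EC2_DISABLE_IMDSV2 exported to compare the time taken: with the variable unset, the hop-limit scenario costs a full TokenTimeout per client before the v1 fallback, which is the serial delay the issue reports; with it set, no PUT is attempted and the lookup returns immediately.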