Add EC2 IMDS v2 support

[prognant]

What does this PR do?

Add instance metadata service v2 (IMDS v2) support.
AWS official documentation : https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html
The agent will still rely on IMDS v1 first. It will do IMDS v2 request only if unauthenticated (IMDS v1) requests fail, thus the actual agent behaviour will only change if IMDS v1 is explicitly disabled, ensuring compatibility with existing deployments.

Motivation

Properly support EC2 instances with IMDSv1 disabled.

Additional Notes

Tests captured on an EC2 live instance with an agent development build :
Request without token on an IMDSv2 only instance :

GET /latest/meta-data/instance-id HTTP/1.1
Host: 169.254.169.254
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip

HTTP/1.0 401 Unauthorized
Content-Length: 343
Content-Type: text/html
Date: Fri, 07 Feb 2020 13:31:39 GMT
Connection: close
Server: EC2ws

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
	"http:https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http:https://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
 <head>
  <title>401 - Unauthorized</title>
 </head>
 <body>
  <h1>401 - Unauthorized</h1>
 </body>
</html>

Token request (PUT):

PUT /latest/api/token HTTP/1.1
Host: 169.254.169.254
User-Agent: Go-http-client/1.1
Content-Length: 0
X-Aws-Ec2-Metadata-Token-Ttl-Seconds: 60
Accept-Encoding: gzip

HTTP/1.0 200 OK
Content-Length: 56
Content-Type: text/plain
Date: Fri, 07 Feb 2020 13:31:39 GMT
X-Aws-Ec2-Metadata-Token-Ttl-Seconds: 60
Connection: close
Server: EC2ws

AQAAAFKw7LwD9Nn5LmMKwWMp9-xj2CI5EuASEmX6F3_g9F3iWvlFTQ==

Request to metadata with token:

GET /latest/meta-data/instance-id HTTP/1.1
Host: 169.254.169.254
User-Agent: Go-http-client/1.1
X-Aws-Ec2-Metadata-Token: AQAAAFKw7LwD9Nn5LmMKwWMp9-xj2CI5EuASEmX6F3_g9F3iWvlFTQ==
Accept-Encoding: gzip

HTTP/1.0 200 OK
Accept-Ranges: bytes
Content-Length: 19
Content-Type: text/plain
Date: Fri, 07 Feb 2020 13:31:39 GMT
Last-Modified: Fri, 07 Feb 2020 13:30:01 GMT
X-Aws-Ec2-Metadata-Token-Ttl-Seconds: 60
Connection: close
Server: EC2ws

i-0c583456e1956d03e

[ogaca-dd]

LGTM just minor comments.

[ogaca-dd]

👍

[ishug86]

@prognant @ogaca-dd I was just curious about this change. Looks like you first try to fetch the info from v1 and then defaults to v2.
Should it not be reversed?

[prognant]

@ishug86 It could be reversed, but the idea was to keep the same behaviour than before the change (i.e. doing IMDSv1) where possible and support deployment with IMDSv2 only/IMDSv1 disabled. Not changing the default behaviour let some margin to ensure the IMDSv2 implementation is trouble-free.

If we think forward we could plan to do IMDSv2 only because :

• IMDSv2 is enabled everywhere (but optional, i.e. IMDSv1 still works) by default
• IMDSv2 can be mandatory by AWS configuration
• IMDSv1 alone is not possible

So strictly speaking IMDSv1 support is not required anymore and is likely to be dropped at some point .

[ishug86]

Thanks @prognant for the explanation, and sorry for responding so late.
As far as I know, IMDS V2 will always be enabled on all instances as its on AWS backend API (on the hypervisor).
However, With this implementation, the problem could be when someone disable v1 on their machine, it will lead to some call failures for v1 and also not recommended from security perspective as it may confuse folks if they want to disable IMDS V1 on the instance running datadog agent.

[prognant]

Thanks for your feedback @ishug86. We understand that IMDSv2 will always be there, we agree that it makes sense to favor IMDSv2 regarding security. Thus we will work on allowing the agent to query IMDSv2 by default in a future release

[ishug86]

Thanks @prognant , I will look forward and track the new release.