AWS EC2 ohai plugin replaces - with _ in metadata keys #1673

Open
cavdhut opened this issue Jun 25, 2021 · 1 comment
Labels: Status: Untriaged (an issue that has yet to be triaged); Type: Bug (does not work as expected)

cavdhut commented Jun 25, 2021

Description

AWS EC2 ohai plugin replaces - with _ in metadata keys. For example, if I have a role named my-iam-role, the ohai plugin changes it to my_iam_role.

I believe the code below does this conversion. Is it possible to fix this?

https://github.com/chef/ohai/blob/master/lib/ohai/mixin/ec2_metadata.rb#L229

Ohai Version

Ohai: 13.10.0

Platform Version

CentOS Stream release 8

Ohai Output

Ohai output:

ohai -d /etc/chef/ohai_plugins/ -l fatal | jq .cloud.iam.role_name
"my_iam_role"

AWS meta-data:

curl http://169.254.169.254/latest/meta-data/iam/security-credentials/;echo
my-iam-role
cavdhut changed the title from "AWS EC2 ohai plugin replaces - with _ in IAM role name" to "AWS EC2 ohai plugin replaces - with _ in metadata keys" on Jun 25, 2021
kcbraunschweig (Contributor) commented

While it'd be great to unwind if this key munging is needed in general and remove it, it seems that's gonna take some historical digging because it's been that way for a very long time. A workaround for this specific case might be to take a different approach to role fetching. Instead of trusting the return from fetch_metadata, which munges keys, and parsing the keys to derive the role name, we remove that. We create a separate fetch_role method in the ec2_metadata mixin which fetches the metadata and walks down it similarly to fetch_metadata but only to get security-credentials and the role; that method can avoid munging the key and return the role name only. The plugin can add in the role name where it currently is in the returned ohai data. Since it ends up as a value, not a key, there's no risk of whatever that munging was trying to protect us from. It does mean fetching and walking part of the metadata a second time, so there's a performance penalty of 3 extra HTTP calls.
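The workaround proposed in the comment above, sketched as an added example that is not code from this issue or from ohai. `munged_walk` is a simplified model of the key rewriting the issue reports; `fetch_role`, `sample_get`, the role-name check and the sample metadata tree are hypothetical and constructed so the block runs offline.

```ruby
# Constructed sample of the metadata tree (path => response body).
SAMPLE_IMDS = {
  "" => "ami-id\niam/",
  "iam/" => "info\nsecurity-credentials/",
  "iam/info" => '{"Code":"Success"}',
  "iam/security-credentials/" => "my-iam-role",
  "iam/security-credentials/my-iam-role" => '{"Code":"Success"}',
}.freeze

# Hypothetical stand-in for the HTTP GET against /latest/meta-data/<path>.
def sample_get(path)
  SAMPLE_IMDS.fetch(path)
end

# Simplified model of the reported behaviour: each entry becomes a hash key
# with "-" and "/" replaced by "_", so a role name used as a key is altered.
def munged_walk(prefix, get)
  get.call(prefix).split("\n").each_with_object({}) do |entry, out|
    key = entry.chomp("/").gsub(%r{-|/}, "_")
    path = "#{prefix}#{entry}"
    out[key] = entry.end_with?("/") ? munged_walk(path, get) : get.call(path)
  end
end

# Characters IAM allows in a role name; a defensive check added for this
# example so an unexpected response body is never reported as a role.
ROLE_NAME = /\A[\w+=,.@-]{1,64}\z/

# Hypothetical fetch_role: walks only root -> iam/ -> security-credentials/
# (three requests) and returns the role name as a value, never as a key.
def fetch_role(get)
  path = ""
  %w[iam/ security-credentials/].each do |dir|
    return nil unless get.call(path).split("\n").include?(dir)
    path += dir
  end
  name = get.call(path).lines.first.to_s.strip
  ROLE_NAME.match?(name) ? name : nil
end

# Role name derived from munged keys versus read directly as a value.
def compare_role_names(get = method(:sample_get))
  from_key = munged_walk("iam/", get)["security_credentials"].keys.first
  { from_munged_key: from_key, from_value: fetch_role(get) }
end

puts compare_role_names.inspect
```

Anything that compares the reported role name against IAM policy, inventory or audit data needs the unmodified value, which is why the sketch returns it without passing through the key rewriting.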
