From 8a25f857a588f713ddbb6357326a30c02681d86f Mon Sep 17 00:00:00 2001
From: MatheusAfinovicz
Date: Thu, 13 Apr 2023 12:54:23 -0300
Subject: [PATCH 1/2] feat: use IMDSv2 for requests

---
 pkg/metadata/provider_aws.go | 35 ++++++++++++++++++++++++++++++++++-
 1 file changed, 34 insertions(+), 1 deletion(-)

diff --git a/pkg/metadata/provider_aws.go b/pkg/metadata/provider_aws.go
index 079dde2941..ba8e989273 100644
--- a/pkg/metadata/provider_aws.go
+++ b/pkg/metadata/provider_aws.go
@@ -90,6 +90,34 @@ func awsMetaGet(lookupName string, fileName string, fileMode os.FileMode) {
 }
 }
 
+func signRequest(req *http.Request, client *http.Client) (*http.Request, error) {
+ tokenReq, err := http.NewRequest("PUT", "http://169.254.169.254/latest/api/token", nil)
+ if err != nil {
+ return req, err
+ }
+
+ tokenReq.Header.Add("X-aws-ec2-metadata-token-ttl-seconds", "21600")
+
+ tokenRes, err := client.Do(tokenReq)
+ if err != nil {
+ return req, err
+ }
+ if tokenRes.StatusCode != 200 {
+ return req, fmt.Errorf("AWS: Status not ok: %d", tokenRes.StatusCode)
+ }
+
+ tokenBytes, err := io.ReadAll(tokenRes.Body)
+ if err != nil {
+ return req, err
+ }
+
+ token := string(tokenBytes)
+
+ req.Header.Add("X-aws-ec2-metadata-token", token)
+
+ return req, nil
+}
+
 // awsGet requests and extracts the requested URL
 func awsGet(url string) ([]byte, error) {
 var client = &http.Client{
@@ -101,7 +129,12 @@ func awsGet(url string) ([]byte, error) {
 return nil, fmt.Errorf("AWS: http.NewRequest failed: %s", err)
 }
 
- resp, err := client.Do(req)
+ signedReq, err := signRequest(req, client)
+ if err != nil {
+ return nil, fmt.Errorf("AWS: Could not contact metadata service: %s", err)
+ }
+
+ resp, err := client.Do(signedReq)
 if err != nil {
 return nil, fmt.Errorf("AWS: Could not contact metadata service: %s", err)
 }

From 886b370507ad15d6cdb83f9bfe0a27a00d97d168 Mon Sep 17 00:00:00 2001
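Review bot: `tokenRes.Body` is never closed in signRequest, so every awsGet call leaks the token response's connection and file descriptor; add `defer tokenRes.Body.Close()` immediately after the `client.Do(tokenReq)` error check, which also covers the non-200 branch that currently returns with the body still open. The requested TTL of 21600 seconds is the IMDSv2 maximum, yet a fresh token is fetched for each request and used exactly once, so a TTL of a few seconds is sufficient and limits how long a token stays valid after this function returns; wrapping the body in `io.LimitReader` before `io.ReadAll` would also bound the read against a misbehaving endpoint. signRequest has no doc comment, and since it attaches an IMDSv2 session token rather than signing anything, and the hunk makes IMDSv2 mandatory with no IMDSv1 fallback, a comment such as `// signRequest fetches an IMDSv2 session token and attaches it to req; the metadata request fails if the token endpoint is unreachable.` would make that intent explicit. The hard-coded 169.254.169.254 host presumably also appears in the callers of awsGet outside this hunk; if the file already has a shared base-URL constant, the token URL should be built from it rather than repeated here.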
From: MatheusAfinovicz
Date: Mon, 17 Apr 2023 08:04:12 -0300
Subject: [PATCH 2/2] fix: sign request error message

---
 pkg/metadata/provider_aws.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/metadata/provider_aws.go b/pkg/metadata/provider_aws.go
index ba8e989273..c317c4e0e0 100644
--- a/pkg/metadata/provider_aws.go
+++ b/pkg/metadata/provider_aws.go
@@ -131,7 +131,7 @@ func awsGet(url string) ([]byte, error) {
 
 signedReq, err := signRequest(req, client)
 if err != nil {
- return nil, fmt.Errorf("AWS: Could not contact metadata service: %s", err)
+ return nil, fmt.Errorf("AWS: Could not sign metadata request: %s", err)
 }
 
 resp, err := client.Do(signedReq)