author | Tim Smith <tsmith84@gmail.com> | 2021-02-01 13:28:43 -0800 |
---|---|---|
committer | Tim Smith <tsmith84@gmail.com> | 2021-02-01 13:28:43 -0800 |
commit | 7bba964b1c1fce9330dca201cfc2dbf6c2fc285c (patch) | |
tree | 7e8d71dcfc3cc7a225fd7dfb02479f5c6decc7f5 | |
parent | 4843bb3d6bbf8ad73a23bac7b3feba8cf9597b5c (diff) | |
download | ohai-7bba964b1c1fce9330dca201cfc2dbf6c2fc285c.tar.gz |
Don't track sensitive new ec2 metadata
When I bumped the aws metadata versions we support it brought in some
new sensitive data we don't want on nodes. This skips accesskeyid /
secretaccesskey storage.
Signed-off-by: Tim Smith <tsmith@chef.io>
-rw-r--r-- | lib/ohai/plugins/ec2.rb | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/lib/ohai/plugins/ec2.rb b/lib/ohai/plugins/ec2.rb index 1942ae42..eb9fa480 100644 --- a/lib/ohai/plugins/ec2.rb +++ b/lib/ohai/plugins/ec2.rb @@ -121,6 +121,9 @@ Ohai.plugin(:EC2) do logger.trace("Plugin EC2: looks_like_ec2? == true") ec2 Mash.new fetch_metadata.each do |k, v| + # this includes sensitive data we don't want to store on the node + next if k == "identity_credentials_ec2_security_credentials_ec2_instance" + # fetch_metadata returns IAM security credentials, including the IAM user's # secret access key. We'd rather not have ohai send this information # to the server. If the instance is associated with an IAM role we grab |
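Review bot: The new `next if k == "identity_credentials_ec2_security_credentials_ec2_instance"` line at the top of the `fetch_metadata.each` block compares against one exact key name, so it only covers the key known today. The commit message says this key arrived through a metadata version bump; a later bump that adds another credential-bearing key under a different name would be stored on the node again. Consider moving the skipped names into a named constant (or matching on a common prefix, if the credential keys share one) so the exclusion is easy to audit and extend. The comment above the check would also be more useful if it named what is being dropped (the access key id and secret access key, as the commit message does) rather than "sensitive data". Finally, the diffstat shows only lib/ohai/plugins/ec2.rb changed: a spec that passes a `fetch_metadata` result containing this key and asserts it is absent from the `ec2` Mash would keep the skip from regressing silently.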