author Tim Smith <tsmith84@gmail.com> 2021-02-01 13:28:43 -0800
committer Tim Smith <tsmith84@gmail.com> 2021-02-01 13:28:43 -0800
commit 7bba964b1c1fce9330dca201cfc2dbf6c2fc285c
tree 7e8d71dcfc3cc7a225fd7dfb02479f5c6decc7f5
parent 4843bb3d6bbf8ad73a23bac7b3feba8cf9597b5c
Don't track sensitive new ec2 metadata
When I bumped the aws metadata versions we support, it brought in some new sensitive data we don't want on nodes. This skips accesskeyid / secretaccesskey storage.

Signed-off-by: Tim Smith <tsmith@chef.io>
-rw-r--r-- lib/ohai/plugins/ec2.rb 3
1 files changed, 3 insertions, 0 deletions
diff --git a/lib/ohai/plugins/ec2.rb b/lib/ohai/plugins/ec2.rb
index 1942ae42..eb9fa480 100644
--- a/lib/ohai/plugins/ec2.rb
+++ b/lib/ohai/plugins/ec2.rb
@@ -121,6 +121,9 @@ Ohai.plugin(:EC2) do
logger.trace("Plugin EC2: looks_like_ec2? == true")
ec2 Mash.new
fetch_metadata.each do |k, v|
+ # this includes sensitive data we don't want to store on the node
+ next if k == "identity_credentials_ec2_security_credentials_ec2_instance"
+
# fetch_metadata returns IAM security credentials, including the IAM user's
# secret access key. We'd rather not have ohai send this information
# to the server. If the instance is associated with an IAM role we grab
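Review bot: The added `next if k == "identity_credentials_ec2_security_credentials_ec2_instance"` is an exact-match denylist on a single flattened key, so it only covers the one credentials path known today. If a later metadata version bump exposes another entry under the same identity-credentials tree, it will be stored on the node just as this one was before the fix. Consider matching on the prefix instead, for example `next if k.start_with?("identity_credentials_")`, or moving to an allowlist of keys that are safe to persist. The new comment could also name what is being dropped (the access key id and secret access key mentioned in the commit message) so the reason survives future refactors. The diffstat shows only ec2.rb changed; a spec asserting that this key never appears in the `ec2` Mash would keep the skip from regressing.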