Fake Meta-data Service
Tristan Morgan edited this page Jul 1, 2024 · 4 revisions
It is possible to run a web server that fakes the way AWS serves credentials from the Meta-data Service. You will need to create an alias for the "magic" IP 169.254.169.254 on your loopback interface, then run a web server that serves the content.
```
$ sudo ifconfig lo0 alias 169.254.169.254
```
Then run the following:
```ruby
#!/usr/bin/env ruby
# frozen_string_literal: true

require 'sinatra'
require 'awskeyring'
require 'awskeyring/awsapi'
require 'securerandom'
require 'json' # Hash#to_json
require 'time' # Time#iso8601

# Listen on the aliased meta-data address.
configure do
  set :bind, '169.254.169.254'
  set :port, 80
end

# IMDSv2: hands out a random session token; the GET routes below do not check it.
put '/latest/api/token' do
  SecureRandom.base64(30)
end

# Directory-style listings that lead clients down to the credentials path.
get '/' do
  'latest'
end

get '/latest/' do
  'meta-data'
end

get '/latest/meta-data/' do
  'iam'
end

get '/latest/meta-data/iam/' do
  'security-credentials'
end

# sets the name used in the path underneath.
get '/latest/meta-data/iam/security-credentials/' do
  'awskeyring'
end

# Serve the credentials for the 'personal' account from the keychain.
get '/latest/meta-data/iam/security-credentials/awskeyring' do
  cred = Awskeyring.get_valid_creds(account: 'personal')
  expiry = Time.at(cred[:expiry]) unless cred[:expiry].nil?
  {
    'Code' => 'Success',
    'LastUpdated' => Time.new.iso8601,
    'Type' => 'AWS-HMAC',
    'AccessKeyId' => cred[:key],
    'SecretAccessKey' => cred[:secret],
    'Token' => cred[:token],
    # Fall back to one hour from now when the stored credentials carry no expiry.
    'Expiration' => (expiry || Time.new + Awskeyring::Awsapi::ONE_HOUR).iso8601
  }.to_json
end
```
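
A smoke test for the fake service, added here as an example (it is not part of the original page or of the awskeyring project): it walks the IMDSv2 request sequence against the routes above and checks the returned document without printing the secret fields. The function names, the `--live` switch and the sample values are assumptions of this example.

```ruby
require 'json'
require 'net/http'
require 'time'

IMDS_HOST = '169.254.169.254' # the aliased "magic" IP from the page
CRED_PATH = '/latest/meta-data/iam/security-credentials/'
REQUIRED = %w[Code LastUpdated Type AccessKeyId SecretAccessKey Token Expiration].freeze

# Walk the IMDSv2 flow: PUT for a session token, GET the role name,
# then GET the credential document for that role.
def fetch_credential_document(host: IMDS_HOST, port: 80)
  Net::HTTP.start(host, port, open_timeout: 2, read_timeout: 2) do |http|
    token = http.put('/latest/api/token', '', { 'X-aws-ec2-metadata-token-ttl-seconds' => '60' }).body
    headers = { 'X-aws-ec2-metadata-token' => token.to_s }
    role = http.get(CRED_PATH, headers).body.to_s.strip
    JSON.parse(http.get(CRED_PATH + role, headers).body)
  end
end

# Return a list of problems with a credential document; an empty list means
# it has the fields the server above emits and has not expired.
def credential_problems(doc, now: Time.now)
  problems = REQUIRED.reject { |k| doc[k].is_a?(String) && !doc[k].empty? }
                     .map { |k| "missing or empty #{k}" }
  problems << "Code is #{doc['Code'].inspect}" unless doc['Code'] == 'Success'
  begin
    problems << 'Expiration is in the past' if Time.iso8601(doc['Expiration'].to_s) <= now
  rescue ArgumentError
    problems << 'Expiration is not ISO 8601'
  end
  problems
end

# Copy of the document that is safe to print or log.
def redacted(doc)
  doc.to_h { |k, v| [k, %w[SecretAccessKey Token].include?(k) ? '[redacted]' : v] }
end

# Constructed sample document (placeholder values, not real credentials).
SAMPLE = {
  'Code' => 'Success', 'LastUpdated' => '2024-07-01T00:00:00Z', 'Type' => 'AWS-HMAC',
  'AccessKeyId' => 'EXAMPLEACCESSKEYID', 'SecretAccessKey' => 'constructed-secret',
  'Token' => 'constructed-token', 'Expiration' => '2024-07-01T01:00:00Z'
}.freeze

if ARGV.include?('--live') # query the running fake service instead of the sample
  doc = fetch_credential_document
  puts redacted(doc).to_json, credential_problems(doc)
end
```

Run it with `--live` while the Sinatra server is up; without the switch it only defines the helpers, which can be exercised against `SAMPLE`.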