I’m currently using gitlab-runner with docker-machine executor on AWS. In order to reduce security issues, one is supposed to use IMDSv2 which is the AWS metadata service version 2 (enforcing token-based authentication).
I tried the addition from here: Add support to AWS EC2 IMDSv2 (#15) · Issues · GitLab.org / CI-CD / docker-machine · GitLab, setting the following docker-machine options with the latest docker-machine version 0.16.2-gitlab.11:
MachineOptions = [
"amazonec2-access-key=*********",
"amazonec2-secret-key=****************",
"amazonec2-ssh-user=ubuntu",
"amazonec2-region=eu-central-1",
"amazonec2-vpc-id=vpc-059d240618b0b894c",
"amazonec2-subnet-id=subnet-08a6730620636686d",
"amazonec2-ami=ami-0502e817a62226e03",
"amazonec2-zone=a",
"amazonec2-use-private-address=true",
"amazonec2-private-address-only=true",
"amazonec2-security-group=docker-machine-scaler",
"amazonec2-instance-type=m5.large",
"amazonec2-request-spot-instance=true",
"amazonec2-spot-price=0.19",
"amazonec2-root-size=85",
"amazonec2-metadata-token=required",
"amazonec2-metadata-token-response-hop-limit=2"
]
The bottom two options are the ones of interest.
Upon monitoring the runners being spawned, I noticed that the CloudWatch metric MetadataNoToken is not zero, so metadata requests without IMDSv2 are being performed. Additionally, Security Hub, which monitors such instances, is complaining.
Is there anything I'm doing wrong? Or do you have any idea how to enforce the usage of IMDSv2 with the docker-machine executor?
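As an added example (not from the post, nor docker-machine's own code), a Python check that lists instances whose metadata options still accept token-less requests, which is what the MetadataNoToken metric counts, together with the modify_instance_metadata_options arguments that enforce IMDSv2 on them. The instance IDs and response dicts are constructed, and boto3 is assumed only for the optional live audit function.

```python
# Added example: audit EC2 instances for IMDSv2 enforcement and build the
# modify_instance_metadata_options call. Assumption: the dicts mirror boto3
# EC2.Client.describe_instances output; SAMPLE_RESERVATIONS is constructed.
REQUIRED = "required"

SAMPLE_RESERVATIONS = [{"Instances": [  # constructed sample, not a real account
    {"InstanceId": "i-0aaaaaaaaaaaaaaaa", "MetadataOptions": {
        "HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 2}},
    {"InstanceId": "i-0bbbbbbbbbbbbbbbb", "MetadataOptions": {
        "HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 2}},
    {"InstanceId": "i-0cccccccccccccccc", "MetadataOptions": {
        "HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 8}},
]}]

def find_imdsv1_instances(reservations, max_hop_limit=2):
    """Return instances still answering IMDSv1 or with an over-wide hop limit.

    HttpTokens != "required" means token-less (v1) requests are served, which
    is what the MetadataNoToken metric counts. Hop limit 2 is enough for
    containers on the runner host; larger values let the token travel further.
    """
    findings = []
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint", "enabled") == "disabled":
                continue  # IMDS switched off entirely: nothing to enforce
            tokens = opts.get("HttpTokens", "optional")  # AWS default is optional
            hops = opts.get("HttpPutResponseHopLimit", 1)
            if tokens != REQUIRED or hops > max_hop_limit:
                findings.append({"InstanceId": inst["InstanceId"],
                                 "HttpTokens": tokens, "HopLimit": hops})
    return findings

def enforce_kwargs(instance_id, hop_limit=2):
    """Keyword arguments for EC2.Client.modify_instance_metadata_options."""
    return {"InstanceId": instance_id, "HttpEndpoint": "enabled",
            "HttpTokens": REQUIRED, "HttpPutResponseHopLimit": hop_limit}

def audit_region(region_name, fix=False):
    """Check running instances in a real region; needs boto3 and credentials."""
    import boto3  # lazy import so the offline checks above need no SDK
    ec2 = boto3.client("ec2", region_name=region_name)
    pages = ec2.get_paginator("describe_instances").paginate(
        Filters=[{"Name": "instance-state-name", "Values": ["running"]}])
    findings = find_imdsv1_instances([r for p in pages for r in p["Reservations"]])
    for f in (findings if fix else []):
        ec2.modify_instance_metadata_options(**enforce_kwargs(f["InstanceId"]))
    return findings
```

Run audit_region("eu-central-1") to list offenders; pass fix=True to switch them to HttpTokens=required, which is the setting the two amazonec2-metadata-token options are meant to produce.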