Support IMDSv2 HttpTokens

[SteffeyDev]

What does this PR do?

This PR allows salt-cloud to connect to IMDSv2 using tokens, while still supporting IMDSv1.

I'm running salt-cloud on an EC2 instance that requires tokens for IMDS, which caused salt-cloud to fail to authenticate with EC2 when using use-instance-role-credentials in the cloud provider. My changes allow salt-cloud to authenticate successfully by using IMDSv2 tokens to get the security-credentials.

Merge requirements satisfied?

[NOTICE] Bug fixes or features added to Salt require tests.

• Docs
• Changelog - https://docs.saltproject.io/en/master/topics/development/changelog.html
• Tests written/updated

Not sure if any documentation changes are needed, as I didn't see anything in the documentation about it not supporting IMDSv2 already. Let me know if any documentation changes are needed.

Commits signed with GPG?

No

[welcome]

Hi there! Welcome to the Salt Community! Thank you for making your first contribution. We have a lengthy process for issues and PRs. Someone from the Core Team will follow up as soon as possible. In the meantime, here’s some information that may help as you continue your Salt journey.
Please be sure to review our Code of Conduct. Also, check out some of our community resources including:

• Community Wiki
• Salt’s Contributor Guide
• Join our Community Slack
• IRC on LiberaChat
• Salt Project YouTube channel
• Salt Project Twitch channel

There are lots of ways to get involved in our community. Every month, there are around a dozen opportunities to meet with other contributors and the Salt Core team and collaborate in real time. The best way to keep track is by subscribing to the Salt Community Events Calendar.
If you have additional questions, email us at [email protected]. We’re glad you’ve joined our community and look forward to doing awesome things with you!

[cmcmarrow]

@SteffeyDev can we get some tests and a change log? Thank your for contributing to salt. I see you kept backwards compatibility in mind, thanks for that!

[SteffeyDev]

@SteffeyDev can we get some tests and a change log? Thank your for contributing to salt. I see you kept backwards compatibility in mind, thanks for that!

Sure. As I said in the initial comment, I don't see any existing tests for this file, so I'm not sure the best way to test just this change independently. Can you provide some pointers for that?

[cmcmarrow]

@SteffeyDev you could write some mock tests for get_metadata. You would pass the old way args for 1 test and check results is right. You would then do the same thing with the new args and make sure you get the right results again. You could mock requests.get

[SteffeyDev]

Ok @cmcmarrow I added some tests, can you please review?

[Ch3LL]

just a clarifying question

[lorengordon]

I see two or three issues related to support for IMDSv2, and could possibly be closed by this patch. Can anyone testing confirm?

• [FEATURE REQUEST] Support IMDSv2 for retrieving EC2 Metadata grains #57514
• [BUG] s3 module fails when IMDSv2 is enforced on ec2 instances #60668
• [BUG] s3fs + masterless does not work without adding roots to fileserver_backend #62688

[lorengordon]

I see two or three issues related to support for IMDSv2, and could possibly be closed by this patch. Can anyone testing confirm?

• [FEATURE REQUEST] Support IMDSv2 for retrieving EC2 Metadata grains #57514
• [BUG] s3 module fails when IMDSv2 is enforced on ec2 instances #60668
• [BUG] s3fs + masterless does not work without adding roots to fileserver_backend #62688

@Ch3LL I did some testing last week, and believe IMDSv2 support is indeed working in salt 3006. It might be worth following up a bit on the three tickets I linked and seeing if they can be closed now.