awslabs · cartermckinnon · Aug 17, 2023 · Aug 17, 2023
diff --git a/files/bin/imds b/files/bin/imds
@@ -5,20 +5,13 @@ set -o pipefail
 set -o nounset
 
 if [ "$#" -ne 1 ]; then
-  echo >&2 "usage: imds API_PATH"
+  echo >&2 "usage: imds token|API_PATH"
   exit 1
 fi
 
-# leading slashes will be removed
-API_PATH="${1#/}"
-
-CURRENT_TIME=$(date '+%s')
-
 IMDS_DEBUG="${IMDS_DEBUG:-false}"
 # default ttl is 15 minutes
 IMDS_TOKEN_TTL_SECONDS=${IMDS_TOKEN_TTL_SECONDS:-900}
-# max ttl is 6 hours, see: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html
-IMDS_MAX_TOKEN_TTL_SECONDS=${IMDS_MAX_TOKEN_TTL_SECONDS:-21600}
 IMDS_RETRIES=${IMDS_RETRIES:-10}
 IMDS_RETRY_DELAY_SECONDS=${IMDS_RETRY_DELAY_SECONDS:-1}
 IMDS_ENDPOINT=${IMDS_ENDPOINT:-169.254.169.254}
@@ -49,43 +42,25 @@ function imdscurl() {
 }
 
 function get-token() {
-  local TOKEN_DIR="/tmp/imds-tokens/$(whoami)"
-  mkdir -p -m 0600 $TOKEN_DIR
-
-  # cleanup expired tokens
-  local DELETED_TOKENS=0
-  for TOKEN_FILE in $(ls $TOKEN_DIR | awk '$0 < '$(($CURRENT_TIME - $IMDS_MAX_TOKEN_TTL_SECONDS))); do
-    rm $TOKEN_DIR/$TOKEN_FILE
-    DELETED_TOKENS=$(($DELETED_TOKENS + 1))
-  done
-  if [ "$DELETED_TOKENS" -gt 0 ]; then
-    log "🗑️ Deleted $DELETED_TOKENS expired IMDS token(s)."
-  fi
-
-  local TOKEN_FILE=$(ls $TOKEN_DIR | awk '$0 > '$CURRENT_TIME | sort -n -r | head -n 1)
-
-  if [ "$TOKEN_FILE" = "" ]; then
-    TOKEN_FILE=$(($CURRENT_TIME + $IMDS_TOKEN_TTL_SECONDS))
-    local TOKEN=$(imdscurl \
-      -H "X-aws-ec2-metadata-token-ttl-seconds: $IMDS_TOKEN_TTL_SECONDS" \
-      -X PUT \
-      "http://$IMDS_ENDPOINT/latest/api/token")
-    echo "$TOKEN" > "$TOKEN_DIR/$TOKEN_FILE"
-    chmod 0600 "$TOKEN_DIR/$TOKEN_FILE"
-    log "🔑 Retrieved a fresh IMDS token that will expire in $IMDS_TOKEN_TTL_SECONDS seconds."
-  else
-    log "ℹ️ Using cached IMDS token that expires in $(($TOKEN_FILE - $CURRENT_TIME)) seconds."
-  fi
-  cat "$TOKEN_DIR/$TOKEN_FILE"
+  imdscurl \
+    -H "X-aws-ec2-metadata-token-ttl-seconds: $IMDS_TOKEN_TTL_SECONDS" \
+    -X PUT \
+    "http://$IMDS_ENDPOINT/latest/api/token"
 }
 
 function get-with-token() {
   local API_PATH="$1"
   imdscurl \
-    -H "X-aws-ec2-metadata-token: $(get-token)" \
+    -H "X-aws-ec2-metadata-token: ${IMDS_TOKEN:-$(get-token)}" \
     "http://$IMDS_ENDPOINT/$API_PATH"
 }
 
 log "ℹ️ Talking to IMDS at $IMDS_ENDPOINT"
 
-get-with-token "$API_PATH"
+if [ "$1" = "token" ]; then
+  get-token
+else
+  # leading slashes will be removed
+  API_PATH="${1#/}"
+  get-with-token "$API_PATH"
+fi
diff --git a/files/bootstrap.sh b/files/bootstrap.sh
@@ -175,6 +175,8 @@ set -- "${POSITIONAL[@]}" # restore positional parameters
 CLUSTER_NAME="$1"
 set -u
 
+export IMDS_TOKEN=$(imds token)
+
 KUBELET_VERSION=$(kubelet --version | grep -Eo '[0-9]\.[0-9]+\.[0-9]+')
 log "INFO: Using kubelet version $KUBELET_VERSION"
 

diff --git a/scripts/cleanup.sh b/scripts/cleanup.sh
@@ -24,7 +24,6 @@ sudo rm -rf \
   /var/log/secure \
   /var/log/wtmp \
   /var/log/messages \
-  /var/log/audit/* \
-  /tmp/imds-tokens
+  /var/log/audit/*
 
 sudo touch /etc/machine-id
diff --git a/test/cases/imds-token-refresh.sh b/test/cases/imds-token-refresh.sh