
yahoo-eng-team team mailing list archive

[Bug 1931392] Re: sensitive metadata and jinja templates

 

This bug is believed to be fixed in cloud-init in version 21.3. If this
is still a problem for you, please make a comment and set the state back
to New.

Thank you.

** Changed in: cloud-init
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to cloud-init.
https://bugs.launchpad.net/bugs/1931392

Title:
  sensitive metadata and jinja templates

Status in cloud-init:
  Fix Released

Bug description:
  The documentation doesn't explain well how to use sanitized metadata
  (that will show up in instance-data-sensitive.json rather than
  instance-data.json) with jinja templates inside user-data. As far as I
  can see, it doesn't work. The source code mentions two magic keys that
  are sanitized: "merged_cfg" and "security-credentials". Defining
  variables with these names inside meta-data correctly sanitizes them
  and only puts them inside files only readable by root, however then
  they don't work inside user-data as jinja templates (as
  "{{ds.meta_data.security-credentials}}", for example), they are
  instead replaced by CI_MISSING_JINJA_VAR. Using differently named
  variables makes the template work, but they aren't sanitized in the
  logs/runtime files.

  In what way, if any, is this supposed to work? Should I instead just
  chmod the relevant log/runtime files through an entry in bootcmd?

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-init/+bug/1931392/+subscriptions


