diff -ru resource-agents-4.4.0+git57.70549516-orig/heartbeat/awseip resource-agents-4.4.0+git57.70549516/heartbeat/awseip
--- resource-agents-4.4.0+git57.70549516-orig/heartbeat/awseip	2020-02-24 12:23:11.000000000 +0100
+++ resource-agents-4.4.0+git57.70549516/heartbeat/awseip	2021-06-16 13:51:36.222454479 +0200
@@ -149,12 +149,12 @@
     awseip_monitor && return $OCF_SUCCESS
 
     if [ -n "${PRIVATE_IP_ADDRESS}" ]; then
-        NETWORK_INTERFACES_MACS="$(curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/)"
+        NETWORK_INTERFACES_MACS=$(curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/ -H "X-aws-ec2-metadata-token: $TOKEN")
         for MAC in ${NETWORK_INTERFACES_MACS}; do
-            curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC}/local-ipv4s |
+            curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC}/local-ipv4s -H "X-aws-ec2-metadata-token: $TOKEN" |
                 grep -q "^${PRIVATE_IP_ADDRESS}$"
             if [ $? -eq 0 ]; then
-                NETWORK_ID="$(curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC}/interface-id)"
+                NETWORK_ID=$(curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC}/interface-id -H "X-aws-ec2-metadata-token: $TOKEN")
             fi
         done
         $AWSCLI --profile $OCF_RESKEY_profile ec2 associate-address  \
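Review bot: The three IMDS reads at L10, L13 and L17 still use bare `curl -s` with no `-f` and no timeout, so an error body (for example when the token has expired) is captured as data and iterated as if it were a list of MAC addresses, and an unreachable 169.254.169.254 stalls the action until the cluster operation timeout fires. Use `curl -sf --connect-timeout 2 --max-time 5` on each call and bail out when `NETWORK_INTERFACES_MACS` is empty, e.g. `[ -n "$NETWORK_INTERFACES_MACS" ] || { ocf_exit_reason "no network interfaces found in IMDS"; return $OCF_ERR_GENERIC; }`. The enclosing function starts and ends outside this hunk.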
@@ -244,7 +244,8 @@
 ELASTIC_IP="${OCF_RESKEY_elastic_ip}"
 ALLOCATION_ID="${OCF_RESKEY_allocation_id}"
 PRIVATE_IP_ADDRESS="${OCF_RESKEY_private_ip_address}"
-INSTANCE_ID="$(curl -s http://169.254.169.254/latest/meta-data/instance-id)"
+TOKEN=$(curl -sX PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
+INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id -H "X-aws-ec2-metadata-token: $TOKEN")
 
 case $__OCF_ACTION in
     start)
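Review bot: The token PUT on L26 has no failure handling: if it fails (IMDSv2 hop limit, IMDS disabled, network stall) `TOKEN` is empty, and because curl does not send a header whose value is empty, every later read silently degrades to an unauthenticated IMDSv1 request without anything in the log saying so. Add `-f --connect-timeout 2 --max-time 5` to the PUT and `[ -n "$TOKEN" ] || ocf_log warn "could not obtain IMDSv2 token, falling back to IMDSv1"`. Since this runs at top level before the `case`, the extra round-trip now also happens for `meta-data` and `validate-all`; fetching the token lazily in the actions that need it would avoid that.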
diff -ru resource-agents-4.4.0+git57.70549516-orig/heartbeat/awsvip resource-agents-4.4.0+git57.70549516/heartbeat/awsvip
--- resource-agents-4.4.0+git57.70549516-orig/heartbeat/awsvip	2020-02-24 12:23:11.000000000 +0100
+++ resource-agents-4.4.0+git57.70549516/heartbeat/awsvip	2021-06-16 13:51:47.934374057 +0200
@@ -172,7 +172,7 @@
             --instance-id "${INSTANCE_ID}" \
             --query 'Reservations[].Instances[].NetworkInterfaces[].PrivateIpAddresses[].PrivateIpAddress[]' \
             --output text | \
-            grep -q "${SECONDARY_PRIVATE_IP}"
+            grep -qE "(^|\s)${SECONDARY_PRIVATE_IP}(\s|$)"
     RET=$?
 
     if [ $RET -ne 0 ]; then
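Review bot: The pattern on L39 interpolates the IP into an ERE unescaped, so every `.` matches any character and the match is only bounded by whitespace; `\s` is also a GNU extension. The awk query already yields whitespace-separated plain text, so a fixed-string word match is both stricter and portable: `grep -qwF -- "${SECONDARY_PRIVATE_IP}"` (`-w` treats `.` as a non-word character, and `10.0.1.1` still cannot match inside `10.0.1.10` because the following `0` is a word character). The enclosing function starts and ends outside this hunk.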
@@ -206,9 +206,10 @@
 
 AWSCLI="${OCF_RESKEY_awscli}"
 SECONDARY_PRIVATE_IP="${OCF_RESKEY_secondary_private_ip}"
-INSTANCE_ID="$(curl -s http://169.254.169.254/latest/meta-data/instance-id)"
-MAC_ADDRESS="$(curl -s http://169.254.169.254/latest/meta-data/mac)"
-NETWORK_ID="$(curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC_ADDRESS}/interface-id)"
+TOKEN=$(curl -sX PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
+INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id -H "X-aws-ec2-metadata-token: $TOKEN")
+MAC_ADDRESS=$(curl -s http://169.254.169.254/latest/meta-data/mac -H "X-aws-ec2-metadata-token: $TOKEN")
+NETWORK_ID=$(curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC_ADDRESS}/interface-id -H "X-aws-ec2-metadata-token: $TOKEN")
 
 case $__OCF_ACTION in
     start)
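Review bot: `MAC_ADDRESS` on L52 is used unchecked on L53 to build the next IMDS path, so an empty or error response produces `.../macs//interface-id` and `NETWORK_ID` receives whatever IMDS answers for that path; none of the four calls has `-f` or a timeout, and they run at top level before the action dispatch, so `meta-data` and `validate-all` also block on IMDS. Add `-sf --connect-timeout 2 --max-time 5` to each call and `[ -n "$MAC_ADDRESS" ] || ocf_log warn "could not read MAC address from IMDS"`, or move the lookups into a validate step that can return `$OCF_ERR_GENERIC` instead of continuing with empty identifiers.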
diff -ru resource-agents-4.4.0+git57.70549516-orig/heartbeat/aws-vpc-move-ip resource-agents-4.4.0+git57.70549516/heartbeat/aws-vpc-move-ip
--- resource-agents-4.4.0+git57.70549516-orig/heartbeat/aws-vpc-move-ip	2020-02-24 12:23:11.000000000 +0100
+++ resource-agents-4.4.0+git57.70549516/heartbeat/aws-vpc-move-ip	2021-06-16 13:50:38.246852580 +0200
@@ -37,19 +37,27 @@
 # Defaults
 OCF_RESKEY_awscli_default="/usr/bin/aws"
 OCF_RESKEY_profile_default="default"
+OCF_RESKEY_region_default=""
 OCF_RESKEY_ip_default=""
 OCF_RESKEY_address_default=""
 OCF_RESKEY_routing_table_default=""
+OCF_RESKEY_routing_table_role_default=""
 OCF_RESKEY_interface_default="eth0"
 OCF_RESKEY_monapi_default="false"
+OCF_RESKEY_lookup_type_default="InstanceId"
 
 : ${OCF_RESKEY_awscli=${OCF_RESKEY_awscli_default}}
 : ${OCF_RESKEY_profile=${OCF_RESKEY_profile_default}}
+: ${OCF_RESKEY_region=${OCF_RESKEY_region_default}}
 : ${OCF_RESKEY_ip=${OCF_RESKEY_ip_default}}
 : ${OCF_RESKEY_address=${OCF_RESKEY_address_default}}
 : ${OCF_RESKEY_routing_table=${OCF_RESKEY_routing_table_default}}
+: ${OCF_RESKEY_routing_table_role=${OCF_RESKEY_routing_table_role_default}}
 : ${OCF_RESKEY_interface=${OCF_RESKEY_interface_default}}
 : ${OCF_RESKEY_monapi=${OCF_RESKEY_monapi_default}}
+: ${OCF_RESKEY_lookup_type=${OCF_RESKEY_lookup_type_default}}
+
+[ -n "$OCF_RESKEY_region" ] && region_opt="--region $OCF_RESKEY_region"
 #######################################################################
 
 
@@ -93,6 +101,14 @@
 <content type="string" default="${OCF_RESKEY_profile_default}" />
 </parameter>
 
+<parameter name="region">
+<longdesc lang="en">
+Valid AWS region name (e.g., 'us-west-2')
+</longdesc>
+<shortdesc lang="en">region name</shortdesc>
+<content type="string" default="${OCF_RESKEY_region_default}" />
+</parameter>
+
 <parameter name="ip" required="1">
 <longdesc lang="en">
 VPC private IP address
@@ -117,6 +133,14 @@
 <content type="string" default="${OCF_RESKEY_routing_table_default}" />
 </parameter>
 
+<parameter name="routing_table_role" required="0">
+<longdesc lang="en">
+Role to use to query/update the route table
+</longdesc>
+<shortdesc lang="en">route table query/update role</shortdesc>
+<content type="string" default="${OCF_RESKEY_routing_table_role_default}" />
+</parameter>
+
 <parameter name="interface" required="1">
 <longdesc lang="en">
 Name of the network interface, i.e. eth0
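Review bot: The `routing_table_role` longdesc should state what the agent does with the value: the ARN is passed to `sts assume-role` using the credentials of `profile`, and only the route-table query and update (`describe-route-tables`, `replace-route`) run under the resulting temporary credentials, so the profile's principal needs permission to assume the role and the role needs the route-table permissions. Suggested text: `ARN of an IAM role to assume (via sts assume-role, using the credentials of 'profile') for the route table query and update. Leave empty to run those calls with the profile's own credentials.`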
@@ -132,6 +156,17 @@
 <shortdesc lang="en">Enhanced Monitoring</shortdesc>
 <content type="boolean" default="${OCF_RESKEY_monapi_default}" />
 </parameter>
+
+<parameter name="lookup_type" required="0">
+<longdesc lang="en">
+Name of resource type to lookup in route table.
+"InstanceId"         : EC2 instance ID. (default)
+"NetworkInterfaceId" : ENI ID. (useful in shared VPC setups).
+</longdesc>
+<shortdesc lang="en">lookup type for route table resource</shortdesc>
+<content type="string" default="${OCF_RESKEY_lookup_type_default}" />
+</parameter>
+
 </parameters>
 
 <actions>
@@ -145,15 +180,33 @@
 END
 }
 
+
+execute_cmd_as_role(){
+	cmd=$1
+	role=$2
+	output="$($OCF_RESKEY_awscli sts assume-role --role-arn $role --role-session-name AWSCLI-RouteTableUpdate --profile $OCF_RESKEY_profile $region_opt --output=text)"
+	export AWS_ACCESS_KEY_ID="$(echo $output | awk -F" " '$4=="CREDENTIALS" {print $5}')"
+	export AWS_SECRET_ACCESS_KEY="$(echo $output | awk -F" " '$4=="CREDENTIALS" {print $7}')"
+	export AWS_SESSION_TOKEN="$(echo $output | awk -F" " '$4=="CREDENTIALS" {print $8}')"
+
+	#Execute command
+	ocf_log debug "Assumed Role ${role}"
+	ocf_log debug "$($OCF_RESKEY_awscli sts get-caller-identity)"
+	ocf_log debug "executing command: $cmd"
+	response="$($cmd)"
+	unset output AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
+	echo $response
+}
+
 ec2ip_set_address_param_compat(){
 	# Include backward compatibility for the deprecated address parameter
-	if [ -z  "$OCF_RESKEY_ip" ] && [ -n "$OCF_RESKEY_address" ]; then
+	if [ -z "$OCF_RESKEY_ip" ] && [ -n "$OCF_RESKEY_address" ]; then
 		OCF_RESKEY_ip="$OCF_RESKEY_address"
 	fi
 }
 
 ec2ip_validate() {
-	for cmd in aws ip curl; do
+	for cmd in $OCF_RESKEY_awscli ip curl; do
 		check_binary "$cmd"
 	done
 
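Review bot: `execute_cmd_as_role` never checks that `assume-role` succeeded: on failure the three `awk` fields are empty, the empty variables are still exported, and since the AWS CLI most likely treats an empty `AWS_ACCESS_KEY_ID` as unset, the route-table command proceeds with the node's own profile credentials instead of the role, which defeats the purpose of the parameter. The credential parsing (`$4=="CREDENTIALS"` over a whitespace-collapsed `echo $output`) also depends on the exact column layout of the text output, and the function's exit status is that of the final `echo`, so callers cannot tell whether `$cmd` failed. Select the fields with `--query` in a fixed order, fail closed when they are missing, and return `$cmd`'s status; the `sts get-caller-identity` debug call is an extra STS round-trip on every monitor that runs even when debug logging is off, because the command substitution executes before `ocf_log` filters the level.
```shell
execute_cmd_as_role(){
	cmd=$1
	role=$2
	# Ask STS for exactly the three credential fields, in a fixed order, rather
	# than picking positional columns out of the whole text dump.
	output="$($OCF_RESKEY_awscli sts assume-role --role-arn "$role" --role-session-name AWSCLI-RouteTableUpdate --profile "$OCF_RESKEY_profile" $region_opt --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text)"
	rc=$?
	set -- $output
	if [ "$rc" -ne 0 ] || [ $# -ne 3 ]; then
		# Fail closed: never run the route-table command with the node's own credentials by accident.
		ocf_log err "assume-role for ${role} failed (rc=$rc); not running '${cmd}'"
		return $OCF_ERR_GENERIC
	fi
	export AWS_ACCESS_KEY_ID="$1" AWS_SECRET_ACCESS_KEY="$2" AWS_SESSION_TOKEN="$3"

	ocf_log debug "Assumed Role ${role}"
	ocf_log debug "executing command: $cmd"
	response="$($cmd)"
	rc=$?
	unset output AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
	echo $response
	return $rc
}
```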
@@ -162,7 +215,8 @@
 		return $OCF_ERR_CONFIGURED
 	fi
 
-	EC2_INSTANCE_ID="$(curl -s http://169.254.169.254/latest/meta-data/instance-id)"
+	TOKEN=$(curl -sX PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
+	EC2_INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id -H "X-aws-ec2-metadata-token: $TOKEN")
 
 	if [ -z "${EC2_INSTANCE_ID}" ]; then
 		ocf_exit_reason "Instance ID not found. Is this a EC2 instance?"
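Review bot: `lookup_type` is never validated, yet ec2ip_monitor interpolates it verbatim into the JMESPath query (`...].$OCF_RESKEY_lookup_type`) while only the exact string `NetworkInterfaceId` switches to the ENI comparison, so any other spelling (`instanceId`, `ENI`) yields an empty route lookup on every monitor and the resource is permanently reported as not routed. Add to ec2ip_validate: `case "$OCF_RESKEY_lookup_type" in InstanceId|NetworkInterfaceId) ;; *) ocf_exit_reason "lookup_type must be InstanceId or NetworkInterfaceId"; return $OCF_ERR_CONFIGURED;; esac`. The token PUT on L177 would also benefit from `-f` and a short `--max-time`, since an IMDS stall here blocks every action. The function starts before and ends after this hunk.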
@@ -173,20 +227,33 @@
 }
 
 ec2ip_monitor() {
-        MON_RES=""
+	MON_RES=""
+	if [ "${OCF_RESKEY_lookup_type}" = "NetworkInterfaceId" ]; then
+		EC2_ID="$(ec2ip_get_instance_eni)"
+		RESOURCE_TYPE="interface"
+	else
+		EC2_ID="$EC2_INSTANCE_ID"
+		RESOURCE_TYPE="instance"
+	fi
+
 	if ocf_is_true ${OCF_RESKEY_monapi} || [ "$__OCF_ACTION" = "start" ] || ocf_is_probe; then
 		for rtb in $(echo $OCF_RESKEY_routing_table | sed -e 's/,/ /g'); do
 			ocf_log info "monitor: check routing table (API call) - $rtb"
-			cmd="$OCF_RESKEY_awscli --profile $OCF_RESKEY_profile --output text ec2 describe-route-tables --route-table-ids $rtb --query RouteTables[*].Routes[?DestinationCidrBlock=='$OCF_RESKEY_ip/32'].InstanceId"
-			ocf_log debug "executing command: $cmd"
-			ROUTE_TO_INSTANCE="$($cmd)"
+			if [ -z "${OCF_RESKEY_routing_table_role}" ]; then
+				cmd="$OCF_RESKEY_awscli --profile $OCF_RESKEY_profile $region_opt --output text ec2 describe-route-tables --route-table-ids $rtb --query RouteTables[*].Routes[?DestinationCidrBlock=='$OCF_RESKEY_ip/32'].$OCF_RESKEY_lookup_type"
+				ocf_log debug "executing command: $cmd"
+				ROUTE_TO_INSTANCE="$($cmd)"
+			else
+				cmd="$OCF_RESKEY_awscli $region_opt --output text ec2 describe-route-tables --route-table-ids $rtb --query RouteTables[*].Routes[?DestinationCidrBlock=='$OCF_RESKEY_ip/32'].$OCF_RESKEY_lookup_type"
+				ROUTE_TO_INSTANCE="$(execute_cmd_as_role "$cmd" $OCF_RESKEY_routing_table_role)"
+			fi
 			ocf_log debug "Overlay IP is currently routed to ${ROUTE_TO_INSTANCE}"
 			if [ -z "$ROUTE_TO_INSTANCE" ]; then
 				ROUTE_TO_INSTANCE="<unknown>"
 			fi
 
-			if [ "$EC2_INSTANCE_ID" != "$ROUTE_TO_INSTANCE" ]; then 
-				ocf_log warn "not routed to this instance ($EC2_INSTANCE_ID) but to instance $ROUTE_TO_INSTANCE on $rtb"
+			if [ "$EC2_ID" != "$ROUTE_TO_INSTANCE" ]; then
+				ocf_log warn "not routed to this $RESOURCE_TYPE ($EC2_ID) but to $RESOURCE_TYPE $ROUTE_TO_INSTANCE on $rtb"
 				MON_RES="$MON_RES $rtb"
 			fi
 			sleep 1
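Review bot: `EC2_ID` on L189 is not checked; `ec2ip_get_instance_eni` returns `$OCF_ERR_GENERIC` without printing anything when its lookup fails, so an empty `EC2_ID` is compared against the route entry and every table is logged as "not routed to this interface ()", which on a monitor looks like a real failover condition rather than a local lookup error. Add `[ -n "$EC2_ID" ] || { ocf_exit_reason "could not determine the $RESOURCE_TYPE id"; return $OCF_ERR_GENERIC; }` after the if/else. The ENI lookup also runs on every monitor even when the API check below is skipped; moving it inside the `if` saves an IMDS round-trip. The function continues past the end of this hunk.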
@@ -204,7 +271,13 @@
 	ocf_log debug "executing command: $cmd"
 	RESULT=$($cmd | grep "$OCF_RESKEY_ip")
 	if [ -z "$RESULT" ]; then
-		ocf_log warn "IP $OCF_RESKEY_ip not assigned to running interface"
+		if [ "$__OCF_ACTION" = "monitor" ] && ! ocf_is_probe; then
+			level="error"
+		else
+			level="info"
+		fi
+
+		ocf_log "$level" "IP $OCF_RESKEY_ip not assigned to running interface"
 		return $OCF_NOT_RUNNING
 	fi
 
@@ -216,17 +289,32 @@
 ec2ip_drop() {
 	cmd="ip addr delete ${OCF_RESKEY_ip}/32 dev $OCF_RESKEY_interface"
 	ocf_log debug "executing command: $cmd"
-	$cmd
+	output=$($cmd 2>&1)
 	rc=$?
+
 	if [ "$rc" -gt 0 ]; then
-		ocf_log warn "command failed, rc $rc"
+		if [ "$__OCF_ACTION" = "start" ]; then
+			# expected to fail during start
+			level="debug"
+		else
+			level="warn"
+		fi
+
+		ocf_log "$level" "command failed, rc $rc"
+		ocf_log "$level" "output/error: $output"
 		return $OCF_ERR_GENERIC
+	else
+		ocf_log debug "output/error: $output"
 	fi
 
+	# delete remaining route-entries if any
+	ip route show to exact ${OCF_RESKEY_ip}/32 dev $OCF_RESKEY_interface | xargs -r ip route delete
+	ip route show table local to exact ${OCF_RESKEY_ip}/32 dev $OCF_RESKEY_interface | xargs -r ip route delete
+
 	return $OCF_SUCCESS
 }
 
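Review bot: The two cleanup pipelines on L262-L263 feed every matching route line into a single `ip route delete`, so if more than one route matches (the same /32 with different metrics or protocols) the concatenated arguments fail, and neither pipeline's status is examined or logged before `return $OCF_SUCCESS`. Use `xargs -r -L1 ip route delete` so each route gets its own invocation, and append `|| ocf_log warn "could not remove stale route for ${OCF_RESKEY_ip}"` so a leftover route is at least visible in the log. `xargs -r` is a GNU extension, which is fine for SLE but worth a comment if the agent is meant to stay portable.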
-ec2ip_get_and_configure() {
+ec2ip_get_instance_eni() {
 	MAC_FILE="/sys/class/net/${OCF_RESKEY_interface}/address"
 	if [ -f $MAC_FILE ]; then
 		cmd="cat ${MAC_FILE}"
@@ -242,7 +330,7 @@
 	fi
 	ocf_log debug "MAC address associated with interface ${OCF_RESKEY_interface}: ${MAC_ADDR}"
 
-	cmd="curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC_ADDR}/interface-id"
+	cmd="curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC_ADDR}/interface-id -H \"X-aws-ec2-metadata-token: $TOKEN\""
 	ocf_log debug "executing command: $cmd"
 	EC2_NETWORK_INTERFACE_ID="$(eval $cmd)"
 	rc=$?
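Review bot: Embedding the IMDSv2 token in `cmd` on L278 means `ocf_log debug "executing command: $cmd"` on L279 writes the token into the cluster log, and the string is then `eval`ed on L280. The token is short-lived but it is still a bearer credential for the metadata service, and `eval` is unnecessary here since nothing in the command needs a second round of expansion. Call curl directly and log only the URL: `EC2_NETWORK_INTERFACE_ID="$(curl -s "http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC_ADDR}/interface-id" -H "X-aws-ec2-metadata-token: $TOKEN")"`. The function starts and ends outside this hunk.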
@@ -251,11 +339,20 @@
 		return $OCF_ERR_GENERIC
 	fi
 	ocf_log debug "network interface id associated MAC address ${MAC_ADDR}: ${EC2_NETWORK_INTERFACE_ID}"
+	echo $EC2_NETWORK_INTERFACE_ID
+}
 
+ec2ip_get_and_configure() {
+	EC2_NETWORK_INTERFACE_ID="$(ec2ip_get_instance_eni)"
 	for rtb in $(echo $OCF_RESKEY_routing_table | sed -e 's/,/ /g'); do
-		cmd="$OCF_RESKEY_awscli --profile $OCF_RESKEY_profile --output text ec2 replace-route --route-table-id $rtb --destination-cidr-block ${OCF_RESKEY_ip}/32 --network-interface-id $EC2_NETWORK_INTERFACE_ID"
-		ocf_log debug "executing command: $cmd"
-		$cmd
+		if [ -z "${OCF_RESKEY_routing_table_role}" ]; then
+			cmd="$OCF_RESKEY_awscli --profile $OCF_RESKEY_profile $region_opt --output text ec2 replace-route --route-table-id $rtb --destination-cidr-block ${OCF_RESKEY_ip}/32 --network-interface-id $EC2_NETWORK_INTERFACE_ID"
+			ocf_log debug "executing command: $cmd"
+			$cmd
+		else
+			cmd="$OCF_RESKEY_awscli $region_opt --output text ec2 replace-route --route-table-id $rtb --destination-cidr-block ${OCF_RESKEY_ip}/32 --network-interface-id $EC2_NETWORK_INTERFACE_ID"
+			update_response="$(execute_cmd_as_role "$cmd" $OCF_RESKEY_routing_table_role)"
+		fi
 		rc=$?
 		if [ "$rc" != 0 ]; then
 			ocf_log warn "command failed, rc: $rc"
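Review bot: In the role branch (L300-L301) `rc=$?` on L303 reads the exit status of `execute_cmd_as_role`, which ends with `unset` and `echo`, so a failed `replace-route` is reported as success and the warning on L305 never fires when a role is configured; the helper needs to capture `$?` after `response="$($cmd)"` and `return` it. Separately, `EC2_NETWORK_INTERFACE_ID` on L290 is not checked, and `ec2ip_get_instance_eni` prints nothing on failure, so `--network-interface-id` would be passed without a value: add `[ -n "$EC2_NETWORK_INTERFACE_ID" ] || return $OCF_ERR_GENERIC` after L290. The function continues past the end of this hunk.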
@@ -363,7 +460,7 @@
 		ec2ip_monitor;;
 	validate-all)
 		exit $?;;
-	*)	
+	*)
 		echo $USAGE
 		exit $OCF_ERR_UNIMPLEMENTED
 		;;
diff -ru resource-agents-4.4.0+git57.70549516-orig/heartbeat/aws-vpc-route53.in resource-agents-4.4.0+git57.70549516/heartbeat/aws-vpc-route53.in
--- resource-agents-4.4.0+git57.70549516-orig/heartbeat/aws-vpc-route53.in	2020-02-24 12:23:11.000000000 +0100
+++ resource-agents-4.4.0+git57.70549516/heartbeat/aws-vpc-route53.in	2021-06-16 13:51:04.398673003 +0200
@@ -37,18 +37,34 @@
 #
 # Mar. 15, 2017, vers 1.0.2
 
+
 #######################################################################
 # Initialization:
 
 : ${OCF_FUNCTIONS_DIR=${OCF_ROOT}/lib/heartbeat}
 . ${OCF_FUNCTIONS_DIR}/ocf-shellfuncs
 
+# Defaults
+OCF_RESKEY_awscli_default="/usr/bin/aws"
+OCF_RESKEY_profile_default="default"
+OCF_RESKEY_hostedzoneid_default=""
+OCF_RESKEY_fullname_default=""
+OCF_RESKEY_ip_default="local"
 OCF_RESKEY_ttl_default=10
 
+: ${OCF_RESKEY_awscli=${OCF_RESKEY_awscli_default}}
+: ${OCF_RESKEY_profile=${OCF_RESKEY_profile_default}}
+: ${OCF_RESKEY_hostedzoneid:=${OCF_RESKEY_hostedzoneid_default}}
+: ${OCF_RESKEY_fullname:=${OCF_RESKEY_fullname_default}}
+: ${OCF_RESKEY_ip:=${OCF_RESKEY_ip_default}}
 : ${OCF_RESKEY_ttl:=${OCF_RESKEY_ttl_default}}
+#######################################################################
 
+
+AWS_PROFILE_OPT="--profile $OCF_RESKEY_profile --cli-connect-timeout 10"
 #######################################################################
 
+
 usage() {
 	cat <<-EOT
 	usage: $0 {start|stop|status|monitor|validate-all|meta-data}
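Review bot: The new defaults mix `${var=default}` (awscli, profile) with `${var:=default}` (hostedzoneid, fullname, ip, ttl), so an explicitly empty `awscli=""` stays empty while an empty `ip=""` is replaced by `local`; with `profile=""`, `AWS_PROFILE_OPT` on L346 expands to a bare `--profile` until r53_validate catches it. Use `:=` on all six lines so empty and unset are treated the same, matching the pre-existing `ttl` line.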
@@ -97,15 +113,44 @@
 		meta target-role=Started
 </longdesc>
 <shortdesc lang="en">Update Route53 VPC record for AWS EC2</shortdesc>
+
 <parameters>
+<parameter name="awscli">
+<longdesc lang="en">
+Path to command line tools for AWS
+</longdesc>
+<shortdesc lang="en">Path to AWS CLI tools</shortdesc>
+<content type="string" default="${OCF_RESKEY_awscli_default}" />
+</parameter>
+
+<parameter name="profile">
+<longdesc lang="en">
+The name of the AWS CLI profile of the root account. This
+profile will have to use the "text" format for CLI output.
+The file /root/.aws/config should have an entry which looks
+like:
+
+  [profile cluster]
+	region = us-east-1
+	output = text
+
+"cluster" is the name which has to be used in the cluster
+configuration. The region has to be the current one. The
+output has to be "text".
+</longdesc>
+<shortdesc lang="en">AWS Profile Name</shortdesc>
+<content type="string" default="${OCF_RESKEY_profile_default}" />
+</parameter>
+
 <parameter name="hostedzoneid" required="1">
 <longdesc lang="en">
 Hosted zone ID of Route 53. This is the table of
 the Route 53 record.
 </longdesc>
 <shortdesc lang="en">AWS hosted zone ID</shortdesc>
-<content type="string" default="" />
+<content type="string" default="${OCF_RESKEY_hostedzoneid_default}" />
 </parameter>
+
 <parameter name="fullname" required="1">
 <longdesc lang="en">
 The full name of the service which will host the IP address.
@@ -113,8 +158,19 @@
 Note: The trailing dot is important to Route53!
 </longdesc>
 <shortdesc lang="en">Full service name</shortdesc>
-<content type="string" default="" />
+<content type="string" default="${OCF_RESKEY_fullname_default}" />
+</parameter>
+
+<parameter name="ip" required="0">
+<longdesc lang="en">
+IP (local (default), public or secondary private IP address (e.g. 10.0.0.1).
+
+A secondary private IP can be setup with the awsvip agent.
+</longdesc>
+<shortdesc lang="en">Type of IP or secondary private IP address (local, public or e.g. 10.0.0.1)</shortdesc>
+<content type="string" default="${OCF_RESKEY_ip_default}" />
 </parameter>
+
 <parameter name="ttl" required="0">
 <longdesc lang="en">
 Time to live for Route53 ARECORD
@@ -122,25 +178,8 @@
 <shortdesc lang="en">ARECORD TTL</shortdesc>
 <content type="string" default="${OCF_RESKEY_ttl_default}" />
 </parameter>
-<parameter name="profile" required="1">
-<longdesc lang="en">
-The name of the AWS CLI profile of the root account. This
-profile will have to use the "text" format for CLI output.
-The file /root/.aws/config should have an entry which looks
-like:
-
-  [profile cluster]
-	region = us-east-1
-	output = text
-
-"cluster" is the name which has to be used in the cluster
-configuration. The region has to be the current one. The
-output has to be "text".
-</longdesc>
-<shortdesc lang="en">AWS Profile Name</shortdesc>
-<content type="string" default="" />
-</parameter>
 </parameters>
+
 <actions>
 <action name="start" timeout="180s" />
 <action name="stop" timeout="180s" />
@@ -167,6 +206,15 @@
 	# Hosted Zone ID
 	[[ -z "$OCF_RESKEY_hostedzoneid" ]] && ocf_log error "Hosted Zone ID parameter not set $OCF_RESKEY_hostedzoneid!" && exit $OCF_ERR_CONFIGURED
 
+	# Type of IP/secondary IP address
+	case $OCF_RESKEY_ip in
+		local|public|*.*.*.*)
+			;;
+		*)
+			ocf_exit_reason "Invalid value for ip: ${OCF_RESKEY_ip}"
+			exit $OCF_ERR_CONFIGURED
+	esac
+
 	# profile
 	[[ -z "$OCF_RESKEY_profile" ]] && ocf_log error "AWS CLI profile not set $OCF_RESKEY_profile!" && exit $OCF_ERR_CONFIGURED
 
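Review bot: The `*.*.*.*` arm on L453 only requires three dots, so values such as `a.b.c.d` or `10.0.0.1/32` pass validation and then flow into `IPADDRESS` and, presumably, the Route53 change batch built in `_update_record` (outside this hunk). Since the file already uses `[[`, tighten the arm with a regex: `*.*.*.*) [[ "$OCF_RESKEY_ip" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || { ocf_exit_reason "Invalid value for ip: ${OCF_RESKEY_ip}"; exit $OCF_ERR_CONFIGURED; };;`. The same loose pattern is repeated in `_get_ip`.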
@@ -174,25 +222,44 @@
 	[[ -z "$OCF_RESKEY_ttl" ]] && ocf_log error "TTL not set $OCF_RESKEY_ttl!" && exit $OCF_ERR_CONFIGURED
 
 	ocf_log debug "Testing aws command"
-	aws --version 2>&1
+	$OCF_RESKEY_awscli --version 2>&1
 	if [ "$?" -gt 0 ]; then
 		ocf_log error "Error while executing aws command as user root! Please check if AWS CLI tools (Python flavor) are properly installed and configured." && exit $OCF_ERR_INSTALLED
 	fi
 	ocf_log debug "ok"
 
-	if [ -n "$OCF_RESKEY_profile" ]; then
-		AWS_PROFILE_OPT="--profile $OCF_RESKEY_profile --cli-connect-timeout 10"
-	else
-		AWS_PROFILE_OPT="--profile default --cli-connect-timeout 10"
+	return $OCF_SUCCESS
+}
+
+r53_start() {
+	#
+	# Start agent and config DNS in Route53
+	#
+	ocf_log info "Starting Route53 DNS update...."
+	_get_ip
+	r53_monitor
+	if [ $? != $OCF_SUCCESS ]; then
+		ocf_log info "Could not start agent - check configurations"
+		return $OCF_ERR_GENERIC
 	fi
+	return $OCF_SUCCESS
+}
 
+r53_stop() {
+	#
+	# Stop operation doesn't perform any API call or try to remove the DNS record
+	# this mostly because this is not necessarily mandatory or desired
+	# the start and monitor functions will take care of changing the DNS record
+	# if the agent starts in a different cluster node
+	#
+	ocf_log info "Bringing down Route53 agent. (Will NOT remove Route53 DNS record)"
 	return $OCF_SUCCESS
 }
 
 r53_monitor() {
 	#
 	# For every start action the agent  will call Route53 API to check for DNS record
-	# otherwise it will try to get results directly bu querying the DNS using "dig".
+	# otherwise it will try to get results directly by querying the DNS using "dig".
 	# Due to complexity in some DNS architectures "dig" can fail, and if this happens
 	# the monitor will fallback to the Route53 API call.
 	#
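Review bot: `r53_start` calls `_get_ip` on L486 and then `r53_monitor`, which calls `_get_ip` again (L519), so on start the IMDSv2 token and the address are fetched twice. Dropping the call on L486, or having `r53_monitor` skip the lookup when `IPADDRESS` is already set, removes the duplicate round-trip; this is a style point, behaviour is otherwise unchanged.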
@@ -208,11 +275,11 @@
 	r53_validate
 	ocf_log debug "Checking Route53 record sets"
 	#
-	IPADDRESS="$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)"
+	_get_ip
 	#
 	if [ "$__OCF_ACTION" = "start" ] || ocf_is_probe ; then
 		#
-		cmd="aws $AWS_PROFILE_OPT route53 list-resource-record-sets --hosted-zone-id $OCF_RESKEY_hostedzoneid --query ResourceRecordSets[?Name=='$OCF_RESKEY_fullname']"
+		cmd="$OCF_RESKEY_awscli $AWS_PROFILE_OPT route53 list-resource-record-sets --hosted-zone-id $OCF_RESKEY_hostedzoneid --query ResourceRecordSets[?Name=='$OCF_RESKEY_fullname']"
 		ocf_log info "Route53 Agent Starting or probing - executing monitoring API call: $cmd"
 		CLIRES="$($cmd 2>&1)"
 		rc=$?
@@ -244,7 +311,7 @@
 		#
 		if  [[ ! $ARECORD =~ $IPREGEX ]] || [ $rc -ne 0 ]; then
 			ocf_log info "Fallback to Route53 API query due to DNS resolution failure"
-			cmd="aws $AWS_PROFILE_OPT route53 list-resource-record-sets --hosted-zone-id $OCF_RESKEY_hostedzoneid --query ResourceRecordSets[?Name=='$OCF_RESKEY_fullname']"
+			cmd="$OCF_RESKEY_awscli $AWS_PROFILE_OPT route53 list-resource-record-sets --hosted-zone-id $OCF_RESKEY_hostedzoneid --query ResourceRecordSets[?Name=='$OCF_RESKEY_fullname']"
 			ocf_log debug "executing monitoring API call: $cmd"
 			CLIRES="$($cmd 2>&1)"
 			rc=$?
@@ -277,6 +344,16 @@
 	return $OCF_SUCCESS
 }
 
+_get_ip() {
+	case $OCF_RESKEY_ip in
+		local|public)
+			TOKEN=$(curl -sX PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
+			IPADDRESS=$(curl -s http://169.254.169.254/latest/meta-data/${OCF_RESKEY_ip}-ipv4 -H "X-aws-ec2-metadata-token: $TOKEN");;
+		*.*.*.*)
+			IPADDRESS="${OCF_RESKEY_ip}";;
+	esac
+}
+
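Review bot: `_get_ip` leaves `IPADDRESS` empty without any signal when the IMDS read fails or the token PUT returns nothing (curl does not send a header whose value is empty, so the read silently degrades to IMDSv1), and the callers at L486 and L519 do not check it, so the rest of the monitor runs with an empty address. Add after the `case`: `[ -n "$IPADDRESS" ] || { ocf_exit_reason "could not determine IP address for ip=${OCF_RESKEY_ip}"; return $OCF_ERR_GENERIC; }` and have the callers propagate that status; `-f --connect-timeout 2 --max-time 5` on both curl calls bounds the stall.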
 _update_record() {
 	#
 	# This function is the one that will actually execute Route53's API call
@@ -314,7 +391,7 @@
 		  ]
 	}
 	EOF
-	cmd="aws --profile $OCF_RESKEY_profile route53 change-resource-record-sets --hosted-zone-id $OCF_RESKEY_hostedzoneid --change-batch file://$ROUTE53RECORD "
+	cmd="$OCF_RESKEY_awscli $AWS_PROFILE_OPT route53 change-resource-record-sets --hosted-zone-id $OCF_RESKEY_hostedzoneid --change-batch file://$ROUTE53RECORD "
 	ocf_log debug "Executing command: $cmd"
 	CLIRES="$($cmd 2>&1)"
 	rc=$?
@@ -334,36 +411,11 @@
 	MYSECONDS=20
 	while [ "$STATUS" = 'PENDING' ]; do
 		sleep $MYSECONDS
-		STATUS="$(aws --profile $OCF_RESKEY_profile route53 get-change --id $CHANGEID | grep CHANGEINFO | awk -F'\t' '{ print $4 }' |cut -d'"' -f 2 )"
+		STATUS="$($OCF_RESKEY_awscli $AWS_PROFILE_OPT route53 get-change --id $CHANGEID | grep CHANGEINFO | awk -F'\t' '{ print $4 }' |cut -d'"' -f 2 )"
 		ocf_log debug "Waited for $MYSECONDS seconds and checked execution of Route 53 update status: $STATUS "
 	done
 }
 
-r53_stop() {
-	#
-	# Stop operation doesn't perform any API call or try to remove the DNS record
-	# this mostly because this is not necessarily mandatory or desired
-	# the start and monitor functions will take care of changing the DNS record
-	# if the agent starts in a different cluster node
-	#
-	ocf_log info "Bringing down Route53 agent. (Will NOT remove Route53 DNS record)"
-	return $OCF_SUCCESS
-}
-
-r53_start() {
-	#
-	# Start agent and config DNS in Route53
-	#
-	ocf_log info "Starting Route53 DNS update...."
-	IPADDRESS="$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)"
-	r53_monitor
-	if [ $? != $OCF_SUCCESS ]; then
-		ocf_log info "Could not start agent - check configurations"
-		return $OCF_ERR_GENERIC
-	fi
-	return $OCF_SUCCESS
-}
-
 ###############################################################################
 
 case $__OCF_ACTION in
@@ -375,20 +427,23 @@
 		metadata
 		exit $OCF_SUCCESS
 		;;
-	monitor)
-		r53_monitor
+	start)
+		r53_validate || exit $?
+		r53_start
 		;;
 	stop)
 		r53_stop
 		;;
+	monitor)
+		r53_monitor
+		;;
 	validate-all)
 		r53_validate
 		;;
-	start)
-		r53_start
-		;;
 	*)
 		usage
 		exit $OCF_ERR_UNIMPLEMENTED
 		;;
 esac
+
+exit $?