Module Server 0.16.1. Last updated in version 0.13.6.

Require Instance Metadata Service version script


This folder contains a script (require-instance-metadata-service-version) you can use to either:

  1. Allow access to both versions 1.0 and 2.0 of the Instance Metadata Service
  2. Disable version 1.0 of the Instance Metadata Service and require that version 2.0 be used

Learn more at the official AWS EC2 Instance Metadata Service documentation.

Check out the route53-helpers example for how to use these scripts with Packer and Terraform.

Installing bash-commons

bash-commons is a dependency of this script. You must first install it via the Gruntwork Installer. This script requires version v0.1.8 of bash-commons or newer.

gruntwork-install --module-name "bash-commons" --repo "https://github.com/gruntwork-io/bash-commons" --tag "0.1.8"

Installing the script

You can install these scripts using the Gruntwork Installer:

gruntwork-install --module-name "require-instance-metadata-service-version" --repo "https://github.com/gruntwork-io/terraform-aws-server" --tag "0.13.3"

Using the script

The require-instance-metadata-service-version script has the following prerequisites:

  1. It must be run on an EC2 instance
  2. It requires that bash-commons version v0.1.8 or newer is installed on the EC2 Instance. See instructions above.
  3. The EC2 instance must have an IAM role with permissions to modify the Instance Metadata Service's options. See the route53-helpers example for a reference implementation.
  4. The EC2 instance must have the AWS CLI (version 2.2.37 or higher), unzip and jq installed.

Run the require-instance-metadata-service-version script in the User Data of your EC2 instances, before any calls to the Instance Metadata Service, to configure whether version 2.0 is required or optional.

Here is an example usage:

# Require that only IMDS version 2.0 be used, disabling version 1.0
require-instance-metadata-service-version --version-2-state 'required'

# Allow either IMDS 1.0 or 2.0 versions to be used
require-instance-metadata-service-version --version-2-state 'optional'

Example output:

Setting Instance Metadata Service version 2 state to required
{
  "InstanceId": "i-002132f6f69e13b22",
  "InstanceMetadataOptions": {
    "State": "pending",
    "HttpTokens": "required",
    "HttpPutResponseHopLimit": 1,
    "HttpEndpoint": "enabled",
    "HttpProtocolIpv6": "disabled"
  }
}

...

Setting Instance Metadata Service version 2 state to optional
{
  "InstanceId": "i-002132f6f69e13b22",
  "InstanceMetadataOptions": {
    "State": "pending",
    "HttpTokens": "optional",
    "HttpPutResponseHopLimit": 1,
    "HttpEndpoint": "enabled",
    "HttpProtocolIpv6": "disabled"
  }
}
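
Both example outputs report "State": "pending", so the new setting is not yet in force when the script returns. The following is an added example, not part of the Gruntwork module, of a check that User Data can run to confirm the setting has taken effect before anything else reads instance metadata. The function names and the IMDS_POLL_SECONDS variable are hypothetical; the endpoint address and header names are the ones AWS documents for the Instance Metadata Service, and curl is assumed to be installed.

```bash
#!/usr/bin/env bash
# Added example (not Gruntwork code). Function names are hypothetical.
# Endpoint and header names are those documented by AWS for IMDS.
IMDS_URL="http://169.254.169.254/latest"

# Map two HTTP status codes to an IMDS mode.
#   $1 = status of a GET sent without a token (version 1.0 style)
#   $2 = status of the same GET sent with a version 2.0 session token
classify_imds_mode() {
  case "$2:$1" in
    200:401) echo "required" ;;  # token-less request refused, 2.0 works
    200:200) echo "optional" ;;  # token-less request is still answered
    *)       echo "unknown"  ;;  # endpoint disabled, unreachable, or not EC2
  esac
}

# Probe the local metadata endpoint and print the observed mode.
probe_imds_mode() {
  local token v1_status v2_status
  v1_status="$(curl -s -m 2 -o /dev/null -w '%{http_code}' \
    "$IMDS_URL/meta-data/instance-id" || true)"
  token="$(curl -s -m 2 -X PUT \
    -H 'X-aws-ec2-metadata-token-ttl-seconds: 60' "$IMDS_URL/api/token" || true)"
  v2_status="$(curl -s -m 2 -o /dev/null -w '%{http_code}' \
    -H "X-aws-ec2-metadata-token: $token" "$IMDS_URL/meta-data/instance-id" || true)"
  classify_imds_mode "$v1_status" "$v2_status"
}

# Poll until the observed mode equals $1, since the change is applied
# asynchronously (the script output shows "State": "pending").
#   $2 = attempts (default 10), $3 = probe command (default probe_imds_mode)
wait_for_imds_mode() {
  local expected="$1" attempts="${2:-10}" probe="${3:-probe_imds_mode}" i=0
  while [ "$i" -lt "$attempts" ]; do
    if [ "$("$probe")" = "$expected" ]; then
      return 0
    fi
    i=$((i + 1))
    sleep "${IMDS_POLL_SECONDS:-3}"
  done
  echo "IMDS mode did not become '$expected' after $attempts checks" >&2
  return 1
}

# In User Data, after the script call and before anything reads metadata:
#   require-instance-metadata-service-version --version-2-state 'required'
#   wait_for_imds_mode required || exit 1
```

A result of "unknown" means the version 2.0 request itself failed, so treat it as a failed check rather than as proof that version 1.0 is disabled.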