Difference between revisions of "IMDS initiate session"

• Initiate session (bash example)

TOKEN=`curl --request PUT
"http://169.254.169.254/latest/api/token"
--header "X-aws-ec2-metadata-token-ttl-seconds: 600"`

• Continue session with GET request but required token

curl --request GET "http://169.254.169.254/latest/metadata/ami-id" --header "X-aws-ec2-metadata-token: $TOKEN"

• This token expires after 10 minutes (600 seconds)
• IMDS distinguishes between v1 and v2 requests by presence of

headers Ref: https://d1.awsstatic.com/events/reinvent/2019/Security_best_practices_for_the_Amazon_EC2_instance_metadata_service_SEC310

See also

• IMDS, IMDS versions (IMDSv2), IMDS initiate session, ec2-imdsv2-check, aws ec2 modify-instance-metadata-options, /latest/meta-data, /latest/user-data, modify-instance-metadata-defaults