AWS EC2 Metadata Service v2 uses session tokens:
$ ec2metadata
Traceback (most recent call last):
File "/usr/bin/ec2metadata", line 249, in <module>
main()
File "/usr/bin/ec2metadata", line 245, in main
display(metaopts, burl, prefix)
File "/usr/bin/ec2metadata", line 192, in display
value = m.get(metaopt)
File "/usr/bin/ec2metadata", line 177, in get
return self._get('meta-data/' + metaopt)
File "/usr/bin/ec2metadata", line 137, in _get
resp = urllib_request.urlopen(urllib_request.Request(url))
File "/usr/lib/python3.8/urllib/request.py", line 222, in urlopen
return opener.open(url, data, timeout)
File "/usr/lib/python3.8/urllib/request.py", line 531, in open
response = meth(req, response)
File "/usr/lib/python3.8/urllib/request.py", line 640, in http_response
response = self.parent.error(
File "/usr/lib/python3.8/urllib/request.py", line 569, in error
return self._call_chain(*args)
File "/usr/lib/python3.8/urllib/request.py", line 502, in _call_chain
result = func(*args)
File "/usr/lib/python3.8/urllib/request.py", line 649, in http_error_default
raise HTTPError(req.full_url, code, msg, hdrs, fp)
urllib.error.HTTPError: HTTP Error 401: Unauthorized
Basic flow: obtain a session token with a PUT request
IMDSv2_TOKEN=$(curl -X PUT -H "X-aws-ec2-metadata-token-ttl-seconds: 30" -sL "http://169.254.169.254/latest/api/token")
IMDSv2_HEADER="-H X-aws-ec2-metadata-token:${IMDSv2_TOKEN}"
Send the session token when querying
curl -fs $IMDSv2_HEADER http://169.254.169.254/latest/.../
Oops. Didn't file the bug correctly.
I've looked into the locating the sources for the package / python script.
https:/
Indeed this doesn't have support for IMDSv2 session tokens.
This github gist has support for it:
https:/
I'll submit a patch shortly.