ModifyInstanceMetadataOptions
Modify the instance metadata parameters on a running or stopped instance. When you modify the parameters on a stopped instance, they are applied when the instance is started. When you modify the parameters on a running instance, the API responds with a state of “pending”. After the parameter modifications are successfully applied to the instance, the state of the modifications changes from “pending” to “applied” in subsequent describe-instances API calls. For more information, see Instance metadata and user data in the Amazon EC2 User Guide.
Request Parameters
The following parameters are for this specific action. For more information about required and optional parameters that are common to all actions, see Common Query Parameters.
- DryRun
-
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
Type: Boolean
Required: No
- HttpEndpoint
-
Enables or disables the HTTP metadata endpoint on your instances. If this parameter is not specified, the existing state is maintained.
If you specify a value of disabled, you cannot access your instance metadata.
Type: String
Valid Values: disabled | enabled
Required: No
- HttpProtocolIpv6
-
Enables or disables the IPv6 endpoint for the instance metadata service. Applies only if you enabled the HTTP metadata endpoint.
Type: String
Valid Values: disabled | enabled
Required: No
- HttpPutResponseHopLimit
-
The desired HTTP PUT response hop limit for instance metadata requests. The larger the number, the further instance metadata requests can travel. If no parameter is specified, the existing state is maintained.
Possible values: Integers from 1 to 64
Type: Integer
Required: No
- HttpTokens
-
IMDSv2 uses token-backed sessions. Set the use of HTTP tokens to optional (in other words, set the use of IMDSv2 to optional) or required (in other words, set the use of IMDSv2 to required).
- optional - When IMDSv2 is optional, you can choose to retrieve instance metadata with or without a session token in your request. If you retrieve the IAM role credentials without a token, the IMDSv1 role credentials are returned. If you retrieve the IAM role credentials using a valid session token, the IMDSv2 role credentials are returned.
- required - When IMDSv2 is required, you must send a session token with any instance metadata retrieval requests. In this state, retrieving the IAM role credentials always returns IMDSv2 credentials; IMDSv1 credentials are not available.
Default: optional
Type: String
Valid Values: optional | required
Required: No
- InstanceId
-
The ID of the instance.
Type: String
Required: Yes
- InstanceMetadataTags
-
Set to enabled to allow access to instance tags from the instance metadata. Set to disabled to turn off access to instance tags from the instance metadata. For more information, see Work with instance tags using the instance metadata.
Default: disabled
Type: String
Valid Values: disabled | enabled
Required: No
Response Elements
The following elements are returned by the service.
- instanceId
-
The ID of the instance.
Type: String
- instanceMetadataOptions
-
The metadata options for the instance.
Type: InstanceMetadataOptionsResponse object
- requestId
-
The ID of the request.
Type: String
Errors
For information about the errors that are common to all actions, see Common client error codes.
Examples
Example 1: Turn on token requirement
The following example disables access to the instance metadata unless a session token is used in the instance metadata request header. To turn on token requirement, specify required for HttpTokens.
Sample Request
https://ec2.amazonaws.com/?Action=ModifyInstanceMetadataOptions
&InstanceId=i-1234567890abcdef0
&HttpTokens=required
&AUTHPARAMS
Sample Response
<ModifyInstanceMetadataOptions xmlns="http://ec2.amazonaws.com/doc/2016-11-15/">
  <requestId>59dbff89-35bd-4eac-99ed-be587EXAMPLE</requestId>
  <instanceId>i-1234567890abcdef0</instanceId>
  <MetadataOptions>
    <state>pending</state>
    <HttpTokens>required</HttpTokens>
    <HttpPutResponseHopLimit>1</HttpPutResponseHopLimit>
    <HttpEndpoint>enabled</HttpEndpoint>
  </MetadataOptions>
</ModifyInstanceMetadataOptions>
Example 2: Turn off access to instance metadata
The following example disables access to the instance metadata by changing the HTTP endpoint state to disabled. To turn off access to instance metadata, specify disabled for HttpEndpoint.
Sample Request
https://ec2.amazonaws.com/?Action=ModifyInstanceMetadataOptions
&InstanceId=i-1234567890abcdef0
&HttpEndpoint=disabled
&AUTHPARAMS
Sample Response
<ModifyInstanceMetadataOptions xmlns="http://ec2.amazonaws.com/doc/2016-11-15/">
  <requestId>59dbff89-35bd-4eac-99ed-be587EXAMPLE</requestId>
  <instanceId>i-1234567890abcdef0</instanceId>
  <MetadataOptions>
    <state>pending</state>
    <HttpTokens>required</HttpTokens>
    <HttpPutResponseHopLimit>1</HttpPutResponseHopLimit>
    <HttpEndpoint>disabled</HttpEndpoint>
  </MetadataOptions>
</ModifyInstanceMetadataOptions>
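Added example (not part of the AWS reference): a Python sketch that validates hardening parameters against the valid values listed on this page, builds the unsigned query string in the form of the sample requests, and compares a response with the requested settings. The helper names build_query and check_response are hypothetical; request signing (AUTHPARAMS) is omitted, and the response element names are taken from the sample response in Example 1.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Valid values as listed in the parameter descriptions on this page.
ENUMS = {name: {"disabled", "enabled"} for name in
         ("HttpEndpoint", "HttpProtocolIpv6", "InstanceMetadataTags")}
ENUMS["HttpTokens"] = {"optional", "required"}

# Sample response copied from Example 1 on this page.
SAMPLE_RESPONSE = """<ModifyInstanceMetadataOptions xmlns="http://ec2.amazonaws.com/doc/2016-11-15/">
<requestId>59dbff89-35bd-4eac-99ed-be587EXAMPLE</requestId>
<instanceId>i-1234567890abcdef0</instanceId>
<MetadataOptions>
<state>pending</state>
<HttpTokens>required</HttpTokens>
<HttpPutResponseHopLimit>1</HttpPutResponseHopLimit>
<HttpEndpoint>enabled</HttpEndpoint>
</MetadataOptions>
</ModifyInstanceMetadataOptions>"""


def build_query(instance_id, **options):
    """Build the unsigned query string; signing (AUTHPARAMS) is out of scope."""
    if not instance_id:
        raise ValueError("InstanceId is required")
    params = {"Action": "ModifyInstanceMetadataOptions", "InstanceId": instance_id}
    for name, value in options.items():
        if name == "HttpPutResponseHopLimit":
            if type(value) is not int or not 1 <= value <= 64:
                raise ValueError("HttpPutResponseHopLimit must be an integer from 1 to 64")
        elif value not in ENUMS.get(name, ()):
            raise ValueError(f"{name}={value!r} is not a parameter/value listed on this page")
        params[name] = value
    return urlencode(params)


def check_response(xml_text, wanted):
    """Return (state, mismatches) comparing the response's leaf elements to `wanted`."""
    got = {el.tag.rsplit("}", 1)[-1]: (el.text or "").strip()
           for el in ET.fromstring(xml_text).iter() if len(el) == 0}
    mismatches = {k: got.get(k) for k, v in wanted.items() if got.get(k) != str(v)}
    return got.get("state"), mismatches


if __name__ == "__main__":
    wanted = {"HttpTokens": "required", "HttpPutResponseHopLimit": 1}
    print(build_query("i-1234567890abcdef0", **wanted))
    print(check_response(SAMPLE_RESPONSE, wanted))  # state is "pending" until applied
```

A state of pending on a running instance means the change is accepted but not yet in effect; confirm it has moved to applied in subsequent describe-instances calls before treating IMDSv2 as enforced.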