Use the base64-encoded signature to verify the instance identity document
This topic explains how to verify the instance identity document using the base64-encoded signature and the AWS RSA public certificate.
To validate the instance identity document using the base64-encoded signature and the AWS RSA public certificate
- Connect to the instance.
- Retrieve the base64-encoded signature from the instance metadata, convert it to binary, and add it to a file named signature. Use one of the following commands depending on the IMDS version used by the instance.
- Retrieve the plaintext instance identity document from the instance metadata and add it to a file named document. Use one of the following commands depending on the IMDS version used by the instance.
- Find the RSA public certificate for your Region in AWS public certificates and add the contents to a new file named certificate. Use the certificate for the Region in which the instance runs (the Region named in the document's region field); a certificate for a different Region has a different key and the signature will not verify against it.
- Extract the public key from the AWS RSA public certificate and save it to a file named key.
$ openssl x509 -pubkey -noout -in certificate >> key
- Use the OpenSSL dgst command to verify the instance identity document.
$ openssl dgst -sha256 -verify key -signature signature document
If the signature is valid, OpenSSL prints Verified OK; if it is not, OpenSSL prints Verification Failure and exits with a non-zero status, so the command can be used directly as a check in a script. The dgst command only reports the result; it does not write anything to document. That file is the plaintext identity document you retrieved from the instance metadata in the earlier step. You can confirm that the document you verified matches the one the instance metadata currently serves by comparing the digests produced by the following two commands (the second command assumes IMDSv2, with a session token in TOKEN).
$ openssl dgst -sha256 < document
$ curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/dynamic/instance-identity/document | openssl dgst -sha256
If the signature cannot be verified, contact AWS Support.
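The procedure above can be rehearsed end to end without an EC2 instance. The following script is an added example, not code from the AWS page: it generates a throwaway self-signed RSA certificate that stands in for the AWS Region certificate, constructs a made-up identity document, signs it the way AWS does (SHA-256, RSA), base64-encodes the signature as IMDS serves it, and then runs the exact x509 / base64 -d / dgst -verify steps of the procedure, once against the real document and once against a document with a single field changed. The function names verify_doc, make_fixture, demo and on_instance, the file layout under a temporary directory, and the sample JSON values are all assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the AWS page): rehearses the verification steps
# above offline. A throwaway self-signed RSA certificate stands in for the
# AWS Region certificate and a constructed JSON document stands in for the
# identity document served by IMDS. File names match the procedure:
# certificate, key, signature, document.
set -eu

WORK=$(mktemp -d)

# verify_doc DOCUMENT BASE64_SIGNATURE CERTIFICATE
# Returns 0 when the signature over DOCUMENT verifies under the public key
# in CERTIFICATE, non-zero otherwise. Output is suppressed; callers branch
# on the exit status, which is what a scripted check should do.
verify_doc() {
  doc=$1; sig_b64=$2; cert=$3
  # Step 5: extract the public key from the certificate.
  openssl x509 -pubkey -noout -in "$cert" > "$WORK/key" 2>/dev/null || return 1
  # Step 2: decode the base64 signature to binary.
  base64 -d "$sig_b64" > "$WORK/signature" 2>/dev/null || return 1
  # Step 6: verify. openssl prints "Verified OK" and exits 0 on success.
  openssl dgst -sha256 -verify "$WORK/key" -signature "$WORK/signature" "$doc" >/dev/null 2>&1
}

# make_fixture: build the stand-in certificate, document and signature.
# The signing key plays the role of AWS; on a real instance you never hold
# it, you only hold the certificate published for the Region.
make_fixture() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=stand-in-for-aws-region-cert" \
    -keyout "$WORK/signing.key" -out "$WORK/certificate" >/dev/null 2>&1
  # Constructed document; the values are made up for this example.
  printf '%s' '{"accountId":"123456789012","instanceId":"i-0123456789abcdef0","region":"us-east-1"}' \
    > "$WORK/document"
  # Sign the document and base64-encode the signature, as IMDS serves it.
  openssl dgst -sha256 -sign "$WORK/signing.key" "$WORK/document" | base64 > "$WORK/signature.b64"
}

# demo: echo "<good> <tampered>", each "ok" or "fail".
# Changing one field of the document must make verification fail.
demo() {
  make_fixture
  if verify_doc "$WORK/document" "$WORK/signature.b64" "$WORK/certificate"; then good=ok; else good=fail; fi
  sed 's/us-east-1/us-west-2/' "$WORK/document" > "$WORK/document.tampered"
  if verify_doc "$WORK/document.tampered" "$WORK/signature.b64" "$WORK/certificate"; then bad=ok; else bad=fail; fi
  echo "$good $bad"
}

# on_instance CERTIFICATE: the same verify_doc applied to live IMDSv2 data
# (steps 2 and 3 of the procedure). Not run by the demo because it needs
# an EC2 instance; CERTIFICATE is the Region certificate saved in step 4.
on_instance() {
  cert=$1
  TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" \
    -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
  curl -s -H "X-aws-ec2-metadata-token: $TOKEN" \
    http://169.254.169.254/latest/dynamic/instance-identity/signature > "$WORK/sig.b64"
  curl -s -H "X-aws-ec2-metadata-token: $TOKEN" \
    http://169.254.169.254/latest/dynamic/instance-identity/document > "$WORK/document"
  verify_doc "$WORK/document" "$WORK/sig.b64" "$cert"
}

demo
```

Running the script prints "ok fail": the untouched document verifies and the one with region changed does not, even though the certificate, key and signature are identical in both runs. On an instance, call on_instance with the saved Region certificate instead of demo; verify_doc is unchanged, which is the point: the check is the same openssl dgst -sha256 -verify invocation as in the procedure, with the only trusted input being the certificate you obtained from AWS public certificates.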