IMDS credential provider
Instance Metadata Service (IMDS) provides data about your instance that you can use to configure or manage the running instance. For more information about the data available, see Work with instance metadata in the Amazon EC2 User Guide. Amazon EC2 provides a local endpoint available to instances that can provide various bits of information to the instance. If the instance has a role attached, it can provide a set of credentials that are valid for that role. The SDKs can use that endpoint to resolve credentials as part of their default credential provider chain. Instance Metadata Service Version 2 (IMDSv2), a more secure version of IMDS that uses a session token, is used by default. If that fails due to a non-retryable condition (HTTP error codes 403, 404, 405), IMDSv1 is used as a fallback.
Configure this functionality by using the following:
AWS_EC2_METADATA_DISABLED
- environment variable-
Whether or not to attempt to use Amazon EC2 Instance Metadata Service (IMDS) to obtain credentials.
Default value:
false
.Valid values:
-
true
– Do not use IMDS to obtain credentials. -
false
– Use IMDS to obtain credentials.
-
ec2_metadata_v1_disabled
- shared AWSconfig
file settingAWS_EC2_METADATA_V1_DISABLED
- environment variableaws.disableEc2MetadataV1
- JVM system property: Java/Kotlin only-
Whether or not to use Instance Metadata Service Version 1 (IMDSv1) as a fallback if IMDSv2 fails.
Note
New SDKs don't support IMDSv1 and, thus, don't support this setting. For details, see table Compatibility with AWS SDKs.
Default value:
false
.Valid values:
-
true
– Do not use IMDSv1 as a fallback. -
false
– Use IMDSv1 as a fallback.
-
ec2_metadata_service_endpoint
- shared AWSconfig
file settingAWS_EC2_METADATA_SERVICE_ENDPOINT
- environment variableaws.ec2MetadataServiceEndpoint
- JVM system property: Java/Kotlin only-
The endpoint of IMDS.
Default value: If
ec2_metadata_service_endpoint_mode
equalsIPv4
, then default endpoint ishttp://169.254.169.254
. Ifec2_metadata_service_endpoint_mode
equalsIPv6
, then default endpoint ishttp://[fd00:ec2::254]
.Valid values: Valid URI.
ec2_metadata_service_endpoint_mode
- shared AWSconfig
file settingAWS_EC2_METADATA_SERVICE_ENDPOINT_MODE
- environment variableaws.ec2MetadataServiceEndpointMode
- JVM system property: Java/Kotlin only-
The endpoint mode of IMDS.
Default value:
IPv4
.Valid values:
IPv4
,IPv6
.
Note
The IMDS credential provider is a part of the Credential provider chain. However, the IMDS credential provider is only checked after several other providers that are in this series. Therefore, if you want your program use this provider's credentials, you must remove other valid credential providers from your configuration or use a different profile. Alternatively, instead of relying on the credential provider chain to automatically discover which provider returns valid credentials, specify the use of the IMDS credential provider in code. You can specify credential sources directly when you create service clients.
Security for IMDS credentials
By default, when the AWS SDK is not configured with valid credentials the SDK will attempt to use the Amazon EC2 Instance
Metadata Service (IMDS) to retrieve credentials for an AWS role. This behavior can be disabled by setting the
AWS_EC2_METADATA_DISABLED
environment variable to true
. This prevents unnecessary network
activity and enhances security on untrusted networks where the Amazon EC2 Instance Metadata Service may be impersonated.
Note
AWS SDK clients configured with valid credentials will never use IMDS to retrieve credentials, regardless of any of these settings.
Disabling use of Amazon EC2 IMDS credentials
How you set this environment variable depends on what operating system is in use as well as whether or not you want the change to be persistent.
Linux and macOS
Customers using Linux or macOS can set this environment variable with the following command:
$ export AWS_EC2_METADATA_DISABLED=true
If you want this setting to be persistent across multiple shell sessions and system restarts, you can add the above
command to your shell profile file, such as .bash_profile
, .zsh_profile
, or
.profile
.
Windows
Customers using Windows can set this environment variable with the following command:
$ set AWS_EC2_METADATA_DISABLED=true
If you want this setting to be persistent across multiple shell sessions and system restarts can use the following command instead:
$ setx AWS_EC2_METADATA_DISABLED=true
Note
The setx command does not apply the value to the current shell session, so you will need to reload or reopen the shell for the change to take effect.
Compatibility with AWS SDKs
The following SDKs support the features and settings described in this topic. Any partial exceptions are noted. Any JVM system property settings are supported by the AWS SDK for Java and the AWS SDK for Kotlin only.
SDK | Supported | Notes or more information |
---|---|---|
AWS CLI v2 | Yes | |
SDK for C++ | Yes | |
SDK for Go V2 (1.x) |
Yes | |
SDK for Go 1.x (V1) | Yes | To use shared config file settings, you must turn on loading from the config file; see Sessions. |
SDK for Java 2.x | Yes | |
SDK for Java 1.x | Partial | JVM system properties: Use com.amazonaws.sdk.disableEc2MetadataV1 instead of
aws.disableEc2MetadataV1 ; aws.ec2MetadataServiceEndpoint and
aws.ec2MetadataServiceEndpointMode not supported. |
SDK for JavaScript 3.x | Yes | |
SDK for JavaScript 2.x | Yes | |
SDK for Kotlin | Yes | Does not use IMDSv1 fallback. |
SDK for .NET 3.x | Yes | |
SDK for PHP 3.x | Yes | |
SDK for Python (Boto3) |
Yes | |
SDK for Ruby 3.x | Yes | |
SDK for Rust | Yes | Does not use IMDSv1 fallback. |
SDK for Swift | Yes | |
Tools for PowerShell | Yes | You can disable IMDSv1 fallback explicitly in code using
[Amazon.Util.EC2InstanceMetadata]::EC2MetadataV1Disabled = $true . |