IMDS credential provider - AWS SDKs and Tools

IMDS credential provider

Instance Metadata Service (IMDS) provides data about your instance that you can use to configure or manage the running instance. For more information about the data available, see Work with instance metadata in the Amazon EC2 User Guide. Amazon EC2 provides a local endpoint available to instances that can provide various bits of information to the instance. If the instance has a role attached, it can provide a set of credentials that are valid for that role. The SDKs can use that endpoint to resolve credentials as part of their default credential provider chain. Instance Metadata Service Version 2 (IMDSv2), a more secure version of IMDS that uses a session token, is used by default. If that fails due to a non-retryable condition (HTTP error codes 403, 404, 405), IMDSv1 is used as a fallback.

Configure this functionality by using the following:

AWS_EC2_METADATA_DISABLED - environment variable

Whether or not to attempt to use Amazon EC2 Instance Metadata Service (IMDS) to obtain credentials.

Default value: false.

Valid values:

  • true – Do not use IMDS to obtain credentials.

  • false – Use IMDS to obtain credentials.

ec2_metadata_v1_disabled - shared AWS config file setting
AWS_EC2_METADATA_V1_DISABLED - environment variable
aws.disableEc2MetadataV1 - JVM system property: Java/Kotlin only

Whether or not to use Instance Metadata Service Version 1 (IMDSv1) as a fallback if IMDSv2 fails.

Note

New SDKs don't support IMDSv1 and, thus, don't support this setting. For details, see table Compatibility with AWS SDKs.

Default value: false.

Valid values:

  • true – Do not use IMDSv1 as a fallback.

  • false – Use IMDSv1 as a fallback.

ec2_metadata_service_endpoint - shared AWS config file setting
AWS_EC2_METADATA_SERVICE_ENDPOINT - environment variable
aws.ec2MetadataServiceEndpoint - JVM system property: Java/Kotlin only

The endpoint of IMDS.

Default value: If ec2_metadata_service_endpoint_mode equals IPv4, then default endpoint is http://169.254.169.254. If ec2_metadata_service_endpoint_mode equals IPv6, then default endpoint is http://[fd00:ec2::254].

Valid values: Valid URI.

ec2_metadata_service_endpoint_mode - shared AWS config file setting
AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE - environment variable
aws.ec2MetadataServiceEndpointMode - JVM system property: Java/Kotlin only

The endpoint mode of IMDS.

Default value:IPv4.

Valid values: IPv4, IPv6.

Note

The IMDS credential provider is a part of the Credential provider chain. However, the IMDS credential provider is only checked after several other providers that are in this series. Therefore, if you want your program use this provider's credentials, you must remove other valid credential providers from your configuration or use a different profile. Alternatively, instead of relying on the credential provider chain to automatically discover which provider returns valid credentials, specify the use of the IMDS credential provider in code. You can specify credential sources directly when you create service clients.

Security for IMDS credentials

By default, when the AWS SDK is not configured with valid credentials the SDK will attempt to use the Amazon EC2 Instance Metadata Service (IMDS) to retrieve credentials for an AWS role. This behavior can be disabled by setting the AWS_EC2_METADATA_DISABLED environment variable to true. This prevents unnecessary network activity and enhances security on untrusted networks where the Amazon EC2 Instance Metadata Service may be impersonated.

Note

AWS SDK clients configured with valid credentials will never use IMDS to retrieve credentials, regardless of any of these settings.

Disabling use of Amazon EC2 IMDS credentials

How you set this environment variable depends on what operating system is in use as well as whether or not you want the change to be persistent.

Linux and macOS

Customers using Linux or macOS can set this environment variable with the following command:

$ export AWS_EC2_METADATA_DISABLED=true

If you want this setting to be persistent across multiple shell sessions and system restarts, you can add the above command to your shell profile file, such as .bash_profile, .zsh_profile, or .profile.

Windows

Customers using Windows can set this environment variable with the following command:

$ set AWS_EC2_METADATA_DISABLED=true

If you want this setting to be persistent across multiple shell sessions and system restarts can use the following command instead:

$ setx AWS_EC2_METADATA_DISABLED=true
Note

The setx command does not apply the value to the current shell session, so you will need to reload or reopen the shell for the change to take effect.

Compatibility with AWS SDKs

The following SDKs support the features and settings described in this topic. Any partial exceptions are noted. Any JVM system property settings are supported by the AWS SDK for Java and the AWS SDK for Kotlin only.

SDK Supported Notes or more information
AWS CLI v2 Yes
SDK for C++ Yes
SDK for Go V2 (1.x) Yes
SDK for Go 1.x (V1) Yes To use shared config file settings, you must turn on loading from the config file; see Sessions.
SDK for Java 2.x Yes
SDK for Java 1.x Partial JVM system properties: Use com.amazonaws.sdk.disableEc2MetadataV1 instead of aws.disableEc2MetadataV1; aws.ec2MetadataServiceEndpoint and aws.ec2MetadataServiceEndpointMode not supported.
SDK for JavaScript 3.x Yes
SDK for JavaScript 2.x Yes
SDK for Kotlin Yes Does not use IMDSv1 fallback.
SDK for .NET 3.x Yes
SDK for PHP 3.x Yes
SDK for Python (Boto3) Yes
SDK for Ruby 3.x Yes
SDK for Rust Yes Does not use IMDSv1 fallback.
SDK for Swift Yes
Tools for PowerShell Yes You can disable IMDSv1 fallback explicitly in code using [Amazon.Util.EC2InstanceMetadata]::EC2MetadataV1Disabled = $true.