Closed leonblueconic closed 3 years ago
100% agree as I'm facing the same issue. It's near impossible to audit for metadata v1 usage with all the noise the SSM Agent is producing.
Thanks for reaching out to us. We will work on this request soon.
A fix for this has been merged in agent release 3.0.431.0.
In order to see which instances are ready to be switched to IMDSv2, you can use the `MetadataNoToken` CloudWatch metric and make sure no one is still using the metadata service without a token. As the amazon-ssm-agent still tries to access the metadata service without a token first, these will show up in the metric first, making the metric basically pointless. I feel it would make sense to switch the calls in `agent/platform/instance_metadata.go` function `ReadResource` to first try `readResourceFromMetaDataV2` and then `readResourceFromMetaDataV1`.
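The ordering requested in this issue, as an added example (not the agent's code and not written by anyone in the thread): a client that asks for an IMDSv2 session token first and sends a tokenless v1-style GET only if that fails, run against a constructed fake metadata endpoint that counts tokenless GETs the way `MetadataNoToken` would. The names `call`, `readResource` and `probe`, the fake server and its `i-constructed` response are assumptions made for the illustration; the token path and the two header names are the standard IMDSv2 ones.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"sync/atomic"
)

// call sends one request carrying a single header and reports ok only for HTTP 200.
func call(method, url, key, val string) (string, bool) {
	req, err := http.NewRequest(method, url, nil)
	if err != nil {
		return "", false
	}
	req.Header.Set(key, val)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "", false
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err == nil && resp.StatusCode == http.StatusOK
}

// readResource (hypothetical) tries IMDSv2 first; the tokenless v1 GET is sent only if that fails.
func readResource(base, path string) (string, bool) {
	if token, ok := call(http.MethodPut, base+"/latest/api/token", "X-aws-ec2-metadata-token-ttl-seconds", "21600"); ok {
		if body, ok := call(http.MethodGet, base+path, "X-aws-ec2-metadata-token", token); ok {
			return body, true
		}
	}
	return call(http.MethodGet, base+path, "Accept", "*/*") // no token header: v1-style request
}

// probe runs readResource against a constructed fake IMDS and returns the body plus the
// number of tokenless GETs the fake saw (the requests MetadataNoToken counts).
func probe(v2 bool) (body string, noToken int32) {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodGet && r.Header.Get("X-aws-ec2-metadata-token") == "" {
			atomic.AddInt32(&noToken, 1)
		} else if r.Method == http.MethodPut && !v2 {
			w.WriteHeader(http.StatusForbidden) // fake endpoint without token support
		}
		fmt.Fprint(w, "i-constructed")
	}))
	defer srv.Close()
	body, _ = readResource(srv.URL, "/latest/meta-data/instance-id")
	return body, atomic.LoadInt32(&noToken)
}
func main() { fmt.Println(probe(true)) }
```

With the token-first order, a tokenless request reaches the endpoint only when the token request fails, so a non-zero count points at a caller that really depends on v1.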