aws / amazon-ssm-agent

An agent to enable remote management of your EC2 instances, on-premises servers, or virtual machines (VMs).
https://aws.amazon.com/systems-manager/
Apache License 2.0

Switch to trying IMDSv2 first #319

Closed leonblueconic closed 3 years ago

leonblueconic commented 3 years ago

In order to see which instances are ready to be switched to IMDSv2 you can use the MetadataNoToken CloudWatch metric and make sure no one is still using the metadata service without a token. As the amazon-ssm-agent still tries to access the metadata service without a token first, these will show up in the metric first, making the metric basically pointless. I feel it would make sense to switch the calls in agent/platform/instance_metadata.go function ReadResource to first try readResourceFromMetaDataV2 and then readResourceFromMetaDataV1.
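The v2-first order proposed above, as an added example that is not the agent's own code: a constructed fake metadata endpoint, a small request helper, and a ReadResource that obtains a session token before any read and falls back to a token-less IMDSv1 GET only when the token request fails. The fake's NoTokenGets counter stands in for the MetadataNoToken metric; the endpoint, the token value and the instance id are constructed, not real.

```go
package main

import "fmt"
import "io"
import "net/http"
import "net/http/httptest"

// NoTokenGets counts token-less reads against the fake: what MetadataNoToken counts on EC2.
var NoTokenGets int

// NewFakeIMDS is a constructed stand-in for IMDS, not real EC2: it always serves instance-id
// and issues a session token only when issuesTokens is true (404 otherwise, via the mux).
func NewFakeIMDS(issuesTokens bool) *httptest.Server {
	mux := http.NewServeMux()
	if issuesTokens {
		mux.HandleFunc("/latest/api/token", func(w http.ResponseWriter, _ *http.Request) { io.WriteString(w, "constructed-session-token") })
	}
	mux.HandleFunc("/latest/meta-data/instance-id", func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("X-aws-ec2-metadata-token") == "" {
			NoTokenGets++ // a token-less read: exactly the noise the issue describes
		}
		io.WriteString(w, "i-0123456789abcdef0") // constructed sample instance id
	})
	return httptest.NewServer(mux)
}

// call sends one request with the given headers and returns the body; non-200 is an error.
func call(method, url string, hdr http.Header) (string, error) {
	req, _ := http.NewRequest(method, url, nil)
	req.Header = hdr
	resp, err := http.DefaultClient.Do(req) // production code would also set a short timeout
	if err != nil {
		return "", err
	}
	body, err := io.ReadAll(resp.Body)
	resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("%s %s: HTTP %d", method, url, resp.StatusCode)
	}
	return string(body), err
}

// ReadResource is the v2-first order the issue asks for: token, then a token-bearing read;
// a token-less IMDSv1 GET happens only if v2 fails, so v2-capable hosts add no metric noise.
func ReadResource(base, path string) (string, string, error) {
	if tok, err := call(http.MethodPut, base+"/latest/api/token", http.Header{"X-aws-ec2-metadata-token-ttl-seconds": {"21600"}}); err == nil {
		if v, err := call(http.MethodGet, base+path, http.Header{"X-aws-ec2-metadata-token": {tok}}); err == nil {
			return v, "v2", nil
		}
	}
	v, err := call(http.MethodGet, base+path, http.Header{}) // plain IMDSv1 GET, last resort
	return v, "v1", err
}
```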

rjenks commented 3 years ago

100% agree as I'm facing the same issue. It's near impossible to audit for metadata v1 usage with all the noise the SSM Agent is producing.

VishnuKarthikRavindran commented 3 years ago

Thanks for reaching out to us. We will work on this request soon.

Thor-Bjorgvinsson commented 3 years ago

A fix for this has been merged in agent release 3.0.431.0