Please note, when uploading EKS logs by executing the SSM document AWSSupport-CollectEKSInstanceLogs. Currently the SSM document requires the EC2 instance to use Metadata v1, when the recommended security best practice is to use Metadata v2 whenever possible.
You can confirm that the instance requires Metadata v2 by running:
aws ec2 describe-instances --instance-ids <Instance ID> | grep HttpTokens
When IMDSv2 is required, you must send a session token with any instance metadata retrieval requests.
In this state, retrieving the IAM role credentials always returns IMDSv2 credentials; IMDSv1 credentials are not available.
You need to follow a workaround in order to run the SSM document targeting instances which requires Metadata v2 ,
Select the automation AWSSupport-CollectEKSInstanceLogs
Click in Actions -> Clone Document
Replace the line:
"region=$(curl -s http://169.254.169.254/latest/meta-data/placement/availability-zone | sed 's/\\(.*\\)[a-z]/\\1/')",
"imds_token=$(curl -X PUT \"http://169.254.169.254/latest/api/token\" -H \"X-aws-ec2-metadata-token-ttl-seconds: 360\")",
"region=$(curl -H \"X-aws-ec2-metadata-token: $imds_token\" -f -s --max-time 10 --retry 5 http://169.254.169.254/latest/meta-data/placement/region)",
Click in Create Automation Execute the new Automation Copy-AWSSupport-CollectEKSInstanceLogs
I can confirm there is already a issue opened to EKS Service Team to update the SSM document AWSSupport-CollectEKSInstanceLogs to use IMDSv2 and I reinforced other customers are requesting this to be fixed.
Thank you for your comment. We'll review and update the Knowledge Center article as needed.
- Generate specific parameters to appear in SNS email notification in CloudWatch Alarm for a Log GroupAccepted Answerasked 9 months ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 2 months ago
- AWS OFFICIALUpdated 3 months ago
- AWS OFFICIALUpdated a year ago