I was able to solve this issue by increasing the HTTP PUT response hop limit. It is mentioned ever so briefly in the Amazon Docs (https://aws.amazon.com/blogs/security/get-the-full-benefits-of-imdsv2-and-disable-imdsv1-across-your-aws-infrastructure/)
If you’re using container services (such as ECS or EKS), you might need a bigger hop limit to help avoid falling back to IMDSv1. You can use the modify-instance-metadata-options launch parameter to make the change. We recommend testing with a hop limit of three in container environments.
By increasing the hop limit from 1 to 2, the container successfully builds using IMDSv2. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-imagebuilder-infrastructureconfiguration-instancemetadataoptions.html#cfn-imagebuilder-infrastructureconfiguration-instancemetadataoptions-httpputresponsehoplimit
When your Image Builder pipeline runs, it sends HTTP requests to launch EC2 instances for building and testing your image. To configure the version of IMDS (Instance Metadata Service) that your pipeline uses for these launch requests, set the httpTokens parameter in your Image Builder infrastructure configuration instance metadata settings. Keep in mind that enabling IMDSv2 on output AMIs must be done after-the-fact using a ModifyImageAttribute call.
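The answer above gives the fix (keep httpTokens at required and raise the PUT response hop limit on the Image Builder infrastructure configuration) and notes that output AMIs must be flagged for IMDSv2 separately. The script below is an added example, not code from this thread or from AWS: the infrastructure configuration ARN, instance profile name and AMI ID are placeholders, and the two JSON snippets are constructed to look like the relevant part of a get-infrastructure-configuration response. It applies the setting with the AWS CLI, audits the configuration for the two values that matter, and checks from inside a build container that the IMDSv2 token round-trip works and that a plain IMDSv1 GET is refused.

```shell
#!/bin/sh
# Added example (not from the original thread). Placeholders: the ARN,
# instance profile name and AMI ID passed as arguments; SAMPLE_* JSON is
# constructed, not real CLI output.
set -eu

IMDS="http://169.254.169.254"

# Why the hop limit matters: the IMDSv2 token is fetched with a PUT whose
# response TTL is httpPutResponseHopLimit. A container on the docker0 bridge is
# one hop further from IMDS than the host, so with the default of 1 the
# response is dropped, the SDK falls back to IMDSv1, and with httpTokens=required
# that fallback is refused: no credentials for the build. 2 is the minimum for
# a container build; AWS recommends 3 for container environments.

# Audit helper: return 0 only if the JSON says httpTokens=required and the hop
# limit is at least $2 (default 2). Works on the output of
# `aws imagebuilder get-infrastructure-configuration`.
check_imds_options() {
    json="$1"
    min_hops="${2:-2}"
    tokens=$(printf '%s' "$json" | grep -o '"httpTokens": *"[a-z]*"' | sed 's/.*"\([a-z]*\)"$/\1/')
    hops=$(printf '%s' "$json" | grep -o '"httpPutResponseHopLimit": *[0-9]*' | sed 's/[^0-9]//g')
    [ "$tokens" = "required" ] || return 1
    [ -n "$hops" ] || return 1          # unset means the EC2 default of 1
    [ "$hops" -ge "$min_hops" ] || return 1
    return 0
}

# Apply the fix to an existing infrastructure configuration.
# $1 = configuration ARN, $2 = instance profile name, $3 = hop limit (default 2)
harden_infra_config() {
    aws imagebuilder update-infrastructure-configuration \
        --infrastructure-configuration-arn "$1" \
        --instance-profile-name "$2" \
        --instance-metadata-options "httpTokens=required,httpPutResponseHopLimit=${3:-2}"
}

# Run inside the build container: prove the token PUT gets its answer back,
# that the instance profile credentials are listed, and that IMDSv1 is off.
verify_from_container() {
    token=$(curl -sSf -X PUT "$IMDS/latest/api/token" \
        -H "X-aws-ec2-metadata-token-ttl-seconds: 300") || {
        echo "IMDSv2 token PUT failed: hop limit too low or IMDS unreachable" >&2
        return 1
    }
    curl -sSf -H "X-aws-ec2-metadata-token: $token" \
        "$IMDS/latest/meta-data/iam/security-credentials/"
    # Negative check: without a token the request must be refused.
    if curl -sf "$IMDS/latest/meta-data/" >/dev/null; then
        echo "WARNING: IMDSv1 still answers; httpTokens is not 'required'" >&2
        return 1
    fi
}

# Image Builder does not mark the AMIs it produces; set the attribute afterwards
# so instances launched from the output AMI default to IMDSv2. $1 = AMI ID.
require_imdsv2_on_ami() {
    aws ec2 modify-image-attribute --image-id "$1" --imds-support v2.0
}

# Constructed samples (not real output) covering the weak and the fixed state.
SAMPLE_WEAK='{"infrastructureConfiguration": {"instanceMetadataOptions": {"httpTokens": "optional", "httpPutResponseHopLimit": 1}}}'
SAMPLE_FIXED='{"infrastructureConfiguration": {"instanceMetadataOptions": {"httpTokens": "required", "httpPutResponseHopLimit": 2}}}'

# Only act when invoked explicitly; sourcing the file just defines the functions.
#   sh imds.sh harden <config-arn> <instance-profile> [hops]
#   sh imds.sh verify            (from inside the build container)
#   sh imds.sh ami <ami-id>
case "${1:-}" in
    harden)
        harden_infra_config "$2" "$3" "${4:-2}"
        check_imds_options "$(aws imagebuilder get-infrastructure-configuration \
            --infrastructure-configuration-arn "$2")" "${4:-2}" \
            && echo "infrastructure configuration OK" ;;
    verify) verify_from_container ;;
    ami)    require_imdsv2_on_ami "$2" ;;
esac
```

The audit function is the part worth keeping in a pipeline: run it against every infrastructure configuration in the account and fail the build if any still has httpTokens=optional or a hop limit of 1, since "optional" is exactly the setting that makes the symptom disappear while silently re-enabling IMDSv1.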
Look at the docs... https://docs.aws.amazon.com/imagebuilder/latest/userguide/security-best-practices.html https://docs.aws.amazon.com/imagebuilder/latest/userguide/troubleshooting.html
Hello,
The error message indicates that the EC2 instance running the EC2 Image Builder component is unable to obtain the necessary IAM credentials from the EC2 Instance Metadata Service (IMDS). This could be due to several reasons, such as the instance not having an IAM role attached, network issues, or misconfiguration.
Did you attach the IAM role to the infrastructure configuration for EC2 builder? https://docs.aws.amazon.com/imagebuilder/latest/userguide/create-infra-config.html
When your Image Builder pipeline runs, it sends HTTP requests to launch EC2 instances that Image Builder uses to build and test your image. To configure the version of IMDS that your pipeline uses for the launch requests, set the httpTokens parameter in your Image Builder infrastructure configuration instance metadata settings.
https://docs.aws.amazon.com/imagebuilder/latest/userguide/security-best-practices.html
The IAM role being used in the infrastructure configuration does have the proper permissions. When setting IMDSv2 to optional, the pipeline runs as intended. I know where and how to switch this value, but since the best practice is to have IMDSv2 set to required, there should be a way to have the build instance for a container image running with IMDSv2 on. I'm asking for that way.
When building an AMI with IMDSv2 required, I don't have any issues. But when building a container image, I do run into the mentioned issue when IMDSv2 is required. Since it's best practice, there should be a way to have the build instance running with IMDSv2 enabled.