
Unable to SSH into AWS EC2 instance with instance metadata turned off

I am not able to SSH into an EC2 instance if it is launched with the instance metadata service turned off.

ec2.runInstances({
  ...
  MetadataOptions: {
    HttpEndpoint: 'disabled'
  }
})

This, however, is not an issue if I launch with the MetadataOptions enabled and disable it with a modify-instance-metadata-options call after the instance has finished starting up. Is this documented behaviour? I couldn't find it explicitly mentioned in the documentation anywhere.

Note - this is not a security group, Network ACL, etc. issue.

I noticed this too. It seems that disabling IMDS breaks all of the following:

  • SSH access is broken; the authorized_keys file for the default user (i.e. root or ubuntu) is not populated because the EC2 Key Pair is normally provided in instance metadata.
  • Cloud-init/Cloud-config (aka "userdata") do not run. The user data is normally made available at http://instance-data.:8773 but this is unavailable when IMDS is disabled.

Therefore, if your desire is to disable IMDS from the moment of launch, it seems the only viable workaround is to create your own AMI that has your own configuration (i.e. SSH authorized_keys) baked into it. Packer is commonly used for building AMIs in this way.
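The launch-then-lock-down sequence the question describes (IMDS enabled at launch so cloud-init can pull the key pair and user data, then modify-instance-metadata-options once the instance has booted), written out as an added example; it is not code from the question, the answer, or AWS. It assumes the AWS SDK for JavaScript calling convention (an `ec2` object whose `runInstances`, `describeInstanceStatus` and `modifyInstanceMetadataOptions` methods return promises), and the function names `buildLaunchParams`, `buildLockdownParams`, `hasBooted`, `launchThenDisableImds` and `makeFakeEc2` are mine. The fake client and the `i-0example` / `ami-0example` identifiers are constructed so the flow can be exercised offline.

```javascript
// Added example (not from the original post). Launch with IMDS *enabled* so
// first boot can fetch the key pair and user data, wait until the instance
// has booted, then switch the metadata endpoint off.
//
// Assumption: `ec2` is any object whose runInstances / describeInstanceStatus /
// modifyInstanceMetadataOptions methods return promises resolving to the usual
// EC2 API response shapes. With AWS SDK v2 that is `(p) => client.runInstances(p).promise()`;
// with v3, `(p) => client.send(new RunInstancesCommand(p))`.

// Launch parameters. IMDS stays on so cloud-init can populate authorized_keys,
// but only IMDSv2 session tokens are accepted and the hop limit of 1 keeps
// containers on the host from reaching the endpoint during the window.
function buildLaunchParams({ imageId, instanceType, keyName, subnetId }) {
  return {
    ImageId: imageId,
    InstanceType: instanceType,
    KeyName: keyName,
    SubnetId: subnetId,
    MinCount: 1,
    MaxCount: 1,
    MetadataOptions: {
      HttpEndpoint: 'enabled',
      HttpTokens: 'required',
      HttpPutResponseHopLimit: 1,
    },
  };
}

// Parameters for the post-boot lockdown: the endpoint itself is switched off.
function buildLockdownParams(instanceId) {
  return { InstanceId: instanceId, HttpEndpoint: 'disabled' };
}

function sleep(ms) { return new Promise((resolve) => setTimeout(resolve, ms)); }

// True once EC2 reports the instance running with both status checks passing.
// DescribeInstanceStatus omits pending instances by default, so an empty
// InstanceStatuses list simply means "not booted yet". This is a heuristic for
// "finished starting up": it does not prove cloud-init has completed.
function hasBooted(statusResponse) {
  const s = (statusResponse.InstanceStatuses || [])[0];
  return Boolean(s
    && s.InstanceState && s.InstanceState.Name === 'running'
    && s.InstanceStatus && s.InstanceStatus.Status === 'ok'
    && s.SystemStatus && s.SystemStatus.Status === 'ok');
}

async function launchThenDisableImds(ec2, launchSpec, { pollMs = 15000, maxPolls = 40 } = {}) {
  const run = await ec2.runInstances(buildLaunchParams(launchSpec));
  const instanceId = run.Instances[0].InstanceId;

  for (let i = 0; i < maxPolls; i++) {
    const status = await ec2.describeInstanceStatus({ InstanceIds: [instanceId] });
    if (hasBooted(status)) {
      await ec2.modifyInstanceMetadataOptions(buildLockdownParams(instanceId));
      return { instanceId, imdsDisabled: true, polls: i + 1 };
    }
    await sleep(pollMs);
  }
  // Give up explicitly rather than leave the endpoint on silently; the caller
  // decides whether to terminate the instance or retry.
  return { instanceId, imdsDisabled: false, polls: maxPolls };
}

// Constructed stand-in for the EC2 client so the flow runs offline: it reports
// "running / ok" from the `bootAfter`-th status poll onwards and records calls.
function makeFakeEc2(bootAfter) {
  const calls = [];
  let polls = 0;
  return {
    calls,
    async runInstances(p) {
      calls.push(['runInstances', p]);
      return { Instances: [{ InstanceId: 'i-0example' }] };
    },
    async describeInstanceStatus(p) {
      calls.push(['describeInstanceStatus', p]);
      polls += 1;
      const ok = polls >= bootAfter;
      return { InstanceStatuses: ok ? [{
        InstanceState: { Name: 'running' },
        InstanceStatus: { Status: 'ok' },
        SystemStatus: { Status: 'ok' },
      }] : [] };
    },
    async modifyInstanceMetadataOptions(p) {
      calls.push(['modifyInstanceMetadataOptions', p]);
      return { InstanceId: p.InstanceId };
    },
  };
}

// Offline demo against the fake client (constructed identifiers).
launchThenDisableImds(makeFakeEc2(2),
  { imageId: 'ami-0example', instanceType: 't3.micro', keyName: 'my-key', subnetId: 'subnet-0example' },
  { pollMs: 0 }).then((result) => console.log(result));
```

The lockdown is only applied once the instance reports running with both status checks passing; if that never happens within `maxPolls`, the function returns `imdsDisabled: false` instead of pretending the endpoint is off, so the caller can terminate or retry. Because "status checks ok" does not guarantee cloud-init has finished, a production version should wait for an explicit completion signal (for example, a marker written by the user data script) before calling modify-instance-metadata-options.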
