Unable to SSH into AWS EC2 instance with instance metadata turned off
I am not able to SSH into an EC2 instance if it is launched with the instance metadata service turned off:

    ec2.runInstances({
      ...
      MetadataOptions: {
        HttpEndpoint: 'disabled'
      }
    })
This however is not an issue if I launch with the MetadataOptions enabled and disable it with a modify-instance-metadata-options call after the instance has finished starting up. Is this documented behaviour? I couldn't find it explicitly mentioned in the documentation anywhere.

Note - this is not a security group, Network ACL, etc. issue.
I noticed this too. It seems that disabling IMDS breaks all of the following:

- The authorized_keys file for the default user (i.e. root or ubuntu) is not populated, because the EC2 Key Pair is normally provided in instance metadata.
- [...] available at http://instance-data.:8773, but this is unavailable when IMDS is disabled.

Therefore, if your desire is to disable IMDS from the moment of launch, it seems the only viable workaround is to create your own AMI that has your own configuration (i.e. SSH authorized_keys) baked into it. Packer is commonly used for building AMIs in this way.
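The launch-then-disable sequence described in the question, as an added example that is not part of the original post or of the AWS SDK: it launches with the metadata endpoint enabled but restricted to IMDSv2, waits for the instance to come up so cloud-init can read the key pair, and only then disables IMDS. The `ec2` client is assumed to be an AWS SDK v2 EC2 client; `FakeEc2`, the instance id and `ami-placeholder` are constructed stand-ins so the flow runs offline.

```javascript
// Example added here, not from the original post. `ec2` is assumed to be an
// AWS SDK v2 EC2 client (promise-style calls); FakeEc2 below is a constructed
// stand-in that records the call order so the flow can be exercised offline.

async function launchThenDisableImds(ec2, launchParams) {
  // 1. Keep the endpoint on for the boot window, but require IMDSv2 tokens and
  //    a hop limit of 1 so the window is as narrow as the launch allows.
  const run = await ec2.runInstances({
    ...launchParams,
    MetadataOptions: { HttpEndpoint: 'enabled', HttpTokens: 'required', HttpPutResponseHopLimit: 1 },
  }).promise();
  const instanceId = run.Instances[0].InstanceId;

  // 2. Wait until the instance passes its status checks; by then cloud-init has
  //    normally already read the key pair from IMDS (an assumption, not a guarantee).
  await ec2.waitFor('instanceStatusOk', { InstanceIds: [instanceId] }).promise();

  // 3. Disable the endpoint and check that the change was accepted.
  const mod = await ec2.modifyInstanceMetadataOptions({ InstanceId: instanceId, HttpEndpoint: 'disabled' }).promise();
  const opts = mod.InstanceMetadataOptions;
  if (opts.HttpEndpoint !== 'disabled') {
    throw new Error(`IMDS still enabled on ${instanceId} (state ${opts.State})`);
  }
  return { instanceId, httpEndpoint: opts.HttpEndpoint, httpTokens: opts.HttpTokens };
}

// Constructed stand-in for the three SDK calls used above; records call order.
class FakeEc2 {
  constructor() { this.calls = []; this.imds = {}; }
  _result(name, value) { this.calls.push(name); return { promise: async () => value }; }
  runInstances(params) {
    this.imds = { ...params.MetadataOptions, State: 'applied' };
    return this._result('runInstances', { Instances: [{ InstanceId: 'i-0constructed' }] });
  }
  waitFor(state) { return this._result(`waitFor:${state}`, {}); }
  modifyInstanceMetadataOptions(params) {
    this.imds = { ...this.imds, HttpEndpoint: params.HttpEndpoint, State: 'pending' };
    return this._result('modifyInstanceMetadataOptions', { InstanceId: params.InstanceId, InstanceMetadataOptions: this.imds });
  }
}

// Runs the sequence against the fake client and returns the result plus call order.
function demoOffline(ec2 = new FakeEc2()) {
  return launchThenDisableImds(ec2, { ImageId: 'ami-placeholder', InstanceType: 't3.micro', MinCount: 1, MaxCount: 1 })
    .then(result => ({ result, calls: ec2.calls }));
}

demoOffline().then(out => console.log(JSON.stringify(out)));
```

With a real client, pass `new AWS.EC2({ region })` in place of the fake; the waiter is the point at which the key pair must already have been consumed, so lengthen it if your AMI's cloud-init runs late.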