
Unable to SSH into AWS EC2 instance with instance metadata turned off

I am not able to SSH into an EC2 instance if it is launched with the instance metadata service turned off.

ec2.runInstances({
  ...
  MetadataOptions: {
    HttpEndpoint: 'disabled'
  }
})

This however is not an issue if I launch with the MetadataOptions enabled and disable it with a modify-instance-metadata-options call after the instance has finished starting up. Is this documented behaviour? I couldn't find it explicitly mentioned in the documentation anywhere.

Note - this is not a security group, Network ACL, etc issue.
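The launch-then-disable sequence mentioned in the question, as an added example (not code from the original post): launch with the endpoint enabled so the key pair and user data can be fetched, wait for the instance to finish starting up, then call ModifyInstanceMetadataOptions. It assumes an AWS SDK v2 EC2 client; the `fakeEc2` client, `i-0fake` id and the ami/key names are constructed placeholders so it runs offline.

```javascript
// Launch with IMDS on, wait for first boot, then switch the endpoint off (the
// question's workaround). `ec2` is an AWS SDK v2 EC2 client (new AWS.EC2({ region }))
// or anything exposing the same methods; each call is used in its `.promise()` form.
async function launchThenDisableImds(ec2, launch, { sleepMs = 5000, maxPolls = 60 } = {}) {
  // 1. Endpoint enabled so cloud-init can fetch the key pair and user data;
  //    require IMDSv2 session tokens for the window in which it is reachable.
  const run = await ec2.runInstances({
    ...launch,
    MetadataOptions: { HttpEndpoint: 'enabled', HttpTokens: 'required', HttpPutResponseHopLimit: 1 },
  }).promise();
  const instanceId = run.Instances[0].InstanceId;
  // 2. Poll until running with status checks passing (proxy for "finished starting up").
  let ready = false;
  for (let i = 0; i < maxPolls && !ready; i++) {
    const st = await ec2.describeInstanceStatus({ InstanceIds: [instanceId] }).promise();
    const s = st.InstanceStatuses[0]; // empty while the instance is still pending
    ready = Boolean(s) && s.InstanceState.Name === 'running' && s.InstanceStatus.Status === 'ok';
    if (!ready) await new Promise((r) => setTimeout(r, sleepMs));
  }
  if (!ready) throw new Error(`instance ${instanceId} never passed status checks`);
  // 3. Keys and user data are already on the box; now turn the endpoint off.
  const mod = await ec2.modifyInstanceMetadataOptions({ InstanceId: instanceId, HttpEndpoint: 'disabled' }).promise();
  return { instanceId, metadataOptions: mod.InstanceMetadataOptions };
}

// Constructed fake client (not the SDK) with the real response shapes, so the call
// ordering can be exercised offline. Instance id and statuses are made up.
function fakeEc2(pollsUntilOk = 2) {
  const calls = [];
  let polls = 0;
  const reply = (v) => ({ promise: () => Promise.resolve(v) });
  return {
    calls,
    runInstances(p) { calls.push(['runInstances', p]); return reply({ Instances: [{ InstanceId: 'i-0fake' }] }); },
    describeInstanceStatus(p) {
      calls.push(['describeInstanceStatus', p]);
      const status = ++polls >= pollsUntilOk ? 'ok' : 'initializing';
      return reply({ InstanceStatuses: [{ InstanceState: { Name: 'running' }, InstanceStatus: { Status: status } }] });
    },
    modifyInstanceMetadataOptions(p) {
      calls.push(['modifyInstanceMetadataOptions', p]);
      return reply({ InstanceId: p.InstanceId, InstanceMetadataOptions: { State: 'pending', HttpEndpoint: p.HttpEndpoint } });
    },
  };
}

// Stand-alone run against the fake; ImageId/KeyName are placeholders.
launchThenDisableImds(fakeEc2(), { ImageId: 'ami-PLACEHOLDER', InstanceType: 't3.micro', KeyName: 'KEY-PLACEHOLDER',
  MinCount: 1, MaxCount: 1 }, { sleepMs: 0 }).then((r) => console.log(r.instanceId, r.metadataOptions));
```

Status checks passing is only an approximation of cloud-init having finished; on a real instance, confirm the key was installed before disabling the endpoint.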

I noticed this too. It seems that disabling IMDS breaks all of the following:

  • SSH access is broken; the authorized_keys file for the default user (i.e. root or ubuntu) is not populated because the EC2 Key Pair is normally provided in instance metadata.
  • Cloud-init/Cloud-config (aka "userdata") do not run. The user data is normally made available at http://instance-data.:8773 but this is unavailable when IMDS is disabled.

Therefore, if your desire is to disable IMDS from the moment of launch, it seems the only viable workaround is to create your own AMI that has your own configuration (i.e. SSH authorized_keys) baked into it. Packer is commonly used for building AMIs in this way.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM