fix: Pass token to metadata service requests.

close: #476

template/eip.tpl

@@ -6,5 +6,5 @@ python3 get-pip.py --user
 export PATH=~/.local/bin:$PATH
 
 pip install aws-ec2-assign-elastic-ip
-export AWS_DEFAULT_REGION=$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/document | grep region | awk -F\" '{print $4}')
+export AWS_DEFAULT_REGION=$(curl -s -H "X-aws-ec2-metadata-token: $token" http://169.254.169.254/latest/dynamic/instance-identity/document | grep region | awk -F\" '{print $4}')
 /usr/local/bin/aws-ec2-assign-elastic-ip --valid-ips ${eip}

template/logging.tpl

@@ -33,11 +33,11 @@ initial_position = start_of_file
 EOF
 
 # Set the region to send CloudWatch Logs data to (the region where the instance is located)
-region=$(curl -s 169.254.169.254/latest/dynamic/instance-identity/document | jq -r .region)
+region=$(curl -s -H "X-aws-ec2-metadata-token: $token" http://169.254.169.254/latest/dynamic/instance-identity/document | jq -r .region)
 sed -i -e "s/region = us-east-1/region = $region/g" /etc/awslogs/awscli.conf
 
 # Replace instance id.
-instanceId=$(curl -s 169.254.169.254/latest/dynamic/instance-identity/document | jq -r .instanceId)
+instanceId=$(curl -s -H "X-aws-ec2-metadata-token: $token" http://169.254.169.254/latest/dynamic/instance-identity/document | jq -r .instanceId)
 sed -i -e "s/{instanceId}/$instanceId/g" /etc/awslogs/awslogs.conf
 
 if grep -q ':2$' /etc/system-release-cpe  ; then

template/user-data.tpl

@@ -10,6 +10,8 @@ tee /etc/hosts <<EOL
 127.0.0.1   localhost localhost.localdomain $(hostname)
 EOL
 
+token=$(curl -f -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 300")
+
 ${eip}
 
 for i in {1..7}; do