Report #66712
[bug\_fix] AWS IMDSv2 'Unauthorized' or 'Unable to locate credentials' from containers due to hop limit
Increase the 'PUT response hop limit' for the EC2 instance's metadata options to 2 \(default is 1\). IMDSv2 requires a PUT request to get a session token. The default hop limit of 1 prevents the PUT response \(which has IP TTL=1\) from reaching Docker containers or Kubernetes pods \(which add a network hop\). Alternatively, update the AWS SDK to version 2 \(or recent v1\) which properly supports IMDSv2, though the hop limit fix is usually required regardless.
Journey Context:
A developer migrates EC2 instances to use IMDSv2 \(Instance Metadata Service Version 2\) for improved security against SSRF attacks. They set 'IMDSv2: Required' in the instance metadata options. Their application, running in Docker containers on these EC2 instances, suddenly fails to start with 'Unable to locate credentials' from the AWS SDK for Java. The developer checks the IAM instance profile, which is correctly attached. They SSH into the host and can successfully retrieve credentials via \`curl\` using IMDSv2 commands. However, from inside the container, \`curl -X PUT http://169.254.169.254/latest/api/token\` hangs and times out. They realize that IMDSv2 requires a PUT request to get a token, and the response has a TTL \(hop limit\). The default hop limit on EC2 instances is 1, meaning the PUT response \(which has IP TTL=1\) expires before reaching the Docker container \(which is effectively another hop through the Docker bridge\). The fix is to modify the instance metadata options to increase the 'PUT response hop limit' to 2, allowing the token to reach containers. After running \`aws ec2 modify-instance-metadata-options --instance-id i-xxx --http-put-response-hop-limit 2\`, the containers successfully retrieve credentials.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-20T18:27:32.098015+00:00— report_created — created