IMDSv2 Support

I am writing to inquire about the support of IMDSv2 through instance profiles in Discourse. We are in the process of migrating our service to use IMDSv2, as IMDSv1 is not an secure option.

We would like to understand if Discourse currently supports IMDSv2 through instance profiles and if not, what are the plans to support it in the near future. Additionally, are there any workarounds or patches available that would allow us to use IMDSv2 with Discourse?

It is important for us to ensure that our security requirements are met, and we believe that using temporary credentials through IMDSv2 is a critical aspect of that.

Desired behavior for accessing security credentials provided through the instance profile is

  • An application on the instance retrieves the security credentials provided by the role from the instance metadata item iam/security-credentials/ role-name.
  • The application is granted the permissions for the actions and resources that we have defined for the role through the security credentials associated with the role. These security credentials are temporary and are rotated automatically. We make new credentials available at least five minutes before the expiration of the old credentials.

We have noted that there are differences between the IMDSv1 and IMDSv2 calls.

IMDSv1 call:


While the IMDSv2 call requires the use of a metadata token, and can be made using the following commands:

TOKEN=`curl -X PUT "<>" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` \\\\\\\\
&& curl -H "X-aws-ec2-metadata-token: $TOKEN" -v <>

We would appreciate any information you can provide on how we can use IMDSv2 with Discourse, or if there are any workarounds or patches available.


I’m not aware of any way that Discourse itself uses IMDS. Have you installed Discourse on AWS somehow? Are you somehow using IMDSv1 with Discourse already?

What is your use case?

I found one related code.

This is in the testing spec.

Discourse uses a version of the AWS SDK (3.130.2) above the minimum required to support IMDSv2 and from what I can tell looking at the MetadataNoToken metric in our AWS deployments, we have no calls to IMDSv1.

From what I can tell we’re already using IMDSv2 everywhere.