Expose IMDS Client Command

[commiterate]

Describe the feature

Expose a command for IMDS requests (e.g. aws imds get --path /latest/user-data) which automatically handles IMDS session token fetching + caching.

Use Case

Shell scripts are often used to set up EC2 instances manually (e.g. via SSH or SSM sessions) or automatically (e.g. EC2 user data scripts, CodeDeploy Agent hooks, SSM documents). They are also used for simple on-instance EC2 Auto Scaling lifecycle hook daemons (e.g. systemd service units).

These may need to fetch data from IMDS (e.g. user data, auto scaling target lifecycle state).

Today, this requires using curl to manually fetch IMDS session tokens for use in subsequent get requests.

Proposed Solution

The AWS SDKs implement an IMDS client. This is used to support IMDS region + credentials providers.

Some AWS SDKs expose the IMDS client to let users make IMDS calls without having to worry about fetching + caching session tokens. For example:

• AWS SDK for Go v2
• AWS SDK for Java 2.x
• AWS SDK for Ruby v3
• AWS SDK for Rust 0.x (via aws_config 1.x)

The idea is to do the same for the AWS SDK for Python (boto) and the AWS CLI.

1. Update botocore to make the IMDSFetcher or a similar class expose a general-purpose public get() method.
2. Add a CLI for the general-purpose public get() method.

Tangent: Rather than manually write an IMDS client in all AWS SDKs, is there a Smithy (or its internal predecessor) model describing IMDS which can be fed into the Smithy code generators?

This would probably need a new Smithy protocol like aws.protocols#imds2.

(cc: @mtdowling)

Other Information

No response

Acknowledgements

• I may be able to implement this feature request
• This feature might incur a breaking change

CLI version used

2.*

Environment details (OS name and version, etc.)

All