Use the base64-encoded signature to verify the instance identity document - Amazon Elastic Compute Cloud
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Use the base64-encoded signature to verify the instance identity document

This topic explains how to verify the instance identity document using the base64-encoded signature and the Amazon RSA public certificate.

To validate the instance identity document using the base64-encoded signature and the Amazon RSA public certificate
  1. Connect to the instance.

  2. Retrieve the base64-encoded signature from the instance metadata, convert it to binary, and add it to a file named signature. Use one of the following commands depending on the IMDS version used by the instance.

    IMDSv2
    $ TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` \
    && curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/dynamic/instance-identity/signature | base64 -d >> signature
    IMDSv1
    $ curl -s http://169.254.169.254/latest/dynamic/instance-identity/signature | base64 -d >> signature
  3. Retrieve the plaintext instance identity document from the instance metadata and add it to a file named document. Use one of the following commands depending on the IMDS version used by the instance.

    IMDSv2
    $ TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` \
    && curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/dynamic/instance-identity/document >> document
    IMDSv1
    $ curl -s http://169.254.169.254/latest/dynamic/instance-identity/document >> document
  4. Find the RSA public certificate for your Region in Amazon public certificates and add the contents to a new file named certificate.

  5. Extract the public key from the Amazon RSA public certificate and save it to a file named key.

    $ openssl x509 -pubkey -noout -in certificate >> key
  6. Use the OpenSSL dgst command to verify the instance identity document.

    $ openssl dgst -sha256 -verify key -signature signature document

    If the signature is valid, the Verification successful message appears.

    The command also writes the contents of the instance identity document to a new file named document. You can compare the contents of the instance identity document from the instance metadata with the contents of this file using the following commands.

    $ openssl dgst -sha256 < document
    $ curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/dynamic/instance-identity/document | openssl dgst -sha256

    If the signature cannot be verified, contact Amazon Web Services Support.
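The following script is an added example and is not part of the Amazon documentation or of any Amazon tooling. It wraps steps 5 and 6 above (extract the public key from the certificate, then run openssl dgst -sha256 -verify) in a function and exercises it offline. Because neither a real instance nor the Amazon RSA public certificate is available when running it locally, make_fixture() generates a throwaway self-signed certificate and signs a constructed document with its private key; that certificate, the document contents, and the function names are all assumptions of this example, not values from the page. The demo also checks the failure mode: a copy of the document with one field changed must be rejected.

```shell
#!/bin/sh
# Added example, not from the AWS page: verifies an instance identity document
# against its detached RSA-SHA256 signature the way steps 5 and 6 do.

# verify_identity_document CERT SIGNATURE DOCUMENT
# Returns 0 when SIGNATURE validates over DOCUMENT under the key in CERT,
# 1 otherwise. Mirrors steps 5-6 of the procedure.
verify_identity_document() {
    cert="$1"; sig="$2"; doc="$3"
    key="$(mktemp)"
    # Step 5: pull the public key out of the X.509 certificate.
    openssl x509 -pubkey -noout -in "$cert" > "$key" || { rm -f "$key"; return 1; }
    # Step 6: verify the detached signature over the document.
    if openssl dgst -sha256 -verify "$key" -signature "$sig" "$doc" >/dev/null 2>&1; then
        rm -f "$key"; return 0
    fi
    rm -f "$key"; return 1
}

# make_fixture DIR
# Constructed stand-in for what an instance would fetch from IMDS and for the
# Amazon certificate: writes DIR/certificate (hypothetical self-signed cert),
# DIR/document (constructed JSON) and DIR/signature (binary signature).
make_fixture() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example-signer" \
        -keyout "$dir/signer.key" -out "$dir/certificate" >/dev/null 2>&1
    cat > "$dir/document" <<'EOF'
{
  "accountId" : "123456789012",
  "imageId" : "ami-00000000000000000",
  "instanceId" : "i-00000000000000000",
  "region" : "us-east-1"
}
EOF
    # IMDS serves the signature base64-encoded; emulate that round-trip so the
    # binary file is produced the same way step 2 of the page produces it.
    openssl dgst -sha256 -sign "$dir/signer.key" "$dir/document" | base64 > "$dir/signature.b64"
    base64 -d < "$dir/signature.b64" > "$dir/signature"
}

# run_demo: returns 0 only if the genuine document verifies AND a tampered copy
# (one field changed) is rejected, i.e. the check actually detects modification.
run_demo() {
    dir="$(mktemp -d)"
    make_fixture "$dir"
    if verify_identity_document "$dir/certificate" "$dir/signature" "$dir/document"; then
        genuine=yes
    else
        genuine=no
    fi
    sed 's/us-east-1/us-west-2/' "$dir/document" > "$dir/document.tampered"
    if verify_identity_document "$dir/certificate" "$dir/signature" "$dir/document.tampered"; then
        tampered=yes
    else
        tampered=no
    fi
    rm -rf "$dir"
    [ "$genuine" = yes ] && [ "$tampered" = no ]
}

# Usage: run the demo and report the outcome.
if run_demo; then
    echo "genuine document verified; tampered copy rejected"
else
    echo "demo FAILED" >&2
fi
```

On a real instance you would skip make_fixture and point verify_identity_document at the certificate file from step 4 and the signature and document files from steps 2 and 3; the function's exit status then carries the same information as the Verification successful message.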