Teh__docco

Reputation: 435

SSM agent fails working on EC2 post IMDSv2

I'm on a Windows server. I had to relaunch an instance from a snapshot of another instance that might have been in a different availability zone. One other change is that I've enabled IMDSv2 on the EC2 by updating the launch configuration earlier while creating the new instance.

The SSM Agent on this instance is failing with this error -

caused by: Get "http://169.254.169.254/latest/meta-data/instance-id": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
2023-03-08 05:29:34 ERROR [newAgentIdentityInner @ identity_selector.go.99] Agent failed to assume any identity
2023-03-08 05:29:34 ERROR [NewAgentIdentity @ identity_selector.go.112] failed to find identity, retrying: failed to find agent identity
2023-03-08 05:29:41 ERROR [NewEC2Identity @ ec2_identity.go.281] [EC2Identity] failed to get identity instance id. Error: RequestError: send request failed

I don't have access to the EC2 on the CLI, so I cannot use the ec2 describe-instance CLI command mentioned in "Use SSM Agent logs to troubleshoot issues in your managed instance" to check if instance metadata is enabled. I know it was. And there isn't any proxy required.

This issue on GitHub is somewhat similar to mine but I don't understand what I need to do to fix this.

Upvotes: 6

Views: 9620

Answers (1)

Teh__docco

Reputation: 435

I actually found my answer. As mentioned in this video by Amazon, the routes for 169.254.169.254 were pointing to the incorrect gateway of the different subnet.

This issue was resolved by running Import-Module C:\ProgramData\Amazon\EC2-Windows\Launch\Module\Ec2Launch.psm1; Add-Routes on PowerShell as administrator.

Upvotes: 12
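
A read-only check for the condition described in the answer above, as an added example that is not part of the original post: it compares the next hop of the 169.254.169.254 host route with the instance's current default gateway, then tries an IMDSv2 token request with a short timeout. Variable names are illustrative, and it assumes an elevated PowerShell session on the instance.

```powershell
# Added example: read-only diagnostic, run from an elevated PowerShell session.
$imds = '169.254.169.254'

# Gateways the instance currently uses for its default route(s).
$defaultGateways = @(Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty NextHop -Unique)

# Host route(s) for the metadata address. A next hop that is not one of the
# current default gateways is the wrong-gateway case from the answer.
$imdsRoutes = @(Get-NetRoute -DestinationPrefix "$imds/32" -ErrorAction SilentlyContinue)
if ($imdsRoutes.Count -eq 0) {
    Write-Output "No host route for $imds; traffic follows the default route."
}
foreach ($route in $imdsRoutes) {
    [pscustomobject]@{
        Destination     = $route.DestinationPrefix
        NextHop         = $route.NextHop
        InterfaceAlias  = $route.InterfaceAlias
        DefaultGateways = $defaultGateways -join ', '
        MatchesGateway  = $defaultGateways -contains $route.NextHop
    }
}

# IMDSv2 probe: request a session token, then read the same path the SSM Agent
# log shows timing out. The 5-second timeout keeps a broken route from hanging.
try {
    $token = Invoke-RestMethod -Method Put -Uri "http://$imds/latest/api/token" `
        -Headers @{ 'X-aws-ec2-metadata-token-ttl-seconds' = '60' } -TimeoutSec 5
    $instanceId = Invoke-RestMethod -Uri "http://$imds/latest/meta-data/instance-id" `
        -Headers @{ 'X-aws-ec2-metadata-token' = $token } -TimeoutSec 5
    Write-Output "IMDSv2 reachable, instance-id: $instanceId"
} catch {
    Write-Output "IMDSv2 request failed: $($_.Exception.Message)"
}
```

A MatchesGateway value of False corresponds to the situation the answer describes, where the route still points at another subnet's gateway.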
