When we move an EC2 instance from one subnet to another or to another availability zone the EC2 Metadata Service stops working on the instance. We get the error message:
Unable to get IAM security credentials from EC2 Instance Metadata Service.
To enable the EC2 Metadata Service again, we need to update the routing configuration on the instance. Follow the steps at
As a summary:
Check the Gateway Address matches the IP address range of the subnet. In a PowerShell window execute:
route print Persistent Routes: Network Address Netmask Gateway Address Metric 169.254.169.254 255.255.255.255 10.254.79.1 15
It should belong to the IPv4 CIDR of the subnet
If the Gateway Address does not belong to the IP address range of the subnet
- Confirm that the latest version of EC2Config (Windows Server 2012R2 and earlier) or EC2Launch (Windows Server 2016 or later) is installed on the instance.
- To apply the route to the instance, restart the EC2Config service (on Windows Server 2012R2 and earlier), or run the following command from an elevated PowerShell session (on Windows Server 2016 or later):
Import-Module c:\ProgramData\Amazon\EC2-Windows\Launch\Module\Ec2Launch.psm1 ; Add-Routes