diff --git a/SOURCES/bz1905587-aws-add-imdsv2-support.patch b/SOURCES/bz1905587-aws-add-imdsv2-support.patch
new file mode 100644
index 0000000..09772cc
--- /dev/null
+++ b/SOURCES/bz1905587-aws-add-imdsv2-support.patch
@@ -0,0 +1,97 @@
+From 8f10d0eb1e33d38ab6e89015a903620c54edd7c1 Mon Sep 17 00:00:00 2001
+From: Oyvind Albrigtsen
+Date: Fri, 13 Nov 2020 16:36:20 +0100
+Subject: [PATCH] AWS agents: add support for IMDSv2
+
+---
+ heartbeat/aws-vpc-move-ip | 5 +++--
+ heartbeat/aws-vpc-route53.in | 3 ++-
+ heartbeat/awseip | 9 +++++----
+ heartbeat/awsvip | 7 ++++---
+ 4 files changed, 14 insertions(+), 10 deletions(-)
+
+diff --git a/heartbeat/aws-vpc-move-ip b/heartbeat/aws-vpc-move-ip
+index 72a89ecb1..cbb629b00 100755
+--- a/heartbeat/aws-vpc-move-ip
++++ b/heartbeat/aws-vpc-move-ip
+@@ -215,7 +215,8 @@ ec2ip_validate() {
+ return $OCF_ERR_CONFIGURED
+ fi
+
+- EC2_INSTANCE_ID="$(curl -s http://169.254.169.254/latest/meta-data/instance-id)"
++ TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
++ EC2_INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id -H "X-aws-ec2-metadata-token: $TOKEN")
+
+ if [ -z "${EC2_INSTANCE_ID}" ]; then
+ ocf_exit_reason "Instance ID not found. Is this a EC2 instance?"
+@@ -329,7 +330,7 @@ ec2ip_get_instance_eni() {
+ fi
+ ocf_log debug "MAC address associated with interface ${OCF_RESKEY_interface}: ${MAC_ADDR}"
+
+- cmd="curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC_ADDR}/interface-id"
++ cmd="curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC_ADDR}/interface-id -H \"X-aws-ec2-metadata-token: $TOKEN\""
+ ocf_log debug "executing command: $cmd"
+ EC2_NETWORK_INTERFACE_ID="$(eval $cmd)"
+ rc=$?
+diff --git a/heartbeat/aws-vpc-route53.in b/heartbeat/aws-vpc-route53.in
+index b06b93726..4fb17019b 100644
+--- a/heartbeat/aws-vpc-route53.in
++++ b/heartbeat/aws-vpc-route53.in
+@@ -347,7 +347,8 @@ r53_monitor() {
+ _get_ip() {
+ case $OCF_RESKEY_ip in
+ local|public)
+- IPADDRESS="$(curl -s http://169.254.169.254/latest/meta-data/${OCF_RESKEY_ip}-ipv4)";;
++ TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
++ IPADDRESS=$(curl -s http://169.254.169.254/latest/meta-data/${OCF_RESKEY_ip}-ipv4 -H "X-aws-ec2-metadata-token: $TOKEN");;
+ *.*.*.*)
+ IPADDRESS="${OCF_RESKEY_ip}";;
+ esac
+diff --git a/heartbeat/awseip b/heartbeat/awseip
+index 445a03666..de1967774 100755
+--- a/heartbeat/awseip
++++ b/heartbeat/awseip
+@@ -149,12 +149,12 @@ awseip_start() {
+ awseip_monitor && return $OCF_SUCCESS
+
+ if [ -n "${PRIVATE_IP_ADDRESS}" ]; then
+- NETWORK_INTERFACES_MACS="$(curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/)"
++ NETWORK_INTERFACES_MACS=$(curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/ -H "X-aws-ec2-metadata-token: $TOKEN")
+ for MAC in ${NETWORK_INTERFACES_MACS}; do
+- curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC}/local-ipv4s |
++ curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC}/local-ipv4s -H "X-aws-ec2-metadata-token: $TOKEN" |
+ grep -q "^${PRIVATE_IP_ADDRESS}$"
+ if [ $? -eq 0 ]; then
+- NETWORK_ID="$(curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC}/interface-id)"
++ NETWORK_ID=$(curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC}/interface-id -H "X-aws-ec2-metadata-token: $TOKEN")
+ fi
+ done
+ $AWSCLI --profile $OCF_RESKEY_profile ec2 associate-address \
+@@ -244,7 +244,8 @@ AWSCLI="${OCF_RESKEY_awscli}"
+ ELASTIC_IP="${OCF_RESKEY_elastic_ip}"
+ ALLOCATION_ID="${OCF_RESKEY_allocation_id}"
+ PRIVATE_IP_ADDRESS="${OCF_RESKEY_private_ip_address}"
+-INSTANCE_ID="$(curl -s http://169.254.169.254/latest/meta-data/instance-id)"
++TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
++INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id -H "X-aws-ec2-metadata-token: $TOKEN")
+
+ case $__OCF_ACTION in
+ start)
+diff --git a/heartbeat/awsvip b/heartbeat/awsvip
+index 3eb31e6ae..8050107e8 100755
+--- a/heartbeat/awsvip
++++ b/heartbeat/awsvip
+@@ -206,9 +206,10 @@ esac
+
+ AWSCLI="${OCF_RESKEY_awscli}"
+ SECONDARY_PRIVATE_IP="${OCF_RESKEY_secondary_private_ip}"
+-INSTANCE_ID="$(curl -s http://169.254.169.254/latest/meta-data/instance-id)"
+-MAC_ADDRESS="$(curl -s http://169.254.169.254/latest/meta-data/mac)"
+-NETWORK_ID="$(curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC_ADDRESS}/interface-id)"
++TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
++INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id -H "X-aws-ec2-metadata-token: $TOKEN")
++MAC_ADDRESS=$(curl -s http://169.254.169.254/latest/meta-data/mac -H "X-aws-ec2-metadata-token: $TOKEN")
++NETWORK_ID=$(curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC_ADDRESS}/interface-id -H "X-aws-ec2-metadata-token: $TOKEN")
+
+ case $__OCF_ACTION in
+ start)
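Review bot: The `TOKEN=$(curl -X PUT ...)` lines added to aws-vpc-move-ip, aws-vpc-route53.in, awseip and awsvip are never checked, and neither they nor the metadata requests that follow pass `-f`. When the token request fails or the token is rejected, curl still prints the HTTP error body, so `EC2_INSTANCE_ID`, `INSTANCE_ID`, `MAC_ADDRESS` and `NETWORK_ID` can end up holding error text, which the existing `[ -z "${EC2_INSTANCE_ID}" ]` test in ec2ip_validate will not catch. I would fetch the token with `TOKEN=$(curl -sf -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")`, stop with an OCF error when it is empty, and add `-f` to the other calls; the `-s` also keeps curl's progress meter out of the agent's stderr. In ec2ip_get_instance_eni the token is interpolated into `cmd`, which `ocf_log debug` writes out before `eval` re-parses it, so calling curl directly there would keep the token out of the debug log. The enclosing functions start and end outside the inner hunks shown here.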
diff --git a/SPECS/resource-agents.spec b/SPECS/resource-agents.spec index 4b87092..126d567 100644 --- a/SPECS/resource-agents.spec +++ b/SPECS/resource-agents.spec @@ -70,7 +70,7 @@ Name: resource-agents Summary: Open Source HA Reusable Cluster Resource Scripts Version: 4.1.1 -Release: 68%{?rcver:%{rcver}}%{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}%{?dist} +Release: 68%{?rcver:%{rcver}}%{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}%{?dist}.1 License: GPLv2+ and LGPLv2+ URL: https://github.com/ClusterLabs/resource-agents %if 0%{?fedora} || 0%{?centos_version} || 0%{?rhel} @@ -236,6 +236,7 @@ Patch144: bz1845574-azure-events-2-import-urlerror-encode-postdata.patch Patch145: bz1846733-gcp-vpc-move-vip-1-support-multiple-alias-ips.patch Patch146: bz1846733-gcp-vpc-move-vip-2-fix-list-sort.patch Patch147: bz1850778-azure-lb-fix-redirect-issue.patch +Patch148: bz1905587-aws-add-imdsv2-support.patch # bundle patches Patch1000: 7-gcp-bundled.patch @@ -532,6 +533,7 @@ exit 1 %patch145 -p1 %patch146 -p1 %patch147 -p1 +%patch148 -p1 chmod 755 heartbeat/nova-compute-wait chmod 755 heartbeat/NovaEvacuate @@ -1095,6 +1097,11 @@ ccs_update_schema > /dev/null 2>&1 ||: %endif %changelog +* Wed Dec 9 2020 Oyvind Albrigtsen - 4.1.1-68.1 +- AWS agents: add support for IMDSv2 + + Resolves: rhbz#1905587 + * Thu Aug 20 2020 Oyvind Albrigtsen - 4.1.1-68 - azure-lb: fix redirect issue