diff --git a/backport-AWS-agents-reuse-IMDS-token-until-it-expires-issue-1.patch b/backport-AWS-agents-reuse-IMDS-token-until-it-expires-issue-1.patch
new file mode 100644
index 0000000000000000000000000000000000000000..be974fc6741a0575c6e25cea3aa2787775f2d456
--- /dev/null
+++ b/backport-AWS-agents-reuse-IMDS-token-until-it-expires-issue-1.patch
@@ -0,0 +1,267 @@
+From bfad7ecd6f968c35544dc1d115c32d9730d63267 Mon Sep 17 00:00:00 2001
+From: harshkiprofile <83770157+harshkiprofile@users.noreply.github.com>
+Date: Wed, 6 Nov 2024 14:54:43 +0530
+Subject: [PATCH] AWS agents: reuse IMDS token until it expires (issue #1990)
+ (#1991)
+
+* Introduce a new shell function to reuse IMDS token
+* Utilize the get_token function to reuse the token
+* Move token renewal function to aws.sh for reuse in AWS agent scripts
+---
+ doc/man/Makefile.am          |  2 +-
+ heartbeat/Makefile.am        |  1 +
+ heartbeat/aws-vpc-move-ip    |  7 ++----
+ heartbeat/aws-vpc-route53.in |  7 ++----
+ heartbeat/aws.sh             | 46 ++++++++++++++++++++++++++++++++++++
+ heartbeat/awseip             |  7 ++----
+ heartbeat/awsvip             |  7 ++----
+ heartbeat/ocf-shellfuncs.in  |  2 +-
+ 8 files changed, 57 insertions(+), 22 deletions(-)
+ create mode 100644 heartbeat/aws.sh
+
+diff --git a/doc/man/Makefile.am b/doc/man/Makefile.am
+index ef7639bf..447f5cba 100644
+--- a/doc/man/Makefile.am
++++ b/doc/man/Makefile.am
+@@ -42,7 +42,7 @@ radir			= $(abs_top_builddir)/heartbeat
+ # required for out-of-tree build
+ symlinkstargets		= \
+ 			  ocf-distro ocf.py ocf-rarun ocf-returncodes \
+-			  findif.sh apache-conf.sh http-mon.sh mysql-common.sh \
++			  findif.sh apache-conf.sh aws.sh http-mon.sh mysql-common.sh \
+ 			  nfsserver-redhat.sh openstack-common.sh ora-common.sh
+ 
+ preptree:
+diff --git a/heartbeat/Makefile.am b/heartbeat/Makefile.am
+index 40984797..8352f3a3 100644
+--- a/heartbeat/Makefile.am
++++ b/heartbeat/Makefile.am
+@@ -218,6 +218,7 @@ ocfcommon_DATA		= ocf-shellfuncs 	\
+ 			  ocf-rarun		\
+ 			  ocf-distro		\
+ 			  apache-conf.sh 	\
++			  aws.sh		\
+ 			  http-mon.sh		\
+ 			  sapdb-nosha.sh	\
+ 			  sapdb.sh		\
+diff --git a/heartbeat/aws-vpc-move-ip b/heartbeat/aws-vpc-move-ip
+index 6115e5ba..3aa9ceb0 100755
+--- a/heartbeat/aws-vpc-move-ip
++++ b/heartbeat/aws-vpc-move-ip
+@@ -33,6 +33,7 @@
+ 
+ : ${OCF_FUNCTIONS_DIR=${OCF_ROOT}/lib/heartbeat}
+ . ${OCF_FUNCTIONS_DIR}/ocf-shellfuncs
++. ${OCF_FUNCTIONS_DIR}/aws.sh
+ 
+ # Defaults
+ OCF_RESKEY_awscli_default="/usr/bin/aws"
+@@ -47,8 +48,6 @@ OCF_RESKEY_interface_default="eth0"
+ OCF_RESKEY_iflabel_default=""
+ OCF_RESKEY_monapi_default="false"
+ OCF_RESKEY_lookup_type_default="InstanceId"
+-OCF_RESKEY_curl_retries_default="3"
+-OCF_RESKEY_curl_sleep_default="1"
+ 
+ : ${OCF_RESKEY_awscli=${OCF_RESKEY_awscli_default}}
+ : ${OCF_RESKEY_auth_type=${OCF_RESKEY_auth_type_default}}
+@@ -62,8 +61,6 @@ OCF_RESKEY_curl_sleep_default="1"
+ : ${OCF_RESKEY_iflabel=${OCF_RESKEY_iflabel_default}}
+ : ${OCF_RESKEY_monapi=${OCF_RESKEY_monapi_default}}
+ : ${OCF_RESKEY_lookup_type=${OCF_RESKEY_lookup_type_default}}
+-: ${OCF_RESKEY_curl_retries=${OCF_RESKEY_curl_retries_default}}
+-: ${OCF_RESKEY_curl_sleep=${OCF_RESKEY_curl_sleep_default}}
+ #######################################################################
+ 
+ 
+@@ -270,7 +267,7 @@ ec2ip_validate() {
+ 		fi
+ 	fi
+ 
+-	TOKEN=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -sX PUT -H 'X-aws-ec2-metadata-token-ttl-seconds: 21600'" "http://169.254.169.254/latest/api/token")
++	TOKEN=$(get_token)
+ 	[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
+ 	EC2_INSTANCE_ID=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/instance-id")
+ 	[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
+diff --git a/heartbeat/aws-vpc-route53.in b/heartbeat/aws-vpc-route53.in
+index eba2ed95..85c8de3c 100644
+--- a/heartbeat/aws-vpc-route53.in
++++ b/heartbeat/aws-vpc-route53.in
+@@ -43,6 +43,7 @@
+ 
+ : ${OCF_FUNCTIONS_DIR=${OCF_ROOT}/lib/heartbeat}
+ . ${OCF_FUNCTIONS_DIR}/ocf-shellfuncs
++. ${OCF_FUNCTIONS_DIR}/aws.sh
+ 
+ # Defaults
+ OCF_RESKEY_awscli_default="/usr/bin/aws"
+@@ -53,8 +54,6 @@ OCF_RESKEY_hostedzoneid_default=""
+ OCF_RESKEY_fullname_default=""
+ OCF_RESKEY_ip_default="local"
+ OCF_RESKEY_ttl_default=10
+-OCF_RESKEY_curl_retries_default="3"
+-OCF_RESKEY_curl_sleep_default="1"
+ 
+ : ${OCF_RESKEY_awscli=${OCF_RESKEY_awscli_default}}
+ : ${OCF_RESKEY_auth_type=${OCF_RESKEY_auth_type_default}}
+@@ -64,8 +63,6 @@ OCF_RESKEY_curl_sleep_default="1"
+ : ${OCF_RESKEY_fullname:=${OCF_RESKEY_fullname_default}}
+ : ${OCF_RESKEY_ip:=${OCF_RESKEY_ip_default}}
+ : ${OCF_RESKEY_ttl:=${OCF_RESKEY_ttl_default}}
+-: ${OCF_RESKEY_curl_retries=${OCF_RESKEY_curl_retries_default}}
+-: ${OCF_RESKEY_curl_sleep=${OCF_RESKEY_curl_sleep_default}}
+ 
+ usage() {
+ 	cat <<-EOT
+@@ -377,7 +374,7 @@ r53_monitor() {
+ _get_ip() {
+ 	case $OCF_RESKEY_ip in
+ 		local|public)
+-			TOKEN=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -sX PUT -H 'X-aws-ec2-metadata-token-ttl-seconds: 21600'" "http://169.254.169.254/latest/api/token")
++			TOKEN=$(get_token)
+ 			[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
+ 			IPADDRESS=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/${OCF_RESKEY_ip}-ipv4")
+ 			[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
+diff --git a/heartbeat/aws.sh b/heartbeat/aws.sh
+new file mode 100644
+index 00000000..c77f93b9
+--- /dev/null
++++ b/heartbeat/aws.sh
+@@ -0,0 +1,46 @@
++#!/bin/sh
++#
++#
++#   AWS Helper Scripts
++#
++#
++
++: ${OCF_FUNCTIONS_DIR=${OCF_ROOT}/lib/heartbeat}
++. ${OCF_FUNCTIONS_DIR}/ocf-shellfuncs
++
++# Defaults
++OCF_RESKEY_curl_retries_default="3"
++OCF_RESKEY_curl_sleep_default="1"
++
++: ${OCF_RESKEY_curl_retries=${OCF_RESKEY_curl_retries_default}}
++: ${OCF_RESKEY_curl_sleep=${OCF_RESKEY_curl_sleep_default}}
++
++# Function to enable reusable IMDS token retrieval for efficient repeated access 
++# File to store the token and timestamp
++TOKEN_FILE="${HA_RSCTMP}/.aws_imds_token"
++TOKEN_LIFETIME=21600  # Token lifetime in seconds (6 hours)
++TOKEN_EXPIRY_THRESHOLD=3600  # Renew token if less than 60 minutes (1 hour) remaining
++
++# Function to fetch a new token
++fetch_new_token() {
++    TOKEN=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -sX PUT -H 'X-aws-ec2-metadata-token-ttl-seconds: $TOKEN_LIFETIME'" "http://169.254.169.254/latest/api/token")
++    echo "$TOKEN $(date +%s)" > "$TOKEN_FILE"
++    echo "$TOKEN"
++}
++
++# Function to retrieve or renew the token
++get_token() {
++    if [ -f "$TOKEN_FILE" ]; then
++        read -r STORED_TOKEN STORED_TIMESTAMP < "$TOKEN_FILE"
++        CURRENT_TIME=$(date +%s)
++        ELAPSED_TIME=$((CURRENT_TIME - STORED_TIMESTAMP))
++
++        if [ "$ELAPSED_TIME" -lt "$((TOKEN_LIFETIME - TOKEN_EXPIRY_THRESHOLD))" ]; then
++            # Token is still valid
++            echo "$STORED_TOKEN"
++            return
++        fi
++    fi
++    # Fetch a new token if not valid
++    fetch_new_token
++}
+\ No newline at end of file
+diff --git a/heartbeat/awseip b/heartbeat/awseip
+index ffb6223a..4b1c3bc6 100755
+--- a/heartbeat/awseip
++++ b/heartbeat/awseip
+@@ -38,6 +38,7 @@
+ 
+ : ${OCF_FUNCTIONS_DIR=${OCF_ROOT}/lib/heartbeat}
+ . ${OCF_FUNCTIONS_DIR}/ocf-shellfuncs
++. ${OCF_FUNCTIONS_DIR}/aws.sh
+ 
+ #######################################################################
+ 
+@@ -49,16 +50,12 @@ OCF_RESKEY_auth_type_default="key"
+ OCF_RESKEY_profile_default="default"
+ OCF_RESKEY_region_default=""
+ OCF_RESKEY_api_delay_default="3"
+-OCF_RESKEY_curl_retries_default="3"
+-OCF_RESKEY_curl_sleep_default="1"
+ 
+ : ${OCF_RESKEY_awscli=${OCF_RESKEY_awscli_default}}
+ : ${OCF_RESKEY_auth_type=${OCF_RESKEY_auth_type_default}}
+ : ${OCF_RESKEY_profile=${OCF_RESKEY_profile_default}}
+ : ${OCF_RESKEY_region=${OCF_RESKEY_region_default}}
+ : ${OCF_RESKEY_api_delay=${OCF_RESKEY_api_delay_default}}
+-: ${OCF_RESKEY_curl_retries=${OCF_RESKEY_curl_retries_default}}
+-: ${OCF_RESKEY_curl_sleep=${OCF_RESKEY_curl_sleep_default}}
+ 
+ meta_data() {
+     cat <<END
+@@ -306,7 +303,7 @@ fi
+ ELASTIC_IP="${OCF_RESKEY_elastic_ip}"
+ ALLOCATION_ID="${OCF_RESKEY_allocation_id}"
+ PRIVATE_IP_ADDRESS="${OCF_RESKEY_private_ip_address}"
+-TOKEN=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -sX PUT -H 'X-aws-ec2-metadata-token-ttl-seconds: 21600'" "http://169.254.169.254/latest/api/token")
++TOKEN=$(get_token)
+ [ $? -ne 0 ] && exit $OCF_ERR_GENERIC
+ INSTANCE_ID=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/instance-id")
+ [ $? -ne 0 ] && exit $OCF_ERR_GENERIC
+diff --git a/heartbeat/awsvip b/heartbeat/awsvip
+index f2b238a0..8c71e7fa 100755
+--- a/heartbeat/awsvip
++++ b/heartbeat/awsvip
+@@ -37,6 +37,7 @@
+ 
+ : ${OCF_FUNCTIONS_DIR=${OCF_ROOT}/lib/heartbeat}
+ . ${OCF_FUNCTIONS_DIR}/ocf-shellfuncs
++. ${OCF_FUNCTIONS_DIR}/aws.sh
+ 
+ #######################################################################
+ 
+@@ -48,16 +49,12 @@ OCF_RESKEY_auth_type_default="key"
+ OCF_RESKEY_profile_default="default"
+ OCF_RESKEY_region_default=""
+ OCF_RESKEY_api_delay_default="3"
+-OCF_RESKEY_curl_retries_default="3"
+-OCF_RESKEY_curl_sleep_default="1"
+ 
+ : ${OCF_RESKEY_awscli=${OCF_RESKEY_awscli_default}}
+ : ${OCF_RESKEY_auth_type=${OCF_RESKEY_auth_type_default}}
+ : ${OCF_RESKEY_profile=${OCF_RESKEY_profile_default}}
+ : ${OCF_RESKEY_region=${OCF_RESKEY_region_default}}
+ : ${OCF_RESKEY_api_delay=${OCF_RESKEY_api_delay_default}}
+-: ${OCF_RESKEY_curl_retries=${OCF_RESKEY_curl_retries_default}}
+-: ${OCF_RESKEY_curl_sleep=${OCF_RESKEY_curl_sleep_default}}
+ 
+ meta_data() {
+     cat <<END
+@@ -266,7 +263,7 @@ if [ -n "${OCF_RESKEY_region}" ]; then
+ 	AWSCLI_CMD="$AWSCLI_CMD --region ${OCF_RESKEY_region}"
+ fi
+ SECONDARY_PRIVATE_IP="${OCF_RESKEY_secondary_private_ip}"
+-TOKEN=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -sX PUT -H 'X-aws-ec2-metadata-token-ttl-seconds: 21600'" "http://169.254.169.254/latest/api/token")
++TOKEN=$(get_token)
+ [ $? -ne 0 ] && exit $OCF_ERR_GENERIC
+ INSTANCE_ID=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/instance-id")
+ [ $? -ne 0 ] && exit $OCF_ERR_GENERIC
+diff --git a/heartbeat/ocf-shellfuncs.in b/heartbeat/ocf-shellfuncs.in
+index 5c4bb326..922c6ea4 100644
+--- a/heartbeat/ocf-shellfuncs.in
++++ b/heartbeat/ocf-shellfuncs.in
+@@ -1110,4 +1110,4 @@ ocf_is_true "$OCF_TRACE_RA" && ocf_start_trace
+ # pacemaker sets HA_use_logd, some others use HA_LOGD :/
+ if ocf_is_true "$HA_use_logd"; then
+ 	: ${HA_LOGD:=yes}
+-fi
++fi
+\ No newline at end of file
+-- 
+2.33.1.windows.1
+
diff --git a/resource-agents.spec b/resource-agents.spec
index 1e0658998f3be00707d1319cf8415cddbb9a3a74..83c65af92aaab5c9492078fae8aa0239101f16e3 100644
--- a/resource-agents.spec
+++ b/resource-agents.spec
@@ -1,13 +1,14 @@
 Name:                resource-agents
 Summary:             Open Source HA Reusable Cluster Resource Scripts
 Version:             4.16.0
-Release:             2
+Release:             3
 License:             GPLv2+ and LGPLv2+
 URL:                 https://github.com/ClusterLabs/resource-agents
 Source0:             https://github.com/ClusterLabs/resource-agents/releases/tag/v%{version}.tar.gz
 Patch0000:           backport-High-storage-mon-Correct-the-timing-of-setting-notif.patch
 Patch0001:           backport-storage_mon-remove-unused-macro-variables-1994.patch
 Patch0002:           backport-Mid-storage-mon-RA-Wait-until-monitor-confirms-the-s.patch
+Patch0003:           backport-AWS-agents-reuse-IMDS-token-until-it-expires-issue-1.patch
 Obsoletes:           heartbeat-resources <= %{version}
 Provides:            heartbeat-resources = %{version}
 BuildRequires:       automake autoconf pkgconfig gcc perl-interpreter perl-generators python3-devel
@@ -105,6 +106,9 @@ export CFLAGS="$(echo '%{optflags}')"
 %{_mandir}/man8/{ocf-tester.8*,ldirectord.8*}
 
 %changelog
+* Fri Dec 06 2024 liupei <liupei@kylinos.cn> - 4.16.0-3
+- AWS agents: reuse IMDS token until it expires
+
 * Fri Nov 22 2024 bixiaoyan <bixiaoyan@kylinos.cn> - 4.16.0-2
 - High: storage-mon: Fixed a bug in storage-mon's daemon mode that delayed the reflection of initial scores, and made it compliant with OCF specifications
 - Storage_mon: remove unused macro variables