eignhpants

Reputation: 1771

AWS ec2 describe-instances without having to use credentials

Is it possible to get AWS instance info, local to the instance, without using credentials? I know the command line tool can do it, but it needs credentials. There are also the metadata commands, but those don't seem to return Tags, which is what I need.

I thought there was a way to curl an IP and get back JSON, but I can't find it.

Upvotes: 0

Views: 1231

Answers (3)

jarmod

Reputation: 78860

It is not possible to retrieve tags directly from within the EC2 instance via the local metadata service as the metadata service does not know the tags. You have (at least) two options:

  1. launch the instance with an IAM role (or somehow provide other credentials to the instance) that includes permission to call ec2:DescribeTags and then retrieve the tags dynamically - you'll need the instance ID for this and you can get that from the metadata service
  2. if the tags are known at launch time and are not going to change after launch, you could simply pass them into the EC2 instance as part of the userdata (e.g. as environment variables or written to a text file at launch).

Upvotes: 1
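
Option 1 from the answer above, as an added shell example that is not part of any answer on this page: the instance ID and region come from the metadata service (IMDSv2 session-token flow), and the AWS CLI signs the `ec2:DescribeTags` call with the instance role's temporary credentials. It assumes the AWS CLI is installed and the attached role grants `ec2:DescribeTags`; the function names are illustrative.

```sh
#!/bin/sh
# Added example (not from any answer): print this instance's tags using the
# attached IAM role instead of keys on the command line.
# Assumptions: AWS CLI installed, role allows ec2:DescribeTags, IMDSv2 enabled.

IMDS="http://169.254.169.254/latest"

# IMDSv2: obtain a short-lived session token with a PUT request.
imds_token() {
  curl -sf --max-time 2 -X PUT "$IMDS/api/token" \
    -H "X-aws-ec2-metadata-token-ttl-seconds: 60"
}

# GET one metadata path, presenting the session token.
imds_get() {
  _tok=$(imds_token) || return 1
  curl -sf --max-time 2 -H "X-aws-ec2-metadata-token: $_tok" "$IMDS/meta-data/$1"
}

# Accept only "i-" plus 8 or 17 lowercase hex digits, so nothing else
# ever reaches the CLI filter string.
valid_instance_id() {
  _hex=${1#i-}
  [ "i-$_hex" = "$1" ] || return 1
  case "$_hex" in
    "" | *[!0-9a-f]*) return 1 ;;
  esac
  [ "${#_hex}" -eq 8 ] || [ "${#_hex}" -eq 17 ]
}

# Print "Key<TAB>Value" for every tag on the current instance.
# The CLI picks up the role's temporary credentials from the metadata service.
instance_tags() {
  _id=$(imds_get instance-id) || { echo "metadata service unreachable" >&2; return 1; }
  valid_instance_id "$_id" || { echo "unexpected instance id" >&2; return 1; }
  _region=$(imds_get placement/region) || return 1
  aws ec2 describe-tags --region "$_region" \
    --filters "Name=resource-id,Values=$_id" \
    --query 'Tags[].[Key,Value]' --output text
}

# Only touch the network when asked to: sh instance-tags.sh --run
if [ "${1:-}" = "--run" ]; then
  instance_tags
fi
```

Scoping the role to `ec2:DescribeTags` alone keeps the temporary credentials served by the metadata service from being useful for anything beyond reading tags.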

bwight

Reputation: 3310

Yes, you can get the EC2 instance tags without credentials. You do this using the EC2 Roles / Profiles for the EC2 instance. I know that this has already been mentioned, but I'd like to expand on this a little. Technically, you're not actually doing anything without credentials. Credentials are always involved unless you're just making queries to the metadata.

What Boto and other similar frameworks do is they query the ec2 instance metadata to get the credentials for the role. Just replace the last part s3access with the name of the profile / role.

curl http://169.254.169.254/latest/meta-data/iam/security-credentials/s3access

Returns

{
  "Code" : "Success",
  "LastUpdated" : "2012-04-26T16:39:16Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "AKIAIOSFODNN7EXAMPLE",
  "SecretAccessKey" : "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
  "Token" : "token",
  "Expiration" : "2012-04-27T22:39:16Z"
}

This response includes the access credentials required to make the API request. When the credentials expire the framework will request a new set of credentials using the same method and repeat this process as many times as necessary.

I highly recommend using a framework, because making the requests directly to the REST API requires that you perform the authentication yourself. If that's the direction you decide to go, here are some more resources to help you out.

Signature Version 2

Describe Tags API

Upvotes: 0

Chris Heald

Reputation: 62688

Unfortunately, you'll need credentials to retrieve tags. I do this by creating an IAM user that only has the ec2:Describe* role; it can then enumerate the instances in your account and retrieve their tags, with ec2-describe-tags or similar.

You can use the metadata API to retrieve the current instance ID, then pass that to ec2-describe-tags to retrieve the tags for the current instance:

ec2-describe-tags -O YOUR_IAM_KEY -W YOUR_IAM_SECRET --filter="resource-id=`curl -s http://169.254.169.254/latest/meta-data/instance-id`"

Upvotes: 0
