Reputation: 3
I am looking for information on how I can query the AWS API without configuring the AWS CLI in an EC2 instance. Actually, I want to automatically create GRE tunnels on instances in the same subnet. To do that, in each EC2 instance I need to "discover" the other EC2 instances that are members of this subnet, but I don't want to configure secrets in the AWS CLI to do so. I know I can use:
aws ec2 describe-network-interfaces --filters "Name=subnet-id,Values=${SUBNET}" "Name=status,Values=in-use"
It returns all ENIs from the subnet my EC2 instance is a member of. However, to be able to do that, I have to run aws configure on each instance, and I don't want to transmit secrets. Is there another way to do that?
Thanks in advance
Upvotes: 0
Views: 30
Reputation: 179194
EC2 instance IAM roles have been available for many years, for exactly this purpose, and do not require any secrets to be stored on the instance. The aws-cli uses them automatically if configured on the instance. The assigned instance role needs the necessary permissions to make the API requests you want to make.
There is no way to access the service APIs without some kind of credentials. Instance roles provide automatically-rotated, time-limited, temporary credentials to each instance with the role assigned.
Note also that aws ec2 describe-network-interfaces will also return interfaces for things that aren't instances, if you have them, like load balancers, RDS, and EFS endpoints.
Upvotes: 1
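As an added example (not part of the question or the answer above), the script below shows the post-processing side of the answer's caveat: it takes the JSON that aws ec2 describe-network-interfaces prints and keeps only the ENIs that are actually attached to EC2 instances, dropping the requester-managed ones that belong to load balancers, RDS or EFS. The instance IDs, ENI IDs and addresses in SAMPLE_RESPONSE are constructed for illustration; the instance role policy shown in MINIMAL_ROLE_POLICY is the single permission the CLI call needs. On an instance with a role attached, the CLI and SDKs pick up the role's temporary credentials from the instance metadata service on their own, so nothing here requires aws configure.

```python
"""Filter `aws ec2 describe-network-interfaces` output down to instance ENIs.

Added example, not code from the original question or answer. Usage on an
instance with an IAM role (credentials come from instance metadata):

    aws ec2 describe-network-interfaces \
        --filters "Name=subnet-id,Values=$SUBNET" "Name=status,Values=in-use" \
        | python3 peers.py

Run without piped input, it processes the constructed sample below.
"""
import json
import sys

# Least-privilege policy for the instance role. ec2:DescribeNetworkInterfaces
# does not support resource-level restrictions, so Resource must be "*".
MINIMAL_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:DescribeNetworkInterfaces", "Resource": "*"}
    ],
}

# Constructed sample mimicking the CLI's JSON output. All identifiers and
# addresses are made up; the shapes match the real response fields.
SAMPLE_RESPONSE = {
    "NetworkInterfaces": [
        {   # ENI attached to an EC2 instance (this could be "us")
            "NetworkInterfaceId": "eni-0aaaaaaaaaaaaaaa1",
            "SubnetId": "subnet-0123456789abcdef0",
            "Status": "in-use",
            "InterfaceType": "interface",
            "PrivateIpAddress": "10.0.1.10",
            "RequesterManaged": False,
            "Attachment": {"InstanceId": "i-0aaaaaaaaaaaaaaa1", "Status": "attached"},
        },
        {   # ENI attached to another EC2 instance in the same subnet
            "NetworkInterfaceId": "eni-0bbbbbbbbbbbbbbb2",
            "SubnetId": "subnet-0123456789abcdef0",
            "Status": "in-use",
            "InterfaceType": "interface",
            "PrivateIpAddress": "10.0.1.11",
            "RequesterManaged": False,
            "Attachment": {"InstanceId": "i-0bbbbbbbbbbbbbbb2", "Status": "attached"},
        },
        {   # Load balancer ENI: AWS-owned, no InstanceId in the attachment
            "NetworkInterfaceId": "eni-0ccccccccccccccc3",
            "Description": "ELB app/example-alb/0123456789abcdef",
            "Status": "in-use",
            "PrivateIpAddress": "10.0.1.20",
            "RequesterManaged": True,
            "Attachment": {"Status": "attached"},
        },
        {   # RDS ENI
            "NetworkInterfaceId": "eni-0ddddddddddddddd4",
            "Description": "RDSNetworkInterface",
            "Status": "in-use",
            "PrivateIpAddress": "10.0.1.30",
            "RequesterManaged": True,
            "Attachment": {"Status": "attached"},
        },
        {   # EFS mount target ENI
            "NetworkInterfaceId": "eni-0eeeeeeeeeeeeeee5",
            "Description": "EFS mount target for fs-0123456789abcdef0",
            "Status": "in-use",
            "PrivateIpAddress": "10.0.1.40",
            "RequesterManaged": True,
            "Attachment": {"Status": "attached"},
        },
    ]
}


def instance_peers(response, self_instance_id=None):
    """Return {instance_id: private_ip} for ENIs attached to EC2 instances.

    An ENI is treated as an instance ENI only when its Attachment carries an
    InstanceId and it is not RequesterManaged (the AWS-owned ENIs behind
    ELB, RDS and EFS have no InstanceId and are requester-managed). The
    caller's own instance, if given, is left out so the result is the set
    of tunnel peers.
    """
    peers = {}
    for eni in response.get("NetworkInterfaces", []):
        attachment = eni.get("Attachment") or {}
        instance_id = attachment.get("InstanceId")
        if not instance_id or eni.get("RequesterManaged"):
            continue
        if instance_id == self_instance_id:
            continue
        peers[instance_id] = eni["PrivateIpAddress"]
    return peers


if __name__ == "__main__":
    data = SAMPLE_RESPONSE if sys.stdin.isatty() else json.load(sys.stdin)
    # On a real instance, pass your own instance ID (e.g. read from IMDS)
    # as the second argument to exclude yourself from the peer list.
    print(json.dumps(instance_peers(data), indent=2))
```

The filter keys on Attachment.InstanceId plus RequesterManaged rather than on Description strings, because the descriptions of AWS-managed ENIs are free text that has changed over time, while an ENI that is attached to an instance always carries the instance ID.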