Instance Metadata Service (IMDS)
Enable IMDSv2
- Modify the EC2 instance
  aws ec2 modify-instance-metadata-options \
      --instance-id <instance_id> \
      --http-endpoint enabled
- To access the metadata endpoint from containers inside the EC2 instance, set the PUT response hop limit to 2
  aws ec2 modify-instance-metadata-options \
      --instance-id <instance_id> \
      --http-put-response-hop-limit 2 \
      --http-endpoint enabled
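To confirm what these commands left in place, the following added example (not from the original page) audits the `MetadataOptions` fields that `aws ec2 describe-instances` reports. Neither command above passes `--http-tokens`, so the check flags instances that still answer token-less IMDSv1 requests and marks a hop limit above 1 for review; the instance IDs in the sample rows are constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): audit EC2 metadata options.
# Input: one instance per line, whitespace-separated, as printed by
#   aws ec2 describe-instances --output text --query \
#     'Reservations[].Instances[].[InstanceId,MetadataOptions.HttpEndpoint,MetadataOptions.HttpTokens,MetadataOptions.HttpPutResponseHopLimit]'
# Output: "<instance-id> <OK|WARN|FAIL> <reason>" per instance.

audit_imds() {
  while read -r id endpoint tokens hops; do
    [ -n "$id" ] || continue                 # skip blank lines
    if [ "$endpoint" = "disabled" ]; then
      echo "$id OK endpoint-disabled"
    elif [ "$tokens" != "required" ]; then
      # HttpTokens is not "required": token-less IMDSv1 requests are answered.
      echo "$id FAIL imdsv1-accepted"
    else
      case "$hops" in
        ''|*[!0-9]*) echo "$id WARN hop-limit-unknown" ;;
        1)           echo "$id OK imdsv2-required" ;;
        *)           echo "$id WARN hop-limit-$hops" ;;  # reachable from containers
      esac
    fi
  done
}

# Exit status 0 when at least one instance on stdin still accepts IMDSv1.
imds_has_failures() {
  audit_imds | grep ' FAIL ' >/dev/null
}

# Constructed sample rows (hypothetical instance IDs), not real CLI output.
SAMPLE_ROWS='i-0aaa0000000000001 enabled optional 1
i-0aaa0000000000002 enabled required 2
i-0aaa0000000000003 enabled required 1
i-0aaa0000000000004 disabled required 1'

# "-" audits rows piped in from the CLI; anything else prints the demo.
case "${1:-}" in
  -) audit_imds ;;
  *) printf '%s\n' "$SAMPLE_ROWS" | audit_imds ;;
esac
```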
Using Metadata Service v2 (IMDSv2)
- Get a token
  TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
- Use the token to list the top-level metadata
  curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/
- To get IAM credentials
  curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance
Using Older IMDSv1
Get instance details
$ curl http://169.254.169.254/latest/dynamic/instance-identity/
document
pkcs7
rsa2048
$ curl http://169.254.169.254/latest/dynamic/instance-identity/document/
{
  "privateIp" : "10.158.53.60",
  "devpayProductCodes" : null,
  "marketplaceProductCodes" : null,
  "version" : "2017-09-30",
  "instanceType" : "m5.large",
  "architecture" : "x86_64",
  "imageId" : "ami-0a2abab4107669c1b",
  "billingProducts" : null,
  "instanceId" : "i-0adf3edbe291b04e9",
  "accountId" : "428561211631",
  "availabilityZone" : "us-west-2a",
  "kernelId" : null,
  "ramdiskId" : null,
  "pendingTime" : "2019-01-26T04:12:52Z",
  "region" : "us-west-2"
}
Get the user data of an EC2 instance
$ curl http://169.254.169.254/latest/user-data
Get the IAM Credentials
# curl 169.254.169.254/latest/meta-data/iam/info/
{
  "Code" : "Success",
  "LastUpdated" : "2020-02-26T19:05:44Z",
  "InstanceProfileArn" : "arn:aws:iam::123102502338:instance-profile/PHC-USW2-DS-TEST-012019053001083099870000000a",
  "InstanceProfileId" : "AIPARZKL3DXBL5PPWES6A"
}
# curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/
ROLE-PHC-USW2-DS-TEST-01-K8S-CICD-POD
# curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/ROLE-PHC-USW2-DS-TEST-01-K8S-CICD-POD
Metadata
$ curl http://169.254.169.254/latest/meta-data/
ami-id
ami-launch-index
ami-manifest-path
block-device-mapping/
events/
hostname
iam/
instance-action
instance-id
instance-type
local-hostname
local-ipv4
mac
metrics/
network/
placement/
profile
public-hostname
public-ipv4
public-keys/
reservation-id
security-groups
services/