Instance MetaData Service (IMDS)

Enable IMDSv2

  1. Modify the EC2 instance
    aws ec2 modify-instance-metadata-options \
      --instance-id <instance_id> \
      --http-endpoint enabled

  2. To let containers running on the EC2 instance reach the metadata endpoint, raise the PUT response hop limit to 2
    aws ec2 modify-instance-metadata-options \
      --instance-id <instance_id> \
      --http-put-response-hop-limit 2 \
      --http-endpoint enabled
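
To confirm the result of the commands above across a fleet, this added example (not part of the original page) audits the `MetadataOptions` block that `aws ec2 describe-instances` returns for each instance. An instance whose `HttpTokens` is not `required` still answers token-less IMDSv1 requests. The sample JSON and the finding labels are constructed for this example.

```python
import json

# Constructed sample shaped like `aws ec2 describe-instances` output
# (instance IDs are placeholders, not values from the page).
SAMPLE = json.loads("""
{"Reservations": [{"Instances": [
  {"InstanceId": "i-0000000000000000a", "MetadataOptions": {"State": "applied",
    "HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
  {"InstanceId": "i-0000000000000000b", "MetadataOptions": {"State": "applied",
    "HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 2}},
  {"InstanceId": "i-0000000000000000c", "MetadataOptions": {"State": "applied",
    "HttpEndpoint": "disabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
  {"InstanceId": "i-0000000000000000d", "MetadataOptions": {"State": "pending",
    "HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1}}
]}]}
""")


def audit_instance(instance):
    """Return a list of finding labels (names chosen for this example)."""
    opts = instance.get("MetadataOptions")
    if not opts:
        return ["no-metadata-options"]  # cannot assess; surface it for review
    if opts.get("HttpEndpoint") == "disabled":
        return []  # IMDS is off, so neither v1 nor v2 is reachable
    findings = []
    if opts.get("HttpTokens") != "required":
        findings.append("imdsv1-allowed")  # token-less GETs are still answered
    if opts.get("HttpPutResponseHopLimit", 1) > 1:
        findings.append("hop-limit-gt-1")  # containers on the host can get tokens
    if opts.get("State") != "applied":
        findings.append("change-pending")  # requested options not yet in effect
    return findings


def audit(describe_output):
    """Map instance ID -> findings for every instance with at least one."""
    report = {}
    for reservation in describe_output.get("Reservations", []):
        for instance in reservation.get("Instances", []):
            findings = audit_instance(instance)
            if findings:
                report[instance.get("InstanceId", "<unknown>")] = findings
    return report


if __name__ == "__main__":
    for instance_id, findings in audit(SAMPLE).items():
        print(instance_id, ", ".join(findings))
```

To run it against a real account, pass the parsed JSON from `aws ec2 describe-instances` to `audit()` in place of `SAMPLE`.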

Using Metadata Service v2 (IMDSv2)

  1. Get Token
    TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")

  2. Use the token to list the top-level metadata
    curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/

  3. To get IAM credentials
    curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance

Using Older IMDSv1

Get instance details

$ curl http://169.254.169.254/latest/dynamic/instance-identity/
document
pkcs7
rsa2048

$ curl http://169.254.169.254/latest/dynamic/instance-identity/document/
{
  "privateIp" : "10.158.53.60",
  "devpayProductCodes" : null,
  "marketplaceProductCodes" : null,
  "version" : "2017-09-30",
  "instanceType" : "m5.large",
  "architecture" : "x86_64",
  "imageId" : "ami-0a2abab4107669c1b",
  "billingProducts" : null,
  "instanceId" : "i-0adf3edbe291b04e9",
  "accountId" : "428561211631",
  "availabilityZone" : "us-west-2a",
  "kernelId" : null,
  "ramdiskId" : null,
  "pendingTime" : "2019-01-26T04:12:52Z",
  "region" : "us-west-2"
}

Get userdata of an EC2 Instance

$ curl http://169.254.169.254/latest/user-data

Get the IAM Credentials

# curl 169.254.169.254/latest/meta-data/iam/info/
{
  "Code" : "Success",
  "LastUpdated" : "2020-02-26T19:05:44Z",
  "InstanceProfileArn" : "arn:aws:iam::123102502338:instance-profile/PHC-USW2-DS-TEST-012019053001083099870000000a",
  "InstanceProfileId" : "AIPARZKL3DXBL5PPWES6A"
}

# curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/
ROLE-PHC-USW2-DS-TEST-01-K8S-CICD-POD

# curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/ROLE-PHC-USW2-DS-TEST-01-K8S-CICD-POD

Metadata

$ curl http://169.254.169.254/latest/meta-data/    
ami-id
ami-launch-index
ami-manifest-path
block-device-mapping/
events/
hostname
iam/
instance-action
instance-id
instance-type
local-hostname
local-ipv4
mac
metrics/
network/
placement/
profile
public-hostname
public-ipv4
public-keys/
reservation-id
security-groups
services/