I'm trying to find security group ID in metadata, but there is only a name of the group.
The get the name with curl like this:
curl http://169.254.169.254/latest/meta-data/security-groups/
RESULT
some-secgroup-name
I need the ID like this one sg-1234567911
Any Idea how to I find in metadata (whitout CLI)?
You'll need the MAC address of the instance. To obtain that you can do a curl using the metadata url:
http://169.254.169.254/latest/meta-data/mac
Once you have that, you can get the security groups from the network section:
http://169.254.169.254/latest/meta-data/network/interfaces/macs/<your_mac>/security-group-ids
Ref: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories
Related
In the AWS Cloud Environment i have to the get list of all Elastic IPs with instance name and in all region/AZs like eu-west-1 , eu-west-3, ap-south-1, us-east-1 etc..
How this can be achieved via AWS System manager if possible. If not, then do i have to write any other function/code or use other AWS functionality.
I would do it by writing a program (eg in Python) with these steps:
Loop through each (applicable) Region using describe_regions()
Loop through each Elastic IP address using describe_addresses()
Extract the InstanceId and PublicIp from the response
Call describe_instances() for the given InstanceId to obtain a list of Tags. The "instance name" is stored as a Tag with Key = 'Name'
Is there a way to get the Amazon service name which a resource id belongs with boto3?
I would expect something like:
service = client.get_service_name("i-0ff8943bb6c0db21c")
print(service)
OUTPUT:
EC2
or
service = client.get_service_name("subnet-007c14e3ae140c9d9")
print(service)
OUTPUT:
VPC
I dont find a way to get that.
Thanks.
No, there is no API call to translate a Resource ID into a Service Name.
I have a Cloud Formation to set up an EC2 instance. I'm currently using the Parameters to specify the Subnet Id for the EC2 instance as well as the VPC Id for the Security Group (to be used in turn by the EC2 instance).
In my situation the Subnet Id specified is required to be part of the VPC and I'd like to only have to specify the Subnet Id in the Parameters. But I can't find a way to derive the VPC from the Subnet Id (http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-subnet.html)
I see the GetAtt function can be used to return resource attributes. Is there something equivalent to return resource properties?
From the documentation Fn:GetAtt, you can only retrieve AvailabilityZone and Ipv6CidrBlocks details of the Subnet. There is no inbuilt support to get VpcId of the given subnet in CFn Templates.
There is a work-around though. If you are using the aws-cli documentation, you can use the describe-subnets method to fetch the VpcId of the required subnet and pass it as input to the Cloudformation template create_stack call.
This method works even if you are using any SDK. for example, in Java.
//pseudo code only!
DescribeSubnetsRequest request = new DescribeSubnetsRequest();
request.withSubnetIds("subnet-abcdefgh");
DescribeSubnetsResult result = awsClient.describeSubnets(request);
String myVpc = result.getSubnets().get(0).getVpcId();
// add the above VPC Id to the parameters of your Cloud formation template create stack request.
Hope this helps.
I created a small project called cli2cloudformation. Using that you're able to execute cli commands inside your cloudformation stack and use the results of the commands.
Just check it here. I hope it helps you.
I'm setting up an auto-scaling group and to dynamically tag instances, is it possible to auto-increment name tag?
for eg:-
Key: Name Value: Instance-1
Key: Name Value: Instance-2
.
.
.
Key: Name Value: Instance-N
Yes, it possible. But not directly using any AWS functionality.
You have to embed a function where in as the instance is launched by AutoScaling Group a notification (AWS SNS) is triggered and is stored in SQS.
You will have to use a Program/Script which runs on a server and keeps a constant watch on the SQS, get the latest notification and Information regarding the Instance. Then change the Tag Name of the instance using a incremental functionality.
Is it possible to get AWS instance info, local to the instance, without using credentials? I know the command line tool can do it, but it needs credentials. There is also the metadata commands, but those don't seem to return Tags, which is what I need.
I thought there was a way to curl an IP and get back json, but I can't find it.
It is not possible to retrieve tags directly from within the EC2 instance via the local metadata service as the metadata service does not know the tags. You have (at least) two options:
launch the instance with an IAM role (or somehow provide other credentials to the instance) that includes permission to call ec2:DescribeTags and then retrieve the tags dynamically - you'll need the instance ID for this and you can get that from the metadata service
if the tags are known at launch time and are not going to change after launch, you could simply pass them into the EC2 instance as part of the userdata (e.g. as environment variables or written to a text file at launch).
Unfortunately, you'll need credentials to retrieve tags. I do this by creating an IAM user that only has the ec2:Describe* role; it can then enumerate the instances in your account and retrieve their tags, with ec2-describe-tags or similar.
You can use the metadata API to retrieve the current instance ID, then pass that to ec2-describe tags to retrieve the tags for the current instance:
ec2-describe-tags -O YOUR_IAM_KEY -W YOUR_IAM_SECRET --filter="resource-id=`curl -s http://169.254.169.254/latest/meta-data/instance-id`"
Yes you can get the EC2 instance tags without credentials. You do this using the EC2 Roles / Profiles for the EC2 instance. I know that this has already been mentioned but I'd like to expand on this a little. Technically you're not actually doing anything without credentials. Credentials are always involved unless you're just making queries to the metadata.
What Boto and other similar frameworks do is they query the ec2 instance metadata to get the credentials for the role. Just replace the last part s3access with the name of the profile / role.
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/s3access
Returns
{
"Code" : "Success",
"LastUpdated" : "2012-04-26T16:39:16Z",
"Type" : "AWS-HMAC",
"AccessKeyId" : "AKIAIOSFODNN7EXAMPLE",
"SecretAccessKey" : "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
"Token" : "token",
"Expiration" : "2012-04-27T22:39:16Z"
}
This response includes the access credentials required to make the API request. When the credentials expire the framework will request a new set of credentials using the same method and repeat this process as many times as necessary.
I highly recommend using a framework because making the requests directly to the REST API requires that you perform the authentication yourself. If that's the direction you decide to go here are some more resources to help you out.
Signature Version 2
Describe Tags API