Amazon Web Services

EC2 Metadata: Instance, User or Dynamic

EC2 Metadata

When accessing your EC2 instances, you may find interesting information using the EC2 metadata endpoint.

This endpoint can provide for you a list of data for a variety of workloads, such as applications, scripts, and third-party tools and the EC2 instance metadata is grouped into three types:

The User Metadata

In this group, you can have access to specific parameters or script configuration that is needed for your EC2 instances.

The data used in here must be encoded in base64 but if you don’t do that, Amazon EC2 console takes care of it for you. Bear in mind that it has a limitation of 16KB on raw format.

You can pass these instructions when the instance starts but if you eventually edit this information and restart your instance, the change won’t be executed!

As well, you can only modify the user meta for EBS root volume when the instance is stopped.

The Instance Metadata

Instance group metadata is provided when the EC2 instance is deployed.

It shows a collection of network and instance related values and it is in here where things get a bit more interesting.

Particularly, I have a list of commonly used parameters and you can see them below:

  • hostname
    • The private IPv4 hostname.
  • iam/info
    • Contains information about the IAM Role associated with the instance (if any).
  • iam/security-credentials/<role-name>
    • Display details about the IAM Role attached to the EC2 instance.
    • Here you can encounter pretty confidential data, like the temporary access and secret keys which are used to let the EC2 instance interact with another AWS Services.
  • instance-id
    • The EC2 instance ID.
  • instance-type
    • The EC2 instance type.
  • local-hostname
    • The private instance IPv4 DNS.
  • local-ipv4
    • The private instance IPv4 address.
  • placement/availability-zone
  • public-hostname
    • The public instance IPv4 DNS.
  • public-ipv4
    • The public instance IPv4 address.
    • If an EC2 Elastic IP address is associated with the instance, it will be displayed.
  • security-groups
  • spot/instance-action
    • If you have an EC2 spot instance deployed, here you will see which action will take place and when (timestamp).
    • Actions can be “hibernate“, “stop” or “terminate“.
  • spot/termination-time
    • Approximate time when the instance will receive a shutdown instruction.

The Dynamic metadata

With dynamic, data you don’t have so many options, but still a useful endpoint to retrieve a resume-like document, in a JSON format, as the endpoint “instance-identity/document” shows:

Dynamic instance metadata example
Dynamic instance metadata example.

The URL and metadata format

The URL that AWS prepared for use comes with a nice structure, example:

The IP address will be always fixed.

The version comes right after, in that example, it shows “latest“.

The third parameter is the group, where you must choose between dynamic, meta-data (instance) or user-data.

The rest of the URL will depend on what you want to see, as shown by my list of favorite options above.


Always remember to add the final */* in the request or you will receive no information (or errors). Interesting though, it’s not the case for “dynamic” endpoints.

In case that no data is available, you should have a 404 error message.

You are not billed for those HTTP requests.

Finally, remember that this data does not come encrypted in any form, so be always aware of what is running in your EC2 instance because sensitive data within the EC2 instance or from other parts of your AWS environment can be exposed!

By continuing to use the site, you agree to the use of cookies. more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.