Guilherme Ferreira
When accessing your EC2 instances, you may find interesting information using the EC2 metadata endpoint.
This endpoint can provide for you a list of data for a variety of workloads, such as applications, scripts, and third-party tools and the EC2 instance metadata is grouped into three types:
The User Metadata
In this group, you can have access to specific parameters or script configuration that is needed for your EC2 instances.
The data used in here must be encoded in base64 but if you don’t do that, Amazon EC2 console takes care of it for you. Bear in mind that it has a limitation of 16KB on raw format.
You can pass these instructions when the instance starts but if you eventually edit this information and restart your instance, the change won’t be executed!
As well, you can only modify the user meta for EBS root volume when the instance is stopped.
The Instance Metadata
Instance group metadata is provided when the EC2 instance is deployed.
It shows a collection of network and instance related values and it is in here where things get a bit more interesting.
Particularly, I have a list of commonly used parameters and you can see them below:
- hostname
- The private IPv4 hostname.
- iam/info
- Contains information about the IAM Role associated with the instance (if any).
- iam/security-credentials/<role-name>
- Display details about the IAM Role attached to the EC2 instance.
- Here you can encounter pretty confidential data, like the temporary access and secret keys which are used to let the EC2 instance interact with another AWS Services.
- instance-id
- The EC2 instance ID.
- instance-type
- The EC2 instance type.
- local-hostname
- The private instance IPv4 DNS.
- local-ipv4
- The private instance IPv4 address.
- placement/availability-zone
- In which AWS available zone the EC2 instance was deployed.
- public-hostname
- The public instance IPv4 DNS.
- public-ipv4
- The public instance IPv4 address.
- If an EC2 Elastic IP address is associated with the instance, it will be displayed.
- security-groups
- The EC2 security groups for the instance.
- spot/instance-action
- If you have an EC2 spot instance deployed, here you will see which action will take place and when (timestamp).
- Actions can be “hibernate“, “stop” or “terminate“.
- spot/termination-time
- Approximate time when the instance will receive a shutdown instruction.
The Dynamic metadata
With dynamic, data you don’t have so many options, but still a useful endpoint to retrieve a resume-like document, in a JSON format, as the endpoint “instance-identity/document” shows:
The URL and metadata format
The URL that AWS prepared for use comes with a nice structure, example:
http://169.254.169.254/latest/meta-data/spot/instance-action
The IP address 169.254.169.254 will be always fixed.
The version comes right after, in that example, it shows “latest“.
The third parameter is the group, where you must choose between dynamic, meta-data (instance) or user-data.
The rest of the URL will depend on what you want to see, as shown by my list of favorite options above.
Extra
Always remember to add the final */* in the request or you will receive no information (or errors). Interesting though, it’s not the case for “dynamic” endpoints.
In case that no data is available, you should have a 404 error message.
You are not billed for those HTTP requests.
Finally, remember that this data does not come encrypted in any form, so be always aware of what is running in your EC2 instance because sensitive data within the EC2 instance or from other parts of your AWS environment can be exposed!
