-
-
Save codeinthehole/ab9a8dc30917c5705846 to your computer and use it in GitHub Desktop.
| #!/usr/bin/env bash | |
| # | |
| # Get the value of a tag for a running EC2 instance. | |
| # | |
| # This can be useful within bootstrapping scripts ("user-data"). | |
| # | |
| # Note the EC3 instance needs to have an IAM role that lets it read tags. The policy | |
| # JSON for this looks like: | |
| # | |
| # { | |
| # "Version": "2012-10-17", | |
| # "Statement": [ | |
| # { | |
| # "Effect": "Allow", | |
| # "Action": "ec2:DescribeTags", | |
| # "Resource": "*" | |
| # } | |
| # ] | |
| # } | |
| # Define the tag you want to get the value for | |
| KEY=bucket | |
| # Install AWS CLI (you could just do 'apt-get install awscli' although you'll | |
| # get an older version). | |
| apt-get update | |
| apt-get install -y python-pip | |
| pip install -U pip | |
| pip install awscli | |
| # Grab instance ID and region as the 'describe-tags' action below requires them. Getting the region | |
| # is a pain (see http://stackoverflow.com/questions/4249488/find-region-from-within-ec2-instance) | |
| INSTANCE_ID=$(ec2metadata --instance-id) | |
| REGION=$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/document | grep region | awk -F\" '{print $4}') | |
| # Grab tag value | |
| TAG_VALUE=$(aws ec2 describe-tags --filters "Name=resource-id,Values=$INSTANCE_ID" "Name=key,Values=$KEY" --region=$REGION --output=text | cut -f5) |
This is amazing. Really helped out a ton! Thanks!
Great!!.
Thanks!
Great!!!
Thanks!
On the Amazon Linux AMI I had to change:
INSTANCE_ID=$(ec2-metadata --instance-id | cut -f2 -d " ")
Saved me tons of time, thanks.
This is fantastic. Thank you so much!!
Any way to do this in a case insensitive way? Like if someone puts the tag name as "name" or "NAME" instead of "Name"
Excellent! This helped! Used this as a base for getting the info I needed back for a script.
Had a couple other suggestions, some require jq (installs using yum, sorry not sure the apt-get equivalent):
sudo yum -y install jq
Get instance ID:
INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id)
Get region:
REGION=$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/document | jq -r .region)
Parse tag value with jq:
aws ec2 describe-tags --filters "Name=resource-id,Values=$INSTANCE_ID" "Name=key,Values=$KEY" --region=$REGION --output=json | jq -r .Tags[0].Value
Why use jq or cut?
--query 'Tags[0].Value' with --output=text should do the trick
Also, if you're using it within CloudFormation, use ${AWS::Region} and, if you use cloud-init or cloud-config, $INSTANCE_ID should be available
From a previous comment:
I was afraid I was going to have to parse the region out of
meta-data/placement/availability-zonebefore I discovered this example
The example script uses bash, and parsing the region from meta-data/placement/availability-zone isn't hard with bash (or most other shells). It returns the full zone name, which is the region name plus the one-letter zone name. I.e., us-west-2a or ap-northeast-1b. So you just have to return the zone name with the last character removed to get the region:
ZONE=$(curl -s http://169.254.169.254/latest/meta-data/placement/availability-zone)
REGION=${ZONE%?}
If you know what Tag you are looking for you can query it directly like --query 'Tags[?Key==`Name`].Value' And yes those are backticks around the tag Key that you are looking for, in this came Name.
Possibly restrict the policy even more, like so:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:DescribeTags",
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:ARN": "${ec2:SourceInstanceARN}"
}
}
}
]
}
@kesor No, you can not restrict that action in an IAM policy...
@tinproject I did write that you "possibly" could, without testing. Looks like there is indeed no such thing as aws:ARN, but there IS aws:SourceArn that you could use (I didn't test it).
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcearn
DescribeTags action does not allow any Resource limitation (https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html#amazonec2-policy-keys ), the Policy Visual Editor image above also tells so.
Anyway, even if it supports resource limiting, a condition using aws:SourceArn and ${ec2:SourceInstanceARN} is always true in a petition from an Instance Role as both values will be the same, and as the documentation said you can not use ${ec2:SourceInstanceARN} on the Resource part of the policy, hence you're not limiting by resource.
Conclusion: don't lose time trying to make this work (as I already did)
There's an error getting the region.
You can fix it with
INSTANCE_ID=$(ec2-metadata --instance-id | awk '{print $2}')
TOOOOOOOOP
like a charm !!!!
If you know what Tag you are looking for you can query it directly like
--query 'Tags[?Key==`Name`].Value'And yes those are backticks around the tag Key that you are looking for, in this cameName.
Finally found the working syntax. Thanks @espoelstra
👍 I was afraid I was going to have to parse the region out of
meta-data/placement/availability-zonebefore I discovered this example. Thanks!