-
-
Save codeinthehole/ab9a8dc30917c5705846 to your computer and use it in GitHub Desktop.
#!/usr/bin/env bash | |
# | |
# Get the value of a tag for a running EC2 instance. | |
# | |
# This can be useful within bootstrapping scripts ("user-data"). | |
# | |
# Note the EC3 instance needs to have an IAM role that lets it read tags. The policy | |
# JSON for this looks like: | |
# | |
# { | |
# "Version": "2012-10-17", | |
# "Statement": [ | |
# { | |
# "Effect": "Allow", | |
# "Action": "ec2:DescribeTags", | |
# "Resource": "*" | |
# } | |
# ] | |
# } | |
# Define the tag you want to get the value for | |
KEY=bucket | |
# Install AWS CLI (you could just do 'apt-get install awscli' although you'll | |
# get an older version). | |
apt-get update | |
apt-get install -y python-pip | |
pip install -U pip | |
pip install awscli | |
# Grab instance ID and region as the 'describe-tags' action below requires them. Getting the region | |
# is a pain (see http://stackoverflow.com/questions/4249488/find-region-from-within-ec2-instance) | |
INSTANCE_ID=$(ec2metadata --instance-id) | |
REGION=$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/document | grep region | awk -F\" '{print $4}') | |
# Grab tag value | |
TAG_VALUE=$(aws ec2 describe-tags --filters "Name=resource-id,Values=$INSTANCE_ID" "Name=key,Values=$KEY" --region=$REGION --output=text | cut -f5) |
If you know what Tag you are looking for you can query it directly like --query 'Tags[?Key==`Name`].Value'
And yes those are backticks around the tag Key that you are looking for, in this came Name
.
Possibly restrict the policy even more, like so:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:DescribeTags",
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:ARN": "${ec2:SourceInstanceARN}"
}
}
}
]
}
@kesor No, you can not restrict that action in an IAM policy...
@tinproject I did write that you "possibly" could, without testing. Looks like there is indeed no such thing as aws:ARN
, but there IS aws:SourceArn
that you could use (I didn't test it).
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcearn
DescribeTags
action does not allow any Resource limitation (https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html#amazonec2-policy-keys ), the Policy Visual Editor image above also tells so.
Anyway, even if it supports resource limiting, a condition using aws:SourceArn
and ${ec2:SourceInstanceARN}
is always true in a petition from an Instance Role as both values will be the same, and as the documentation said you can not use ${ec2:SourceInstanceARN}
on the Resource
part of the policy, hence you're not limiting by resource.
Conclusion: don't lose time trying to make this work (as I already did)
There's an error getting the region.
You can fix it with
INSTANCE_ID=$(ec2-metadata --instance-id | awk '{print $2}')
TOOOOOOOOP
like a charm !!!!
If you know what Tag you are looking for you can query it directly like
--query 'Tags[?Key==`Name`].Value'
And yes those are backticks around the tag Key that you are looking for, in this cameName
.
Finally found the working syntax. Thanks @espoelstra
From a previous comment:
The example script uses bash, and parsing the region from
meta-data/placement/availability-zone
isn't hard with bash (or most other shells). It returns the full zone name, which is the region name plus the one-letter zone name. I.e.,us-west-2a
orap-northeast-1b
. So you just have to return the zone name with the last character removed to get the region: