@omerxx
Created July 10, 2019 09:33
Getting EC2 instance tags from within the instance
```python
import boto3
import requests


def _get_metadata_region():
    # The instance identity document (JSON) carries the region the instance runs in.
    r = requests.get(
        'http://169.254.169.254/latest/dynamic/instance-identity/document',
        timeout=2)
    r.raise_for_status()
    return r.json()['region']


def _get_instance_id():
    r = requests.get('http://169.254.169.254/latest/meta-data/instance-id',
                     timeout=2)
    r.raise_for_status()
    return r.text


def get_instance_tags():
    # describe_tags is regional, so the client is built for the instance's own region.
    client = boto3.client('ec2', region_name=_get_metadata_region())
    response = client.describe_tags(
        Filters=[
            {
                'Name': 'resource-id',
                'Values': [
                    _get_instance_id(),
                ]
            },
        ],
    )
    return response['Tags']


if __name__ == '__main__':
    print(get_instance_tags())
```
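The same lookup written with IMDSv2 instead of the plain GET used above: a session token is obtained with a PUT and sent on every metadata read, HTTP calls carry timeouts, `describe_tags` is paginated, and the result comes back as a `{key: value}` dict. This is an added example, not the gist's code; the HTTP transport and the EC2 client factory are injectable so the logic can be exercised off-instance with the constructed fakes at the bottom (all IDs, ARNs and tag values there are made up).

```python
# Added example, not the gist's own code: tag lookup via IMDSv2 with timeouts,
# pagination and an injectable transport/client so it runs off-instance.
import json
import urllib.request

IMDS = "http://169.254.169.254/latest"
TOKEN_TTL_SECONDS = "21600"  # IMDSv2 maximum token lifetime


def http_request(method, url, headers=None, timeout=2.0):
    """Minimal transport: returns the response body as text."""
    req = urllib.request.Request(url, method=method, headers=headers or {})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


def imds_token(http=http_request):
    # IMDSv2 tokens are obtained with a PUT; the TTL header is mandatory.
    return http("PUT", f"{IMDS}/api/token",
                {"X-aws-ec2-metadata-token-ttl-seconds": TOKEN_TTL_SECONDS})


def imds_get(path, token, http=http_request):
    # Every IMDSv2 read carries the session token.
    return http("GET", f"{IMDS}/{path}", {"X-aws-ec2-metadata-token": token})


def instance_identity(http=http_request):
    """Return (instance_id, region) from the instance identity document."""
    token = imds_token(http)
    doc = json.loads(imds_get("dynamic/instance-identity/document", token, http))
    return doc["instanceId"], doc["region"]


def tags_as_dict(response):
    # describe_tags returns a list of {'Key', 'Value', 'ResourceId', 'ResourceType'}.
    return {t["Key"]: t["Value"] for t in response.get("Tags", [])}


def get_instance_tags(http=http_request, make_client=None):
    """Tags of the instance this code runs on, as {key: value}."""
    instance_id, region = instance_identity(http)
    if make_client is None:
        import boto3  # imported lazily so the IMDS helpers work without boto3
        make_client = lambda region: boto3.client("ec2", region_name=region)
    client = make_client(region)
    kwargs = {"Filters": [{"Name": "resource-id", "Values": [instance_id]}]}
    tags = {}
    while True:  # describe_tags pages its results with NextToken
        response = client.describe_tags(**kwargs)
        tags.update(tags_as_dict(response))
        if not response.get("NextToken"):
            return tags
        kwargs["NextToken"] = response["NextToken"]


# --- constructed fakes for running off-instance (hypothetical values) ---
FAKE_INSTANCE_ID = "i-0123456789abcdef0"
FAKE_REGION = "eu-west-1"


def fake_http(method, url, headers=None, timeout=2.0):
    """Stands in for IMDS: issues a token and serves the identity document."""
    if method == "PUT" and url.endswith("/api/token"):
        assert "X-aws-ec2-metadata-token-ttl-seconds" in headers
        return "FAKE-TOKEN"
    if headers.get("X-aws-ec2-metadata-token") != "FAKE-TOKEN":
        raise PermissionError("IMDSv2 token missing")  # real IMDS answers 401
    return json.dumps({"instanceId": FAKE_INSTANCE_ID, "region": FAKE_REGION})


class FakeEc2:
    """Stands in for boto3's EC2 client; pages the tags over two calls."""

    def __init__(self, region):
        assert region == FAKE_REGION
        self._pages = [
            {"Tags": [{"Key": "Name", "Value": "web-1", "ResourceId": FAKE_INSTANCE_ID,
                       "ResourceType": "instance"}], "NextToken": "page2"},
            {"Tags": [{"Key": "Env", "Value": "prod", "ResourceId": FAKE_INSTANCE_ID,
                       "ResourceType": "instance"}]},
        ]

    def describe_tags(self, Filters, NextToken=None):
        assert Filters == [{"Name": "resource-id", "Values": [FAKE_INSTANCE_ID]}]
        return self._pages[1] if NextToken == "page2" else self._pages[0]


if __name__ == "__main__":
    print(get_instance_tags(http=fake_http, make_client=FakeEc2))
```

On a real instance, call `get_instance_tags()` with no arguments; the lazy `boto3` import and the default `urllib` transport then talk to the real IMDS and EC2 API, using whatever instance profile is attached.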
@omerxx

omerxx commented Jul 10, 2019

Note: since this involves using the AWS API, you have to use proper permissions to use this script.
Since this is intended to run from an EC2 instance, the right way is to use a role; this is a good policy to attach: arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess

@kesor

kesor commented Jul 10, 2019

Consider restricting the suggested instance policy to just describing tags on itself, like so:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:DescribeTags",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ARN": "${ec2:SourceInstanceARN}"
                }
            }
        }
    ]
}
```

@omerxx

omerxx commented Jul 10, 2019

> Consider restricting the suggested instance policy to just describing tags on itself, like so:
>
> ```json
> {
>     "Version": "2012-10-17",
>     "Statement": [
>         {
>             "Effect": "Allow",
>             "Action": "ec2:DescribeTags",
>             "Resource": "*",
>             "Condition": {
>                 "StringEquals": {
>                     "aws:ARN": "${ec2:SourceInstanceARN}"
>                 }
>             }
>         }
>     ]
> }
> ```

Better!
Thanks!

@aidansteele

@kesor Can you share a CLI command where that policy works? When I try aws ec2 describe-tags --filters Name=resource-id,Values=<instance id> I still get permission denied.

@kesor

kesor commented Aug 15, 2019

> @kesor Can you share a CLI command where that policy works? When I try aws ec2 describe-tags --filters Name=resource-id,Values=<instance id> I still get permission denied.

@aidansteele The condition does not restrict which instances you can query; it restricts who can query. With the condition above, only the instance itself, when it is using an IAM role, can query for ec2:DescribeTags (for all instances in the region).

@ask0n

ask0n commented Dec 28, 2019

> @kesor Can you share a CLI command where that policy works? When I try aws ec2 describe-tags --filters Name=resource-id,Values=<instance id> I still get permission denied.

> @aidansteele The condition does not restrict which instances you can query; it restricts who can query. With the condition above, only the instance itself, when it is using an IAM role, can query for ec2:DescribeTags (for all instances in the region).

The placeholder ${ec2:SourceInstanceARN} will be replaced by any instance to which the instance profile is attached. This means each instance with the proper instance profile can query. Obviously, if you do not want to allow other instances the ec2:DescribeTags permission, just do not attach the instance profile to them.
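The point kesor and ask0n make (the condition decides who may call, not which instance's tags may be read) is easier to see in a deliberately small model of condition evaluation. The block below is an added illustration, not the gist's code and not AWS's real policy engine: it resolves the `${ec2:SourceInstanceARN}` policy variable from a request context and checks the `StringEquals` condition. The ARNs and request contexts are constructed, and `aws:ARN` is treated, as the thread does, as the caller's ARN. Note that the `--filters` value from the CLI command is nowhere in the context, which is why a request from the instance passes regardless of which `resource-id` it asks about, and a request with user credentials fails.

```python
# Added illustration, not the gist's code and not AWS's evaluation engine:
# a minimal model of a StringEquals condition that contains a policy variable.
import re

# The statement from the thread, as data.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "ec2:DescribeTags",
        "Resource": "*",
        "Condition": {"StringEquals": {"aws:ARN": "${ec2:SourceInstanceARN}"}},
    }],
}

_VAR = re.compile(r"\$\{([A-Za-z0-9:]+)\}")


def resolve(value, context):
    """Replace ${key} policy variables with values from the request context.
    A key absent from the context resolves to an empty string, so a
    StringEquals against it cannot match."""
    return _VAR.sub(lambda m: context.get(m.group(1), ""), value)


def condition_matches(condition, context):
    """True when every key/value pair of every operator holds for this request."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(operator)  # the model supports only StringEquals
        for key, expected in pairs.items():
            if key not in context or context[key] != resolve(expected, context):
                return False
    return True


def is_allowed(policy, action, context):
    """Allowed if some Allow statement names the action and its conditions hold."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if (stmt["Effect"] == "Allow" and action in actions
                and condition_matches(stmt.get("Condition", {}), context)):
            return True
    return False


# Constructed (hypothetical) identities.
INSTANCE_A = "arn:aws:ec2:eu-west-1:123456789012:instance/i-aaaaaaaaaaaaaaaaa"
INSTANCE_B = "arn:aws:ec2:eu-west-1:123456789012:instance/i-bbbbbbbbbbbbbbbbb"
USER = "arn:aws:iam::123456789012:user/alice"

# Context of a call made from instance A with its instance profile.  What is
# NOT here: the describe-tags Filters, i.e. which instance the call asks about.
FROM_INSTANCE_A = {"aws:ARN": INSTANCE_A, "ec2:SourceInstanceARN": INSTANCE_A}
# Context of the same call made with user credentials: no source instance.
FROM_LAPTOP = {"aws:ARN": USER}


def describe_tags_decision(context, resource_id):
    """Model of the call: the resource-id filter is irrelevant to the decision."""
    return is_allowed(POLICY, "ec2:DescribeTags", context)


if __name__ == "__main__":
    for who, ctx in (("instance A", FROM_INSTANCE_A), ("laptop", FROM_LAPTOP)):
        for target in (INSTANCE_A, INSTANCE_B):
            print(f"{who} asking about {target.rsplit('/', 1)[1]}: "
                  f"{'allow' if describe_tags_decision(ctx, target) else 'deny'}")
```

Running it prints allow for both targets from instance A and deny for both from the laptop, which matches the thread: the policy narrows the caller to instances with this profile, while (as tinproject notes below) DescribeTags itself cannot be narrowed to particular instances.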

@tinproject

@kesor No, you cannot restrict that action in an IAM policy...
[screenshot: describetagspolicy]

FYI: don't lose time trying to do this.
