I am using the boto3 Python3 module provided by AWS. I'm able to extract the security key name and the various tags associated with an EC2 instance. Unfortunately, none of that information tells me who created the instance.
Is there a way to use AWS IAM to see what active instances were created by a user?
Related
I need to create a python lambda function which check a set of conditions.
One of the is to count the number of running ec2 instances with a specific name from another aws account.
I searched stackoverflow and found something like this, but this should only count the instances from the same account/region.
def ec2(event, context):
ec2_resource = boto3.resource('ec2')
instances = [instance.state['Name'] for instance in ec2_resource.instances.all()]
ec2_running_instances = instances.count('running')
print(ec2_running_instances)
You can't do this directly from your account. You must assume IAM role that is created in the second account, with permissions to describe the instances. Please check: Delegate access across AWS accounts using IAM roles .
Once the role exists, you have to use boto3's assume_role to assume the role, get temporary aws credentials, and then create new boto3 session with that credentials.
I am trying to list down all the EC2 instances with its IAM role attached using boto3 in python3. But I don't find any method to get the IAM role attached to existing EC2 instance. is there any method in boto3 to do that ?
When I describe an Instance, It has a key name IamInstanceProfile. That contains instance profile id and arn of the iam instance profile. I don't find name of IAM instance profile or any other info about IAM roles attached to it. I tried to use instance profile id to describe instance profile, But it seems to describe an instance profile, we need name of instance profile (not the id).
Can someone help on this ? I might be missing something.
Thanks
When we describe EC2 instance, We get IamInstanceProfile key which has Arn and id.
Arn has IamInstanceProfile name attached to it.
Arn': 'arn:aws:iam::1234567890:instance-profile/instanceprofileOrRolename'
This name can be used for further operation like get role description or listing policies attached to role.
Thanks
You can get the metadata of an EC2 instance by making an HTTP call to http://169.254.169.254/latest/meta-data/ from the instance.
In your case, you may want to navigate to http://169.254.169.254/latest/meta-data/iam/security-credentials to get the IAM role attached to the instance.
EC2 Instance Metadata
You can call IAM list_instance_profiles(), and then filter the results by the ARN or ID from EC2 describe_instances() result. This response will contain Roles for given instance profile.
Boto3 IAM documentation
I'm trying to figure out a way to run Terraform from inside an AWS WorkSpace. Is that even possible? Has anyone made this work?
AWS WorkSpaces doesn't apply the same concept with an Instance Profile and associated IAM role that is attached to it.
I'm pretty confident, however, that you can run Terraform in an AWS WorkSpace just as you can do it from your personal computer. With Internet access (or VPC endpoints), it can reach AWS APIs and just requires a set of credentials, which in this case (without instance profiles) would be an AWS Access Key and Secret Access Key - just like on your local computer.
I tried to find set aws-cli locally using IAM role & without using access key/secret access key. But unable to get information from meta url[http://169.256.169.256/latest/meta-data].
I am running Ec2 instance with Ubuntu Server 16.04 LTS (HVM), SSD Volume Type - ami-f3e5aa9c.I have tried to configure aws-cli on that instance.I am not sure what type of role/policy/user needed to get aws-cli configured in my Ec2 instance.
Please provide me step by step guide to achieve that.I just need direction.So useful link also appreciated.
To read Instance Metadata, you dont need to configure the AWS CLI. The problem in your case, is you are using a wrong URL to read the Instance Metadata. The correct URL to use is http://169.254.169.254/ . For example, if you want to read the AMI id of the Instance, you can use the follow command.
curl http://169.254.169.254/latest/meta-data/ami-id
However, if you would like to configure the AWS cli without using the Access/Secret Keys. Follow the below steps.
Create an IAM instance profile and Attach it to the EC2 instance
Open the IAM console at https://console.aws.amazon.com/iam/.
In the navigation pane, choose Roles, Create role.
On the Select role type page, choose EC2 and the EC2 use case. Choose Next: Permissions.
On the Attach permissions policy page, select an AWS managed policy that
grants your instances access to the resources that they need.
On the Review page, type a name for the role and choose Create role.
Install the AWS CLI(Ubuntu).
Install pip if it is not installed already.
`sudo apt-get install python-pip`
Install AWS CLI.
`pip install awscli --upgrade --user`
Configure the AWS CLI. Leave AWS Access Key ID and AWS Secret Access
Key as blank as we want to use a Role.
$ aws configure
AWS Access Key ID [None]:
AWS Secret Access Key [None]:
Default region name [None]: us-west-2
Default output format [None]: json
Modify the Region and Output Format values if required.
I hope this Helps you!
AWS Documentation on how to setup an IAM role for EC2
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
I have different EC2 instances trying to access RDS instance. I want to upfront set RDS instance 'canonical name' within configuration file so that after deployment I don't need to make any changes to configuration files.
I have following questions:
Is there anyway, one can assign canonical name to a RDS instance within cloudformation template?
If above is not possible, can I setup dependency chain between EC2 creation and RDS instance (i.e. create RDS instance first, query it's name/ip and than create EC2 instance)
Thx
The canonical name of an RDS instance will always be generated automatically by AWS, however the naming scheme is consistent. The format of the name is:
<instance_name>.<arbitrary_string>.<region>.rds.amazonaws.com
The arbitrary_string section of the name is a string that uniquely identifies your AWS account. All RDS instances created within your account will use the same string identifier, so just grab that section from an existing RDS instance and you can piece together the full name based on the name you give the database and the region you launch it in.
If you want to have an easy to read/remember DNS name then you can always use Route 53 to assign another name as an alias to this.