Neeraj Singh

AWS EC2 instance metadata and userdata

Instance Metadata:

Instance metadata is data about your instance that you can use to configure or manage the running instance 

Quick background:

  • Instance metadata is data about an instance that can be used to manage the instance.
  • Can be viewed by anyone who has access to the instance.
  • Must not be used to store sensitive information such as passwords 
  • Curl or GET commands can be used. 
  • Results are returned as plain text and data is listed in separate lines 
  • Dynamic data retrieves Instance identity information.
  • Can be accessed using the URL http://169.254.169.254/latest/dynamic/ 

Note: Although you can only access instance metadata and user data from within the instance itself, the data is not protected by cryptographic methods. Anyone who can access the instance can view its metadata. Therefore, you should take suitable precautions to protect sensitive data (such as long-lived encryption keys). You should not store sensitive data, such as passwords, as user data. 

You can also use instance metadata to access user data that you specified when launching your instance. For example, you can specify parameters for configuring your instance, or attach a simple script. You can also use this data to build more generic AMIs that can be modified by configuration files supplied at launch time. For example, if you run web servers for various small businesses, they can all use the same AMI and retrieve their content from the Amazon S3 bucket you specify in the user data at launch. To add a new customer at any time, simply create a bucket for the customer, add their content, and launch your AMI. If you launch more than one instance at the same time, the user data is available to all instances in that reservation. 

EC2 instances can also include dynamic data, such as an instance identity document that is generated when the instance is launched 

Retrieving Instance Metadata 

Because your instance metadata is available from your running instance, you do not need to use the Amazon EC2 console or the AWS CLI. This can be helpful when you’re writing scripts to run from your instance. For example, you can access the local IP address of your instance from instance metadata to manage a connection to an external application. 

To view all categories of instance metadata from within a running instance, use the following URI: 

[ec2-user ~]$ curl http://169.254.169.254/latest/meta-data/

Note that you are not billed for HTTP requests used to retrieve instance metadata and user 

These examples get the value of some of the metadata items from the preceding example. 

[ec2-user ~]$ curl http://169.254.169.254/latest/meta-data/ami-id 
result: ami-12345678 

[ec2-user ~]$ curl http://169.254.169.254/latest/meta-data/local-hostname  

result: ip-10-251-50-12.ec2.internal 

[ec2-user ~]$ curl http://169.254.169.254/latest/meta-data/public-hostname  

result: ec2-203-0-113-25.compute-1.amazonaws.com 

[ec2-user ~]$ curl http://169.254.169.254/latest/meta-data/network/interfaces/macs/02:29:96:8f:6a:2d/subnet-id  

result: subnet-be9b61d7

Throttling 

Throttling of queries to the instance metadata service is done on a per-instance basis.

If you’re using the instance metadata service to retrieve AWS security credentials, avoid querying for credentials during every transaction or concurrently from a high number of threads or processes, as this may lead to throttling. Instead, we recommend that you cache the credentials until they start approaching their expiry time. 

If you’re throttled while accessing the instance metadata service, retry your query with an exponential back off strategy. 

Install Instance metadata tool

#!/bin/bash
wget http://s3.amazonaws.com/ec2metadata/ec2-metadata
chmod u+x ec2-metadata
./ec2-metadata --help

Instance User data:

User data is the config data that can be setup while launching EC2 instance and will be executed only at boot time.

Quick background:

  • Commonly known as bootstrap script 
  • If an instance is restarted with modified user data, it will not be executed 
  • Accessed using URL: http://169.254.169.254/latest/user-data 
  • API submission requires base64 encoding.
  • User data is limited to 16 KB. This limit applies to the data in raw form, not base64-encoded form. 

Modify Instance User Data 

You can modify user data for an instance in the stopped state if the root volume is an EBS volume. 

Retrieve Instance User Data 

To retrieve user data from within a running instance, use the following URI: 

http://169.254.169.254/latest/user-data

A request for user data returns the data as it is (content type application/octet-stream). 

This example returns user data that was provided as comma-separated text: 

[ec2-user ~]$ curl http://169.254.169.254/latest/user-data 
1234,john,reboot,true | 4512,richard, | 173,,,

This example returns user data that was provided as a script.

[ec2-user ~]$ TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` \
&& curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/user-data
#!/bin/bash
yum update -y
service httpd start
chkconfig httpd on

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s