EC2 Instance IAM Role Credentials in Lambda Function

0

I am trying to pull the EC2 instance IAM role credentials from a Lambda function. It does work when I simply run the REST API or a script locally on an EC2 instance, but I am not sure how to retrieve EC2 metadata using boto3.

Running the REST endpoint below locally works fine, but it does not work via Lambda, where the local environment is different.

http://169.254.169.254/latest/meta-data/iam/security-credentials/{iam_role}

Use case: I have an IAM role associated with the EC2 instance. The same IAM role is used by many other external applications, like ServiceNow and Salesforce, to invoke other AWS services, especially API Gateways. To invoke the API Gateway from ServiceNow, we need the access key and secret key of the IAM role. Since EC2 metadata automatically refreshes the access key and secret key, I want to use that instead of manually rotating the secret keys in the IAM role and updating them in ServiceNow manually.

BTW: Lambda and EC2 are in the same region, same account, and deployed within the same VPC.

2 Answers
0

Lambda doesn't run on an EC2 instance, therefore you will not be able to retrieve the metadata endpoint the same way you do from EC2 instances.

Using get_caller_identity with boto3 should return the current details of what the Lambda function is running as, if using Python.

https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/sts/client/get_caller_identity.html

EXPERT
answered 8 months ago
0

Hi, you can run a shell script on your EC2 instance by using the SendCommand API, and retrieve its result with the GetCommandInvocation API.

Here's an example execution:

$ aws ssm send-command \
> --document-name AWS-RunShellScript \
> --instance-ids i-035c05a2fdb7a42ef \
> --parameters '{"commands": ["TOKEN=`curl -s -X PUT -H \"X-aws-ec2-metadata-token-ttl-seconds: 21600\" http://169.254.169.254/latest/api/token` && curl -s -H \"X-aws-ec2-metadata-token: $TOKEN\" http://169.254.169.254/latest/meta-data/iam/security-credentials/fastapi-server-EC2InstanceRole-ap-northeast-1"]}' \
> --query Command.CommandId \
> --output text
a840ec32-4504-4960-a767-52d003fbeeb8

$ aws ssm get-command-invocation \
> --command-id a840ec32-4504-4960-a767-52d003fbeeb8 \
> --instance-id i-035c05a2fdb7a42ef \
> --query StandardOutputContent | jq -r
{
  "Code" : "Success",
  "LastUpdated" : "2023-10-04T23:16:06Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "ASIAXOXK2FXORLKOCEF4",
  "SecretAccessKey" : "yMQjNT2s0Xm/Ic48dWv1UQm5hE/UyguFOaQz0XNE",
  "Token" : "...",
  "Expiration" : "2023-10-05T05:31:10Z"
}

Here, I used the AWS CLI for demonstration purposes, but you can use the AWS SDK in Lambda to achieve the same goal.

HS
answered 8 months ago
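The same SendCommand / GetCommandInvocation flow written with boto3 for a Python Lambda, as the second answer suggests. This is an added example and not code from either answer. It assumes the instance ID and IAM role name arrive in the Lambda event (hypothetical keys `instance_id` and `role_name`), takes the SSM client as a parameter so the polling logic can be exercised with a stand-in client, validates the role name before it is placed in the shell command, and checks the `Code` and `Expiration` fields of the IMDS document before handing the credentials on. Two things to keep in mind: Run Command keeps `StandardOutputContent` in its command history, so the instance role's credentials are also readable by anyone who can call GetCommandInvocation on that command; and the Lambda's own execution role needs `ssm:SendCommand` and `ssm:GetCommandInvocation` on the target instance, which must be managed by Systems Manager.

```python
import json
import re
import time
from datetime import datetime, timezone
from typing import Optional

# IAM role names are limited to this character set, so anything else is rejected
# before the name is interpolated into the shell command sent to the instance.
_ROLE_NAME_RE = re.compile(r"^[\w+=,.@-]{1,64}$")

# GetCommandInvocation statuses that will not change any more.
_TERMINAL_STATUSES = {"Success", "Cancelled", "TimedOut", "Failed"}


def build_imds_credentials_command(role_name: str) -> str:
    """Shell command equivalent to the curl pipeline in the answer above (IMDSv2)."""
    if not _ROLE_NAME_RE.match(role_name):
        raise ValueError(f"invalid IAM role name: {role_name!r}")
    return (
        'TOKEN=$(curl -s -X PUT -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" '
        "http://169.254.169.254/latest/api/token) && "
        'curl -s -H "X-aws-ec2-metadata-token: $TOKEN" '
        f"http://169.254.169.254/latest/meta-data/iam/security-credentials/{role_name}"
    )


def parse_instance_credentials(stdout: str) -> dict:
    """Validate the IMDS credential document and return the fields a client needs."""
    doc = json.loads(stdout)
    if doc.get("Code") != "Success":
        raise RuntimeError(f"IMDS returned Code={doc.get('Code')!r}")
    expiration = datetime.strptime(doc["Expiration"], "%Y-%m-%dT%H:%M:%SZ")
    return {
        "AccessKeyId": doc["AccessKeyId"],
        "SecretAccessKey": doc["SecretAccessKey"],
        "SessionToken": doc["Token"],
        "Expiration": expiration.replace(tzinfo=timezone.utc),
    }


def needs_refresh(creds: dict, now: Optional[datetime] = None, margin_s: int = 900) -> bool:
    """True when the credentials expire within margin_s (default 15 minutes)."""
    now = now or datetime.now(timezone.utc)
    return (creds["Expiration"] - now).total_seconds() <= margin_s


def fetch_instance_role_credentials(ssm, instance_id: str, role_name: str,
                                    timeout_s: float = 30.0, poll_s: float = 1.0) -> dict:
    """Run the IMDS query on the instance via Run Command and return the parsed credentials.

    `ssm` is a boto3 SSM client, or any object with the same send_command and
    get_command_invocation methods (which is how the flow is exercised offline).
    """
    sent = ssm.send_command(
        DocumentName="AWS-RunShellScript",
        InstanceIds=[instance_id],
        Parameters={"commands": [build_imds_credentials_command(role_name)]},
    )
    command_id = sent["Command"]["CommandId"]

    deadline = time.monotonic() + timeout_s
    while True:
        try:
            inv = ssm.get_command_invocation(CommandId=command_id, InstanceId=instance_id)
        except ssm.exceptions.InvocationDoesNotExist:
            # Right after SendCommand the invocation may not be registered yet.
            inv = {"Status": "Pending"}
        if inv["Status"] in _TERMINAL_STATUSES:
            break
        if time.monotonic() > deadline:
            raise TimeoutError(f"command {command_id} still {inv['Status']} after {timeout_s}s")
        time.sleep(poll_s)

    if inv["Status"] != "Success":
        raise RuntimeError(f"command {command_id} ended {inv['Status']}: "
                           f"{inv.get('StandardErrorContent', '')}")
    return parse_instance_credentials(inv["StandardOutputContent"])


def lambda_handler(event, context):
    """Lambda entry point; assumed event shape: {"instance_id": "...", "role_name": "..."}."""
    import boto3  # imported here so the helpers above stay importable without the SDK
    creds = fetch_instance_role_credentials(boto3.client("ssm"),
                                            event["instance_id"], event["role_name"])
    # Do not log the result: it contains the instance role's live credentials.
    return {**creds, "Expiration": creds["Expiration"].isoformat()}
```

The role-name check matters because the name ends up inside a shell command executed as root on the instance; rejecting anything outside IAM's own character set is cheaper than quoting. `needs_refresh` is what the caller that pushes these credentials to ServiceNow would use to decide when to run the Lambda again, since the document's `Expiration` is typically a few hours out.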
