2 Answers
0
Lambda doesn't run on an EC2 instance, therefore you will not be able to retrieve endpoint METADATA the same way you do from EC2 instances.
Using get_caller_identity with boto3 should return the current details of what the Lambda function is running as, if using Python.
0
Hi, you can run a shell script on your EC2 instance by using SendCommand API, and retrieve its result with GetCommandInvocation API.
Here's an example execution:
$ aws ssm send-command \
    --document-name AWS-RunShellScript \
    --instance-ids i-035c05a2fdb7a42ef \
    --parameters '{"commands": ["TOKEN=`curl -s -X PUT -H \"X-aws-ec2-metadata-token-ttl-seconds: 21600\" http://169.254.169.254/latest/api/token` && curl -s -H \"X-aws-ec2-metadata-token: $TOKEN\" http://169.254.169.254/latest/meta-data/iam/security-credentials/fastapi-server-EC2InstanceRole-ap-northeast-1"]}' \
    --query Command.CommandId \
    --output text
a840ec32-4504-4960-a767-52d003fbeeb8

$ aws ssm get-command-invocation \
    --command-id a840ec32-4504-4960-a767-52d003fbeeb8 \
    --instance-id i-035c05a2fdb7a42ef \
    --query StandardOutputContent | jq -r
{
  "Code" : "Success",
  "LastUpdated" : "2023-10-04T23:16:06Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "ASIAXOXK2FXORLKOCEF4",
  "SecretAccessKey" : "yMQjNT2s0Xm/Ic48dWv1UQm5hE/UyguFOaQz0XNE",
  "Token" : "...",
  "Expiration" : "2023-10-05T05:31:10Z"
}
Here, I used AWS CLI for demonstration purposes, but you can use AWS SDK in Lambda to achieve the same goal.
answered 8 months ago
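The answer above shows the flow with the AWS CLI. As an added example (not code from the original answer or from AWS), here is the same SendCommand / GetCommandInvocation flow written with boto3 the way it would run inside a Lambda function: build the IMDSv2 query, send it through AWS-RunShellScript, poll until the invocation finishes, and parse the credential document. The instance id, role name, command id and the credential values in the FakeSSM stand-in are constructed placeholders so the module runs offline; boto3 is imported lazily and is assumed to be present only in the real Lambda runtime.

```python
"""Added example: Lambda-side SendCommand / GetCommandInvocation with boto3.

All identifiers here (instance id, role name, command id, key ids) are
made up for illustration; FakeSSM is a constructed stand-in for the client.
"""
import json
import time

IMDS = "http://169.254.169.254/latest"
CREDS_PATH = "/meta-data/iam/security-credentials/"


def build_imds_command(role_name: str) -> str:
    """Shell snippet executed on the instance by AWS-RunShellScript.

    IMDSv2: obtain a session token with PUT, then read the role credentials
    while presenting that token in the request header.
    """
    return (
        'TOKEN=$(curl -s -X PUT -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" '
        f"{IMDS}/api/token) && "
        f'curl -s -H "X-aws-ec2-metadata-token: $TOKEN" {IMDS}{CREDS_PATH}{role_name}'
    )


def parse_credentials(stdout: str) -> dict:
    """Convert the metadata-service JSON into boto3-style keyword names.

    Refuses anything other than Code == Success so an error body is never
    handed on as if it were a key.
    """
    doc = json.loads(stdout)
    if doc.get("Code") != "Success":
        raise RuntimeError(f"metadata service returned Code={doc.get('Code')!r}")
    return {
        "aws_access_key_id": doc["AccessKeyId"],
        "aws_secret_access_key": doc["SecretAccessKey"],
        "aws_session_token": doc["Token"],
        "expiration": doc["Expiration"],
    }


def fetch_instance_credentials(instance_id, role_name, ssm=None,
                               max_polls=30, sleep=time.sleep):
    """Run the IMDS query on the instance through SSM and return its output.

    `ssm` is anything exposing boto3's send_command / get_command_invocation;
    the default is a real client created lazily. Right after SendCommand,
    GetCommandInvocation can raise InvocationDoesNotExist, and it reports
    Pending / InProgress before Success, so the loop tolerates both.
    """
    if ssm is None:
        import boto3  # assumed present in the Lambda runtime
        ssm = boto3.client("ssm")

    cmd = ssm.send_command(
        InstanceIds=[instance_id],
        DocumentName="AWS-RunShellScript",
        Parameters={"commands": [build_imds_command(role_name)]},
    )
    command_id = cmd["Command"]["CommandId"]

    for _ in range(max_polls):
        try:
            inv = ssm.get_command_invocation(CommandId=command_id, InstanceId=instance_id)
        except ssm.exceptions.InvocationDoesNotExist:
            sleep(1)  # invocation record appears shortly after SendCommand
            continue
        status = inv["Status"]
        if status == "Success":
            return parse_credentials(inv["StandardOutputContent"])
        if status in ("Pending", "InProgress", "Delayed"):
            sleep(1)
            continue
        raise RuntimeError(f"command {command_id} ended with {status}: "
                           f"{inv.get('StandardErrorContent', '')}")
    raise TimeoutError(f"command {command_id} did not finish after {max_polls} polls")


class FakeSSM:
    """Constructed stand-in for the SSM client (no network): the invocation
    does not exist on the first poll, is InProgress on the second, then
    succeeds with a made-up IMDS document containing fake key material."""
    class exceptions:
        class InvocationDoesNotExist(Exception):
            pass

    SAMPLE_IMDS = json.dumps({
        "Code": "Success", "LastUpdated": "2023-10-04T23:16:06Z", "Type": "AWS-HMAC",
        "AccessKeyId": "ASIAEXAMPLEKEYID0000", "SecretAccessKey": "exampleSecretKey",
        "Token": "exampleSessionToken", "Expiration": "2023-10-05T05:31:10Z",
    })

    def __init__(self):
        self.polls = 0
        self.sent = None

    def send_command(self, **kwargs):
        self.sent = kwargs
        return {"Command": {"CommandId": "00000000-0000-4000-8000-000000000000"}}

    def get_command_invocation(self, CommandId, InstanceId):
        self.polls += 1
        if self.polls == 1:
            raise self.exceptions.InvocationDoesNotExist()
        if self.polls == 2:
            return {"Status": "InProgress", "StandardOutputContent": ""}
        return {"Status": "Success", "StandardOutputContent": self.SAMPLE_IMDS}


def lambda_handler(event, context):
    """Lambda entry point; the function's role needs ssm:SendCommand and
    ssm:GetCommandInvocation, and the target needs a working SSM agent."""
    creds = fetch_instance_credentials(event["instance_id"], event["role_name"])
    return {"expiration": creds["expiration"]}  # never log the key material


if __name__ == "__main__":
    demo = fetch_instance_credentials("i-0123456789abcdef0", "ExampleRole",
                                      ssm=FakeSSM(), sleep=lambda s: None)
    print(demo["expiration"])
```

One caveat worth keeping in mind with this approach: the credentials travel back as the command's standard output, which Systems Manager stores with the command history, so anyone with ssm:GetCommandInvocation on that instance (and any S3 bucket or CloudWatch log group configured for command output) can read them. Scope those permissions tightly and do not log the returned dict.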
Thanks, @Gary. I have updated the original post with the use case; I hope that helps.
I see what you’re trying to achieve but I don’t think it’s possible. You’d want to use something like OIDC in your account to grab credentials externally and grant access via a role. I’ve done this before with terraform cloud but not everyone supports this method of authentication.
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html