00:00:00,000
So now let's talk about EC2 instance metadata, or IMDS. It's a very powerful feature, but not many developers know about it, and this is how EC2 works as it is. So let's go over it.

00:00:12,150
So the idea is that with this instance metadata service, the IMDS, you have EC2 instances that can learn about themselves without using an IAM Role for that purpose. So they can just talk to a specific URL, this 169.254.169.254, and then they're able to learn about their own metadata. We'll see this in the hands-on in the next lecture.

00:00:34,470
So the idea is that from the metadata you can know the instance name, you can know the public IP, the private IP, you can know a lot of things. And also you can retrieve the IAM Role name from the EC2 instance metadata. You can even get some credentials out of it, but you cannot know what IAM policy is attached to the role.

00:00:51,720
So metadata means information about the instance, and user data that we've seen before is the launch script of the EC2 instance. So this URL allows us to access both the metadata and the user data, but in this lecture we're looking at the metadata service. So we can practice in the next lecture and see what we can do with it.

00:01:10,725
But first, I want to tell you about the two versions of the IMDS service. So IMDSv1, which is the instance metadata service v1, is accessing the URL directly and everything works out of the box. But with the rollout of Amazon Linux 2023, there is IMDSv2, that's enabled by default and it's a more secure version. And to access the metadata service, you actually need to do two steps. The first one is to get the session token by using a PUT command, and we'll see this in the hands-on, and then from this token, we can call the IMDS URL by passing in the token as a header; so it's a bit more overhead. AWS did it for security reasons to go from IMDSv1 to IMDSv2, and I will be demoing to you how to use a more complicated version because it's important for you to know how it works.

00:02:02,520
Okay, so that's it. I will see you in the next lecture.
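As an added illustration (not part of the lecture or of AWS's own code), here is a small Python mock of an IMDSv2-only metadata endpoint together with the two-step client call described above: a PUT to obtain a session token, then a GET that sends the token back in a header. The local server, the sample instance ID and the role name are constructed stand-ins for 169.254.169.254; only the URL paths and header names are the real ones.

```python
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed sample values; a real instance serves its own.
FAKE_METADATA = {"instance-id": "i-0123456789abcdef0",
                 "iam/security-credentials": "example-role"}
TOKENS = set()  # session tokens the mock has issued
TOKEN_HDR, TTL_HDR = "X-aws-ec2-metadata-token", "X-aws-ec2-metadata-token-ttl-seconds"
META_PREFIX = "/latest/meta-data/"

class MockIMDS(BaseHTTPRequestHandler):
    """Local stand-in for 169.254.169.254 configured as IMDSv2-only (token required)."""
    def log_message(self, *args): pass  # keep the demo quiet
    def _send(self, code, body):
        self.send_response(code)
        self.end_headers()
        self.wfile.write(body.encode())
    def do_PUT(self):
        # Step 1: a PUT to /latest/api/token carrying a TTL header yields a session token.
        if self.path == "/latest/api/token" and TTL_HDR in self.headers:
            token = secrets.token_urlsafe(16)
            TOKENS.add(token)
            self._send(200, token)
        else:
            self._send(400, "missing TTL header")
    def do_GET(self):
        # Step 2: the token must come back as a header; a v1-style bare GET is refused with 401.
        if self.headers.get(TOKEN_HDR) not in TOKENS:
            self._send(401, "Unauthorized")
            return
        self._send(200, FAKE_METADATA.get(self.path[len(META_PREFIX):], ""))

def start_mock_imds():
    srv = HTTPServer(("127.0.0.1", 0), MockIMDS)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % srv.server_port

def fetch(base, path, method="GET", headers=None):
    # Returns (status, body) so a refusal is visible instead of raising.
    try:
        with urlopen(Request(base + path, method=method, headers=headers or {})) as r:
            return r.status, r.read().decode()
    except HTTPError as e:
        return e.code, e.reason

def imdsv1_get(base, key):  # the direct URL access the lecture calls IMDSv1
    return fetch(base, META_PREFIX + key)

def imdsv2_get(base, key, ttl=21600):  # the two-step IMDSv2 call
    _, token = fetch(base, "/latest/api/token", "PUT", {TTL_HDR: str(ttl)})
    return fetch(base, META_PREFIX + key, headers={TOKEN_HDR: token})
```

Against the mock, `imdsv1_get` returns status 401 while `imdsv2_get` returns 200 with the value, which is exactly the extra step an instance enforcing IMDSv2 imposes on every metadata reader.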