1
00:00:00,478 --> 00:00:02,375
So one more concept is called the

2
00:00:02,375 --> 00:00:05,666
EC2 Instance Metadata, it's a very powerful one

3
00:00:05,666 --> 00:00:07,536
and I think it's one of the least known features

4
00:00:07,536 --> 00:00:09,615
to developers, so it's really good.

5
00:00:09,615 --> 00:00:10,986
And when you discover it, you're like wow,

6
00:00:10,986 --> 00:00:13,520
this is kind of awesome, so let's go through this.

7
00:00:13,520 --> 00:00:15,610
It basically allows your EC2 instances to learn

8
00:00:15,610 --> 00:00:17,226
about themselves, so they don't have

9
00:00:17,226 --> 00:00:19,529
to use an IAM role for that purpose.

10
00:00:19,529 --> 00:00:20,598
And that kind of makes sense, right?

11
00:00:20,598 --> 00:00:22,716
Your EC2 instances should be able to know

12
00:00:22,716 --> 00:00:25,216
who they are, and the URL for it,

13
00:00:25,216 --> 00:00:27,263
and this is something you should remember, is

14
00:00:27,263 --> 00:00:31,763
169.254.169.254/latest/meta-data

15
00:00:35,491 --> 00:00:38,109
and this is very, very important.

16
00:00:38,109 --> 00:00:41,892
This IP 169.254.169.254 is basically

17
00:00:41,892 --> 00:00:44,392
an internal IP to AWS, it will not work

18
00:00:44,392 --> 00:00:46,466
from your computer, it will only work

19
00:00:46,466 --> 00:00:49,497
from your EC2 instances, and using this,

20
00:00:49,497 --> 00:00:51,192
you can retrieve the IAM role name

21
00:00:51,192 --> 00:00:52,441
from the Metadata, but you cannot

22
00:00:52,441 --> 00:00:54,234
retrieve the IAM policy, right?

23
00:00:54,234 --> 00:00:56,977
The only way to test the IAM policy is

24
00:00:56,977 --> 00:00:59,708
to use the policy simulator or the dry run options.

25
00:00:59,708 --> 00:01:01,296
But we cannot retrieve the content

26
00:01:01,296 --> 00:01:04,322
of the IAM policy using this URL.

27
00:01:04,322 --> 00:01:07,324
Just to remember, the Metadata is the info

28
00:01:07,324 --> 00:01:09,790
about the EC2 instance that we'll see in a second,

29
00:01:09,790 --> 00:01:13,197
whereas the user data was to launch a script

30
00:01:13,197 --> 00:01:15,858
of the EC2 instance, okay?

31
00:01:15,858 --> 00:01:17,616
They are very, very different concepts

32
00:01:17,616 --> 00:01:19,675
and we'll be able to access both.

33
00:01:19,675 --> 00:01:21,706
So let's practice and see what we can do

34
00:01:21,706 --> 00:01:24,834
with this EC2 Instance Metadata.

35
00:01:24,834 --> 00:01:27,529
So here I am in my EC2 instance

36
00:01:27,529 --> 00:01:29,374
and the first thing I want to do is curl,

37
00:01:29,374 --> 00:01:32,502
so curl is to query a URL, and I will do a curl

38
00:01:32,502 --> 00:01:35,669
on 169.254.169.254 and what we get out

39
00:01:40,089 --> 00:01:43,033
of it is a bunch of numbers and dates.

40
00:01:43,033 --> 00:01:45,778
This is basically the version of the API curl that

41
00:01:45,778 --> 00:01:48,609
you're using, and what I said is that,

42
00:01:48,609 --> 00:01:50,255
for now we really don't care about the

43
00:01:50,255 --> 00:01:53,997
API curl version and we'll just use slash latest.

44
00:01:53,997 --> 00:01:57,982
Now, when I run slash latest, let's just go right here,

45
00:01:57,982 --> 00:01:59,403
slash latest, and you make sure

46
00:01:59,403 --> 00:02:03,551
to always add the last slash, we get two

47
00:02:03,551 --> 00:02:07,284
different fields, dynamic and meta-data,

48
00:02:07,284 --> 00:02:09,018
and actually right here as well, you probably

49
00:02:09,018 --> 00:02:11,049
don't see it, that's the third one, I'm sorry.

50
00:02:11,049 --> 00:02:14,091
It is user-data, so as you can see from this,

51
00:02:14,091 --> 00:02:18,359
you're able to retrieve the metadata and the user data.

52
00:02:18,359 --> 00:02:20,040
We're not interested in the user data right now,

53
00:02:20,040 --> 00:02:21,870
we're interested in the metadata.

54
00:02:21,870 --> 00:02:24,658
So let's go ahead and add meta-data.

55
00:02:24,658 --> 00:02:28,335
Always, never forget to add the slash at the very end.

56
00:02:28,335 --> 00:02:30,744
From this, we get a bunch of different options.

57
00:02:30,744 --> 00:02:33,616
We get AMI ID, launch index, host

58
00:02:33,616 --> 00:02:35,826
name, IAM, et cetera, et cetera.

59
00:02:35,826 --> 00:02:38,537
Anytime it ends with a slash, that means that there is

60
00:02:38,537 --> 00:02:40,697
more to it, for example, IAM, there's a slash,

61
00:02:40,697 --> 00:02:43,018
there's more to it, when it doesn't end

62
00:02:43,018 --> 00:02:45,448
with a slash, that means it's a value.

63
00:02:45,448 --> 00:02:48,177
So if we look, for example, at the instance ID,

64
00:02:48,177 --> 00:02:51,389
we'll do curl instance-id, and what we get out

65
00:02:51,389 --> 00:02:54,823
of it is my instance ID, pretty awesome, right?

66
00:02:54,823 --> 00:02:57,858
We could do the same with the local IPv4.

67
00:02:57,858 --> 00:03:02,031
So local-ipv4, and we get the local IPv4

68
00:03:02,031 --> 00:03:05,866
of our EC2 instance, so what you noticed here is that

69
00:03:05,866 --> 00:03:09,266
we haven't been authorized through an IAM role

70
00:03:09,266 --> 00:03:11,875
to get this information, this comes for free.

71
00:03:11,875 --> 00:03:15,051
Any EC2 instance without an IAM role can request all

72
00:03:15,051 --> 00:03:17,238
this information, and it is very important

73
00:03:17,238 --> 00:03:19,194
for you to learn to navigate through it,

74
00:03:19,194 --> 00:03:21,171
it's quite helpful when you do automation.

75
00:03:21,171 --> 00:03:22,696
So for example, if I do hostname,

76
00:03:22,696 --> 00:03:26,044
I get the host name, and if I do IAM, as we'll see

77
00:03:26,044 --> 00:03:28,651
in a second, we'll have more values to look at.

78
00:03:28,651 --> 00:03:31,459
For example, info, and there is this very one called

79
00:03:31,459 --> 00:03:33,737
security-credentials, so I'll just give

80
00:03:33,737 --> 00:03:35,860
you a little insider about how things work.

81
00:03:35,860 --> 00:03:38,817
Basically, when you attach an EC2 instance role,

82
00:03:38,817 --> 00:03:41,197
and you type security-credentials,

83
00:03:41,197 --> 00:03:44,019
you're going to get the role name,

84
00:03:44,019 --> 00:03:46,775
which is right here, my first EC2 role.

85
00:03:46,775 --> 00:03:50,712
So my first EC2 role, and what we get out

86
00:03:50,712 --> 00:03:52,690
of this is an access key,

87
00:03:52,690 --> 00:03:55,148
a secret access key and a token,

88
00:03:55,148 --> 00:03:58,752
and so behind the scenes, when you attach an IAM role

89
00:03:58,752 --> 00:04:01,497
to an EC2 instance, the way for it

90
00:04:01,497 --> 00:04:04,158
to perform API calls is that it queries

91
00:04:04,158 --> 00:04:07,363
this whole URL right here, from which it gets an

92
00:04:07,363 --> 00:04:10,369
access key ID, a secret access key and a token.

93
00:04:10,369 --> 00:04:13,803
And it turns out that these are short-lived credentials.

94
00:04:13,803 --> 00:04:15,607
So as you can see, there is an expiration date

95
00:04:15,607 --> 00:04:18,869
in here, and that's usually something like one hour.

96
00:04:18,869 --> 00:04:21,658
And so the idea is that your EC2 instance

97
00:04:21,658 --> 00:04:25,018
gets temporary credentials through the IAM role that

98
00:04:25,018 --> 00:04:26,598
it got attached to it.

99
00:04:26,598 --> 00:04:28,962
So this is basically how the IAM roles work

100
00:04:28,962 --> 00:04:31,639
on EC2 instances, I know that not many people tell

101
00:04:31,639 --> 00:04:33,967
you about this, but I just wanted to pique

102
00:04:33,967 --> 00:04:36,789
your curiosity, and show you the full URL.

103
00:04:36,789 --> 00:04:39,713
But again, what you should remember is that using

104
00:04:39,713 --> 00:04:42,324
this metadata, not user data, metadata,

105
00:04:42,324 --> 00:04:45,731
and this URL right here, 169.254., et cetera,

106
00:04:45,731 --> 00:04:48,553
you can get information about a lot of stuff

107
00:04:48,553 --> 00:04:51,282
from your EC2 instance, so I hope that was helpful

108
00:04:51,282 --> 00:04:53,508
and I will see you in the next lecture.
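The credential lookup the lecture walks through with curl, as an added example written for this page in Python (it is not the course's own code): it reads the role name and its temporary credentials from the 169.254.169.254 URL shown above and computes how many seconds they remain valid. It goes one step beyond the lecture by using the IMDSv2 session-token exchange (a PUT to /latest/api/token, then the X-aws-ec2-metadata-token header on every GET), which is the setting a defender should require on the instance so that a plain unauthenticated GET cannot read the credentials; the credentials JSON in the block is a constructed sample with placeholder values, and off-instance only the parsing step runs.

```python
import json
import urllib.request
from datetime import datetime, timezone

IMDS = "http://169.254.169.254"  # link-local address; reachable only from inside the instance

# Constructed sample of the security-credentials document; placeholder values, not real keys.
SAMPLE_CREDENTIALS = json.dumps({
    "Code": "Success",
    "LastUpdated": "2024-01-01T12:00:00Z",
    "Type": "AWS-HMAC",
    "AccessKeyId": "ASIAEXAMPLEPLACEHOLDER",
    "SecretAccessKey": "EXAMPLESECRETPLACEHOLDER",
    "Token": "EXAMPLESESSIONTOKENPLACEHOLDER",
    "Expiration": "2024-01-01T13:00:00Z",
})

def _utc(stamp):
    # IMDS timestamps are ISO-8601 with a literal 'Z' suffix
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_credentials(body, now_utc=None):
    """Return the temporary credentials plus the seconds left before they expire."""
    doc = json.loads(body)
    if doc.get("Code") != "Success":
        raise ValueError("IMDS returned no usable credentials: %s" % doc.get("Code"))
    now = _utc(now_utc) if now_utc else datetime.now(timezone.utc)
    return {
        "access_key_id": doc["AccessKeyId"],
        "secret_access_key": doc["SecretAccessKey"],
        "session_token": doc["Token"],
        "seconds_left": int((_utc(doc["Expiration"]) - now).total_seconds()),
    }

def imds_get(path, token=None, method="GET", headers=None):
    """One IMDS request; with IMDSv2 every GET must carry the session token."""
    hdrs = dict(headers or {})
    if token:
        hdrs["X-aws-ec2-metadata-token"] = token
    req = urllib.request.Request(IMDS + path, method=method, headers=hdrs)
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()

def fetch_role_credentials(token_ttl_seconds=300):
    """What the SDK does on the instance: session token, then role name, then its credentials."""
    token = imds_get("/latest/api/token", method="PUT",
                     headers={"X-aws-ec2-metadata-token-ttl-seconds": str(token_ttl_seconds)})
    role = imds_get("/latest/meta-data/iam/security-credentials/", token).strip().splitlines()[0]
    return parse_credentials(imds_get("/latest/meta-data/iam/security-credentials/" + role, token))
```

On an instance with a role attached, fetch_role_credentials() returns the same three fields the lecture reads with curl, plus the remaining lifetime; anywhere else, parse_credentials(SAMPLE_CREDENTIALS, now_utc="2024-01-01T12:15:00Z") exercises the parsing and expiry arithmetic on the constructed sample.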