Today I learned about the userData instance attribute for AWS EC2.
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html
In general I thought metadata was only things you can hit from WITHIN the instance via the metadata URL: http://169.254.169.254/latest/meta-data/
However, if you read the link above, there is an option to attach data to the instance at launch time (user data), and that data is stored as an instance attribute you can read through the API as well:
You can also use instance metadata to access user data that you specified when launching your instance. For example, you can specify parameters for configuring your instance, or attach a simple script.
That's interesting, right?! So if you have some AWS creds, the easiest way to check for this (after you enumerate instance IDs) is with the aws cli.
$ aws ec2 describe-instance-attribute --attribute userData --instance-id i-0XXXXXXXX
An error occurred (InvalidInstanceID.NotFound) when calling the DescribeInstanceAttribute operation: The instance ID 'i-0XXXXXXXX' does not exist
ah crap, you need the region...
$ aws ec2 describe-instance-attribute --attribute userData --instance-id i-0XXXXXXXX --region us-west-1
{
    "InstanceId": "i-0XXXXXXXX",
    "UserData": {
        "Value": "bm90IHRvZGF5IElTSVMgOi0p"
    }
}
Anyway, that can get tedious, especially if the org has a ton of things running. This is precisely the reason @cktricky and I built weirdAAL. Surely no one would be sticking creds into things at boot time via shell scripts :-)
The module loops through all the regions and every instance it finds and queries for the userData attribute. Hurray for automation.
That module is in the current version of weirdAAL. Enjoy.
-CG