The 169.254.169.254 endpoint (the instance metadata service) can be accessed from within an EC2 instance at runtime. This link-local address provides various types of metadata that assist in operating, auditing, and maintaining an instance throughout its lifetime.
The pseudo address can be reached locally on the instance via:
http://169.254.169.254/latest/meta-data/
Besides metadata such as the AMI ID, hostname, instance ID, and placement (the availability zone), it also provides security-related information.
Example:
curl http://169.254.169.254/latest/meta-data/instance-type
If used correctly, the information provided through the 169.254.169.254 endpoint can simplify code maintenance and remove the risk of access keys leaking through code repositories or documentation. Depending on the policies attached to such keys, a leak can be a high-severity security issue.
Increased security and simplified code
By assigning an IAM role to an EC2 instance (an instance can have only one role attached at a time), security improves significantly and key management becomes much easier. There is no longer any need to share keys, embed them in code, or track their rotation: the role's temporary credentials are issued and rotated automatically.
Example:
#curl http://169.254.169.254/latest/meta-data/iam/security-credentials/<role name>
{
"Code" : "Success",
"LastUpdated" : "2020-11-19T16:47:54Z",
"Type" : "AWS-HMAC",
"AccessKeyId" : "ABCDEFGHIJKLMNOPQRST",
"SecretAccessKey" : "1234567890ABCDEFGHIJKLMNOPQRST",
"Token" : "...",
"Expiration" : "2020-11-19T23:14:05Z"
}
The official AWS documentation is available here.
Code samples
PHP
GetRegion reads the placement information from the pseudo address at http://169.254.169.254/latest/meta-data/placement. Using CredentialProvider::instanceProfile() avoids manual credential configuration handling.
use Aws\Credentials\CredentialProvider;
// Client stands for the SDK service client in use, e.g. Aws\S3\S3Client

public function __construct()
{
    // Temporary credentials come from the instance profile; memoize() caches them
    // and refreshes them on expiry instead of querying IMDS for every request.
    $provider = CredentialProvider::instanceProfile();
    $memoizedProvider = CredentialProvider::memoize($provider);
    $this->awsclient = new Client(
        array(
            'credentials' => $memoizedProvider,
            'region' => $this->GetRegion(),
            'version' => 'latest'
        )
    );
}

private function GetRegion()
{
    // placement/availability-zone returns e.g. "eu-west-1a"; the region is the AZ without its trailing letter
    $az = trim(file_get_contents('http://169.254.169.254/latest/meta-data/placement/availability-zone'));
    return substr($az, 0, -1);
}
Python
import boto3

Region = 'us-east-1'  # assumed for this sample; on the instance, derive it from the placement metadata
# With an IAM role attached, the session locates the instance-profile credentials by itself
session = boto3.Session(region_name=Region)
credentials = session.get_credentials()
# A frozen snapshot does not refresh itself; rebuild the client before Expiration passes,
# or simply call session.client(...) and let the session refresh the credentials for you
credentials = credentials.get_frozen_credentials()
Key = credentials.access_key
Secret = credentials.secret_key
Token = credentials.token
client = boto3.client('',  # service name goes here, e.g. 's3'
                      aws_access_key_id=Key,
                      aws_secret_access_key=Secret,
                      aws_session_token=Token,
                      region_name=Region
                      )
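As an added example (not code from the original post), the following Python parses the security-credentials document shown above and memoizes it the way CredentialProvider::memoize() does, re-fetching shortly before Expiration. It also adds the IMDSv2 session-token step, which the post does not cover, and swaps the real endpoint for a constructed stand-in (fake_imds, SAMPLE_DOC) so it runs off-instance.

```python
import json
from datetime import datetime, timedelta, timezone

REFRESH_MARGIN = timedelta(minutes=5)  # re-fetch shortly before Expiration, as the SDKs do
# Constructed sample with the shape of the document shown above; not real keys.
SAMPLE_DOC = """{ "Code" : "Success", "LastUpdated" : "2020-11-19T16:47:54Z", "Type" : "AWS-HMAC",
  "AccessKeyId" : "ABCDEFGHIJKLMNOPQRST", "SecretAccessKey" : "1234567890ABCDEFGHIJKLMNOPQRST",
  "Token" : "EXAMPLE-SESSION-TOKEN", "Expiration" : "2020-11-19T23:14:05Z" }"""

def utc(stamp):
    """Parse an IMDS timestamp such as 2020-11-19T23:14:05Z into an aware datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_credentials(doc):
    """Validate the security-credentials JSON and keep only what a client needs."""
    data = json.loads(doc)
    if data.get("Code") != "Success":
        raise RuntimeError("IMDS returned Code=%r" % data.get("Code"))
    return {"access_key": data["AccessKeyId"], "secret_key": data["SecretAccessKey"],
            "token": data["Token"], "expiration": utc(data["Expiration"])}

def needs_refresh(creds, now):
    """True once the temporary credentials are expired or within REFRESH_MARGIN of it."""
    return now + REFRESH_MARGIN >= creds["expiration"]

class InstanceCredentials:
    """Memoizing provider: fetch from IMDS, cache until near expiry, then re-fetch.
    http(method, path, headers) -> body is injected so the logic is testable off-instance."""
    def __init__(self, role, http):
        self.role, self.http, self.cached, self.fetches = role, http, None, 0

    def get(self, now):
        if self.cached is None or needs_refresh(self.cached, now):
            # IMDSv2 (assumption: enforced on the instance): obtain a session token with
            # a PUT first; metadata reads without that header are rejected.
            token = self.http("PUT", "/latest/api/token",
                              {"X-aws-ec2-metadata-token-ttl-seconds": "21600"})
            doc = self.http("GET", "/latest/meta-data/iam/security-credentials/" + self.role,
                            {"X-aws-ec2-metadata-token": token})
            self.cached = parse_credentials(doc)
            self.fetches += 1
        return self.cached

def fake_imds(method, path, headers):
    """Constructed stand-in for http://169.254.169.254 so the example runs anywhere."""
    if method == "PUT" and path == "/latest/api/token":
        return "constructed-imds-token"
    if headers.get("X-aws-ec2-metadata-token") != "constructed-imds-token":
        raise RuntimeError("401 Unauthorized: IMDSv2 token required")
    return SAMPLE_DOC
```

On a real instance, replace fake_imds with a function that issues the HTTP requests against 169.254.169.254 with the same method, path and headers.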