AWS Retrieving Security Credentials from Instance Metadata

7
votes

This is not a duplicate of the question "Getting my AWS credentials using an API call" because I am asking specifically about what Amazon means in the example that they give.

I am looking here: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html

I see this bit:

Warning

If you use services that use instance metadata with IAM roles, ensure that you don't expose your credentials when the services make HTTP calls on your behalf. The types of services that could expose your credentials include HTTP proxies, HTML/CSS validator services, and XML processors that support XML inclusion.

The following command retrieves the security credentials for an IAM role named s3access.

$ curl http://169.254.169.254/latest/meta-data/iam/security-credentials/s3access

Where does this IP address come from? What is 169.254.169.254? It can't be my server, since I don't have software running on port 80, nor would I grant Amazon an alias on my server.

But I did actually run the above, and it simply timed out. So the IP address 169.254.169.254 is not a service that Amazon is actively running. So what is it?

Does anyone understand this example that Amazon offers?

2
amazon-web-services
You did query this address from inside AWS, on an an EC2 instance, yes? This only works from inside EC2. - Michael - sqlbot
I've been running a similar call (curl 169.254.169.254/latest/meta-data/iam/security-credentials) from within an EC2 instance but it is actually timing out. Somewhere around 30 seconds. Does this just take a long time to respond or is there some way to work through that timing? - DNestoff
yeah ... this IP out of the box is something we were really NOT expecting mafrend... it is a hardcoded metadata server IP as folks explained below ... but for heavens sake ! AWS should at least document it clearly as I gues the goal was to avoid non configured DNS boxes kind of thing but even then make it CLEAR at the docs please. - Mário de Sá Vera

2 Answers

18
votes

169.254 is within the link-local address space: https://en.wikipedia.org/wiki/Link-local_address

It's usually used for a lot of localhost/local-subnet use cases. Amazon happens to put their metadata service at 169.254.169.254 so that it can be queried from EC2 Instances.

curl http://169.254.169.254/latest/meta-data

Should always return something, the full http://169.254.169.254/latest/meta-data/iam/security-credentials/s3access will only return something if you had an IAM role attached to your instance named s3access.

9
votes

169.254.169.254 is the address of the AWS metadata service. You can query this address from an EC2 server to obtain information about the server. The metadata that can be obtained in this manner is documented here.

Are you saying that when you run that curl command from an EC2 server it is timing out?