EC2 Instance IAM Role Credentials in Lambda Function


I am trying to pull the EC2 instance IAM role credentials from a Lambda function. It does work when I simply run the REST API or a script locally on an EC2 instance, but I am not sure how to retrieve EC2 metadata using boto3.

Running the REST endpoint below locally works fine, but this does not work via Lambda, where the local environment is different.

http://169.254.169.254/latest/meta-data/iam/security-credentials/{iam_role}

Use case: I have an IAM role associated with the EC2 instance. The same IAM role is used by many other external applications, like ServiceNow and Salesforce, to invoke other AWS services, especially API Gateway. To invoke the API Gateway from ServiceNow, we need the access key and secret key of the IAM role. Since EC2 metadata automatically refreshes the access key and secret key, I want to use that instead of manually rotating the secret keys in the IAM role and updating them in ServiceNow manually.

BTW: Lambda and EC2 are in the same region, same account, and deployed within the same VPC.

2 Answers

Lambda doesn't run on an EC2 instance, therefore you will not be able to retrieve the metadata endpoint the same way you do from EC2 instances.

Using get_caller_identity with boto3 should return the current details of what the Lambda function is running as, if using Python.

https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/sts/client/get_caller_identity.html

EXPERT
answered 9 months ago

Hi, you can run a shell script on your EC2 instance by using the SendCommand API, and retrieve its result with the GetCommandInvocation API.

Here's an example execution:

$ aws ssm send-command \
> --document-name AWS-RunShellScript \
> --instance-ids i-035c05a2fdb7a42ef \
> --parameters '{"commands": ["TOKEN=`curl -s -X PUT -H \"X-aws-ec2-metadata-token-ttl-seconds: 21600\" http://169.254.169.254/latest/api/token` && curl -s -H \"X-aws-ec2-metadata-token: $TOKEN\" http://169.254.169.254/latest/meta-data/iam/security-credentials/fastapi-server-EC2InstanceRole-ap-northeast-1"]}' \
> --query Command.CommandId \
> --output text
a840ec32-4504-4960-a767-52d003fbeeb8

$ aws ssm get-command-invocation \
> --command-id a840ec32-4504-4960-a767-52d003fbeeb8 \
> --instance-id i-035c05a2fdb7a42ef \
> --query StandardOutputContent | jq -r
{
  "Code" : "Success",
  "LastUpdated" : "2023-10-04T23:16:06Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "ASIAXOXK2FXORLKOCEF4",
  "SecretAccessKey" : "yMQjNT2s0Xm/Ic48dWv1UQm5hE/UyguFOaQz0XNE",
  "Token" : "...",
  "Expiration" : "2023-10-05T05:31:10Z"
}

Here, I used AWS CLI for demonstration purposes, but you can use AWS SDK in Lambda to achieve the same goal.

HS
answered 9 months ago
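The same SendCommand / GetCommandInvocation flow as the answer above, done from Python with boto3 the way a Lambda function would call it. This is an added example, not code from the original answer. It assumes the Lambda execution role is allowed ssm:SendCommand on the target instance and the AWS-RunShellScript document plus ssm:GetCommandInvocation, that the instance runs the SSM agent, and that the instance id and role name are supplied in the event (both placeholders here). The boto3 client is passed in, so the polling and parsing logic can be exercised offline with the small FakeSSM stand-in at the bottom. Two things to keep in mind when using this: the credentials carry an Expiration (about six hours in the answer's output), so whatever consumes them must refresh before that; and this hands the instance role's full credentials to the Lambda and to whoever can invoke it, so scope the SSM permissions to exactly this instance and document.

```python
"""Fetch an EC2 instance role's temporary credentials from Lambda via SSM Run Command.

Added example (not from the original post). Assumed: ssm:SendCommand and
ssm:GetCommandInvocation on the Lambda role; instance id / role name are placeholders.
"""
import json
import shlex
import time
from datetime import datetime, timedelta, timezone

IMDS = "http://169.254.169.254"
TOKEN_TTL = 21600  # IMDSv2 token lifetime requested, in seconds


def build_imdsv2_commands(role_name: str) -> list[str]:
    """Shell lines run on the instance: obtain an IMDSv2 token, then the role credentials."""
    role = shlex.quote(role_name)  # quote so an odd role name cannot break the shell line
    return [
        f'TOKEN=$(curl -s -X PUT -H "X-aws-ec2-metadata-token-ttl-seconds: {TOKEN_TTL}" {IMDS}/latest/api/token)',
        f'curl -s -H "X-aws-ec2-metadata-token: $TOKEN" {IMDS}/latest/meta-data/iam/security-credentials/{role}',
    ]


def parse_credentials(stdout: str) -> dict:
    """Parse the IMDS credential document and reject anything that is not a usable credential."""
    doc = json.loads(stdout)
    if doc.get("Code") != "Success":
        raise RuntimeError(f"IMDS returned Code={doc.get('Code')!r}")
    expiration = datetime.strptime(doc["Expiration"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {
        "AccessKeyId": doc["AccessKeyId"],
        "SecretAccessKey": doc["SecretAccessKey"],
        "SessionToken": doc["Token"],  # IMDS calls it Token; SigV4 clients call it SessionToken
        "Expiration": expiration,
    }


def needs_refresh(creds: dict, now: datetime, margin_minutes: int = 15) -> bool:
    """True when the credentials expire within the margin; consumers must refresh before then."""
    return creds["Expiration"] - now <= timedelta(minutes=margin_minutes)


def fetch_instance_role_credentials(ssm, instance_id: str, role_name: str,
                                    timeout_s: float = 60.0, poll_s: float = 1.0) -> dict:
    """Run the IMDSv2 fetch on the instance through SSM and return the parsed credentials.

    `ssm` is a boto3 SSM client, or any object exposing the same two methods.
    """
    resp = ssm.send_command(
        InstanceIds=[instance_id],
        DocumentName="AWS-RunShellScript",
        Parameters={"commands": build_imdsv2_commands(role_name)},
    )
    command_id = resp["Command"]["CommandId"]
    deadline = time.monotonic() + timeout_s
    while True:
        try:
            inv = ssm.get_command_invocation(CommandId=command_id, InstanceId=instance_id)
        except Exception as exc:
            # boto3 raises InvocationDoesNotExist briefly right after send_command; keep polling
            if type(exc).__name__ != "InvocationDoesNotExist":
                raise
            inv = {"Status": "Pending"}
        status = inv["Status"]
        if status == "Success":
            return parse_credentials(inv["StandardOutputContent"])
        if status in ("Cancelled", "Cancelling", "TimedOut", "Failed"):
            raise RuntimeError(f"SSM command {command_id} {status}: {inv.get('StandardErrorContent', '')}")
        if time.monotonic() > deadline:
            raise TimeoutError(f"SSM command {command_id} still {status} after {timeout_s}s")
        time.sleep(poll_s)


def lambda_handler(event, context):
    """Lambda entry point; event keys instance_id and role_name are assumed names."""
    import boto3  # imported here so the module loads without boto3 for offline tests
    creds = fetch_instance_role_credentials(boto3.client("ssm"), event["instance_id"], event["role_name"])
    # Never log SecretAccessKey / SessionToken; Expiration is converted for JSON serialisation.
    return {**creds, "Expiration": creds["Expiration"].isoformat()}


class FakeSSM:
    """Offline stand-in for the two SSM calls, used for local testing only (constructed)."""

    def __init__(self, stdout: str, pending_polls: int = 1, final_status: str = "Success"):
        self.stdout, self.pending_polls, self.final_status, self.calls = stdout, pending_polls, final_status, 0

    def send_command(self, **kwargs):
        assert kwargs["DocumentName"] == "AWS-RunShellScript"
        return {"Command": {"CommandId": "cmd-0001"}}

    def get_command_invocation(self, **kwargs):
        self.calls += 1
        if self.calls <= self.pending_polls:
            return {"Status": "InProgress"}
        return {"Status": self.final_status, "StandardOutputContent": self.stdout, "StandardErrorContent": ""}


# Constructed IMDS response in the same shape as the answer's output, with placeholder values.
SAMPLE_DOC = json.dumps({
    "Code": "Success", "LastUpdated": "2023-10-04T23:16:06Z", "Type": "AWS-HMAC",
    "AccessKeyId": "ASIAEXAMPLEKEYID", "SecretAccessKey": "example-secret",
    "Token": "example-session-token", "Expiration": "2023-10-05T05:31:10Z",
})
```

In the real Lambda only `lambda_handler` is called; `FakeSSM` and `SAMPLE_DOC` exist so the polling, failure-status and expiration handling can be run without AWS access, for example `fetch_instance_role_credentials(FakeSSM(SAMPLE_DOC), "i-0123456789abcdef0", "my-role", poll_s=0)`.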
