Use Awscli and Boto3 From Inside Ec2 Instance the Easy Way
Today I was looking into adding a feature that accesses an AWS service from an EC2 instance. The first thing that came to mind was to use the awscli and boto3 libraries. I noticed that passing the secret manually is a pain and thought to myself that there must be a better way to do it. It turns out there is, and it is called the AWS Instance Metadata Service v2 (IMDSv2).
IMDSv2
The Instance Metadata Service (IMDS) lets code running on an EC2 instance access instance metadata. IMDS exposes a great deal of information about the instance, including its hostname, security groups, MAC address and much more. It also backs another nifty feature: the EC2 Instance Profile.
EC2 Instance Profile
An Instance Profile is a container that allows an EC2 instance to carry an IAM Role. With it, code inside the instance can access AWS services without passing AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY manually. The profile can be attached and detached easily, even while the instance is running.
Putting this all together, here is how to set it up:
- Create a new IAM Role: S3ReaderRole
- Create a new IAM Policy: S3ReaderPolicy
- Attach the policy to the role
- Apply the IAM Role to the EC2 instance using an AWS Instance Profile
- In the EC2 console, select the instance, then: Actions > Security > Modify IAM Role > select the IAM Role
After this you can access AWS services from inside the EC2 instance without passing the secret manually. The following works out of the box, with no further setup:
```shell
$ aws secretsmanager get-secret-value \
    --secret-id my-test-secret \
    --query SecretString \
    --output text
this-is-my-secret
```
The same holds for boto3, which picks up the instance profile credentials on its own:
```python
import boto3

# No access key or secret needed: boto3 fetches the role credentials from IMDS
s3_client = boto3.client("s3")
```
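Because the instance profile credentials are handed out by IMDS, the setting a defender wants on every instance that carries a role is HttpTokens=required (IMDSv2 only). As an added example, not code from the post, the following audits a describe_instances response for instances that still answer tokenless IMDSv1 requests and shows the boto3 call that enforces IMDSv2; the sample response, instance IDs and account number are constructed, and the helper names are hypothetical.

```python
from typing import Dict, List

# Hypothetical audit helper, not code from the post. Instance-profile credentials
# are served by IMDS, so every instance with an IAM role should require IMDSv2
# session tokens (MetadataOptions.HttpTokens == "required").


def find_imdsv1_instances(describe_response: Dict) -> List[Dict]:
    """Return instances that still answer IMDSv1 requests (no token required).
    `describe_response` has the shape of ec2.describe_instances(). Instances whose
    metadata endpoint is disabled are skipped: nothing can be read from them.
    """
    findings = []
    for reservation in describe_response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint", "enabled") == "disabled":
                continue
            if opts.get("HttpTokens", "optional") != "required":
                findings.append({
                    "InstanceId": inst["InstanceId"],
                    "HttpTokens": opts.get("HttpTokens", "optional"),
                    "HasInstanceProfile": "IamInstanceProfile" in inst,
                })
    return findings


def enforce_imdsv2(instance_ids: List[str], region: str = "us-east-1") -> None:
    """Switch the given instances to IMDSv2-only (needs ec2:ModifyInstanceMetadataOptions)."""
    import boto3  # imported here so the pure audit helper runs without boto3 installed
    ec2 = boto3.client("ec2", region_name=region)
    for iid in instance_ids:
        ec2.modify_instance_metadata_options(
            InstanceId=iid, HttpTokens="required", HttpEndpoint="enabled"
        )


# Constructed sample in the shape of ec2.describe_instances() output
# (instance IDs and the account number are placeholders).
SAMPLE_RESPONSE = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa", "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "enabled"},
     "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/S3ReaderRole"}},
    {"InstanceId": "i-0bbb", "MetadataOptions": {"HttpTokens": "required", "HttpEndpoint": "enabled"},
     "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/S3ReaderRole"}},
    {"InstanceId": "i-0ccc", "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "disabled"}},
]}]}

if __name__ == "__main__":
    for finding in find_imdsv1_instances(SAMPLE_RESPONSE):
        print(finding)  # with live data: enforce_imdsv2([finding["InstanceId"]])
```

Against live data, pass the output of `boto3.client("ec2").describe_instances()` to `find_imdsv1_instances` and feed the flagged IDs to `enforce_imdsv2`.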