ec2-metadatafs: cat your AWS EC2 metadata
ec2-metadatafs exposes AWS EC2
metadata as a filesystem for easy ls,
cat, and greping. It relies on FUSE to mount a user-space filesystem with
files exposing the EC2 metadata and, optionally, the tags on the instance in the form of a readonly filesystem.
Example:
$ mkdir /var/run/aws
$ ec2-metadatafs --tags /var/run/aws
$ tree /var/run/aws
/var/run/aws
βββ dynamic
βΒ Β βββ instance-identity
βΒ Β βββ document
βΒ Β βββ dsa2048
βΒ Β βββ pkcs7
βΒ Β βββ rsa2048
βΒ Β βββ signature
βββ meta-data
βΒ Β βββ ami-id
βΒ Β βββ ami-launch-index
βΒ Β βββ ami-manifest-path
βΒ Β βββ block-device-mapping
βΒ Β βΒ Β βββ ami
βΒ Β βΒ Β βββ root
βΒ Β βββ hostname
βΒ Β βββ iam
βΒ Β βΒ Β βββ info
βΒ Β βΒ Β βββ security-credentials
βΒ Β βΒ Β βββ test
βΒ Β βββ instance-action
βΒ Β βββ instance-id
βΒ Β βββ instance-type
βΒ Β βββ local-hostname
βΒ Β βββ local-ipv4
βΒ Β βββ mac
βΒ Β βββ metrics
βΒ Β βββ network
βΒ Β βΒ Β βββ interfaces
βΒ Β βΒ Β βββ macs
βΒ Β βΒ Β βββ 06:5e:69:f7:53:ed
βΒ Β βΒ Β βββ device-number
βΒ Β βΒ Β βββ interface-id
βΒ Β βΒ Β βββ local-hostname
βΒ Β βΒ Β βββ local-ipv4s
βΒ Β βΒ Β βββ mac
βΒ Β βΒ Β βββ owner-id
βΒ Β βΒ Β βββ security-group-ids
βΒ Β βΒ Β βββ security-groups
βΒ Β βΒ Β βββ subnet-id
βΒ Β βΒ Β βββ subnet-ipv4-cidr-block
βΒ Β βΒ Β βββ vpc-id
βΒ Β βΒ Β βββ vpc-ipv4-cidr-block
βΒ Β βββ placement
βΒ Β βΒ Β βββ availability-zone
βΒ Β βββ profile
βΒ Β βββ public-keys
βΒ Β βΒ Β βββ 0
βΒ Β βΒ Β βββ openssh-key
βΒ Β βββ reservation-id
βΒ Β βββ security-groups
βΒ Β βββ services
βΒ Β βββ domain
βΒ Β βββ amazonaws.com
βββ tags
βΒ Β βββ createdBy
βΒ Β βββ name
βΒ Β βββ role
βββ user-data
16 directories, 42 files
$ cat /var/run/aws/meta-data/instance-id
i-1234567890
$ cat /var/run/aws/user-data
#! /bin/bash
echo 'Hello world'
$ cat /var/run/aws/tags/name
My Instance Name
Advantages over curl http://169.254.169.254
- Support for tags
- Use filesystem permissions to control access
- Use traditional unix tools to walk and interrogate the tree
- Tab completion of paths
- No need to remember the special IP address of the service
Advantages over the ec2-metadata tool
- Support for tags
- No need to
cutthe output of commands to get just the field - Can use filesystem permissions to control access
- Access to all metadata fields, not just the limited subset the tool returns
Feedback and feature requests are welcome!
Installing
Release packages
Packages are built for Arch Linux, CentOS, Debian, Fedora and Ubuntu. See releases to install one of these.
Binary installation
Linux (64 bit)
curl -sL https://github.com/jszwedko/ec2-metadatafs/releases/download/0.4.0/linux_amd64 > ec2-metadatafs
sudo mv ec2-metadatafs /usr/bin/
sudo chmod +x /usr/bin/ec2-metadatafsLinux (32 bit)
curl -sL https://github.com/jszwedko/ec2-metadatafs/releases/download/0.4.0/linux_386 > ec2-metadatafs
sudo mv ec2-metadatafs /usr/bin/
sudo chmod +x /usr/bin/ec2-metadatafsFrom source
Install the latest via: GOVENDOREXPERIMENT=1 go get github.com/jszwedko/ec2-metadatafs (requires Go >= 1.5 to be installed).
Usage
Usage:
ec2-metadatafs [OPTIONS] mountpoint
ec2metadatafs mounts a FUSE filesystem which exposes the EC2 instance metadata
(and optionally the tags) of the host as files and directories rooted at the
given location.
Application Options:
-v, --verbose Print verbose logs, can be specified multiple times (up to 2)
-f, --foreground Run in foreground
-V, --version Display version info
-e, --endpoint= EC2 metadata service HTTP endpoint (default: http://169.254.169.254/latest/)
-c, --cachesec= Number of seconds to cache files attributes and directory listings. 0 to disable, -1 for
indefinite. (default: 0)
-t, --tags Mount EC2 instance tags at <mount point>/tags
-o, --options= Mount options, see below for description
-n, --no-syslog Disable syslog when daemonized
-F, --syslog-facility= Syslog facility to use when daemonized (see below for options) (default: USER)
AWS Credentials (only used when mounting tags):
--aws-access-key-id= AWS Access Key ID (adds to credential chain, see below)
--aws-secret-access-key= AWS Secret Access key (adds to credential chain, see below)
--aws-session-token= AWS session token (adds to credential chain, see below)
Help Options:
-h, --help Show this help message
Arguments:
mountpoint: Directory to mount the filesystem at
Mount options:
-o debug Enable debug logging, same as -v
-o fuse_debug Enable fuse_debug logging (implies debug), same as -vv
-o endpoint=ENDPOINT EC2 metadata service HTTP endpoint, same as --endpoint=
-o tags Mount the instance tags at <mount point>/tags, same as --tags
-o aws_access_key_id=ID AWS API access key (see below), same as --aws-access-key-id=
-o aws_secret_access_key=KEY AWS API secret key (see below), same as --aws-secret-access-key=
-o aws_session_token=KEY AWS API session token (see below), same as --aws-session-token=
-o cachesec=SEC Number of seconds to cache files attributes and directory listings, same as --cachesec
-o syslog_facility= Syslog facility to send messages upon when daemonized (see below)
-o no_syslog Disable logging to syslog when daemonized
-o FUSEOPTION=OPTIONVALUE FUSE mount option, please see the OPTIONS section of your FUSE manual for valid options
AWS credential chain:
AWS credentials only required when mounting the instance tags (--tags or -o tags).
Checks for credentials in the following places, in order:
- Provided AWS credentials via flags or mount options
- $AWS_ACCESS_KEY_ID, $AWS_SECRET_ACCESS_KEY, and $AWS_SESSION_TOKEN environment variables
- Shared credentials file -- respects $AWS_DEFAULT_PROFILE and $AWS_SHARED_CREDENTIALS_FILE
- IAM role associated with the instance
Note that the AWS session token is only needed for temporary credentials from AWS security token service.
Caching:
Caching of the following is supported and controlled via the cachesec parameter:
* File attributes
* Directory attributes
* Directory listings
When accessed this metadata will be cached for the number of seconds specified
by cachesec. Use 0, the default, to disable caching and -1 to cache
indefinitely (good if you never expect instance metadata to change). This cache
is kept in memory and lost when the process is restarted.
Valid syslog facilities:
KERN, USER, MAIL, DAEMON, AUTH, SYSLOG, LPR, NEWS, UUCP, CRON, AUTHPRIV, FTP, LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7
Version:
0.3.0-16-gb73643f-dirty ('b73643f6a5aface7e405429779e8554a7b3767c8')
Author:
Jesse Szwedko
Project Homepage:
http://github.com/jszwedko/ec2-metadatafs
Report bugs to:
http://github.com/jszwedko/ec2-metadatafs/issues
Automatic mounting
You can have it automatically mount by adding the following to /etc/fstab:
ec2-metadatafs /var/run/aws fuse _netdev,allow_other 0 0
Or
ec2-metadatafs /var/run/aws fuse _netdev,allow_other,tags 0 0
if you want to mount the tags as well (requires AWS API credentials -- described below).
AWS permissions
If you are mounting the instance tags, AWS API credentials are required. It is recommended that you associate an IAM instance role with your instances to support this (see iam-roles for details) to avoid the usual issues with static credentials, but you can also provide credentials via the environment, command line flags, or a file.
These credentials have access to query for the AWS API for tags -- example IAM policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [ "ec2:DescribeTags"],
"Resource": ["*"]
}
]
}
See Usage section for more details on credential sources.
Developing
- Building:
make build - Testing:
make test - Building cross compiled binaries:
make dist(will install gox if needed)