1
00:00:00,180 --> 00:00:01,770
So let's go ahead and practice

2
00:00:01,770 --> 00:00:05,430
using the EC2 instance metadata service.

3
00:00:05,430 --> 00:00:07,320
So I'll call this one DemoEC2.

4
00:00:07,320 --> 00:00:08,940
I'm just creating an EC2 instance,

5
00:00:08,940 --> 00:00:10,200
and I wanna show you something.

6
00:00:10,200 --> 00:00:12,049
So, if we use Amazon Linux,

7
00:00:12,049 --> 00:00:15,840
and we choose Amazon Linux 2023 AMI,

8
00:00:15,840 --> 00:00:18,090
which is the latest AMI I have right now,

9
00:00:18,090 --> 00:00:21,540
and we scroll all the way down into advanced details,

10
00:00:21,540 --> 00:00:23,009
and we scroll down.

11
00:00:23,009 --> 00:00:26,760
As we can see, we'll find it in one moment.

12
00:00:26,760 --> 00:00:29,516
As we can see here, there is the metadata version

13
00:00:29,516 --> 00:00:34,470
that we can select between V1 and V2 or V2 only.

14
00:00:34,470 --> 00:00:37,231
And it turns out that if you use Amazon Linux 2,

15
00:00:37,231 --> 00:00:39,630
by default, it will be V2 only, okay?

16
00:00:39,630 --> 00:00:41,520
And this is what I'm gonna show you after.

17
00:00:41,520 --> 00:00:44,430
But if you chose something like Amazon Linux 2,

18
00:00:44,430 --> 00:00:47,490
so instead of 2023, use Amazon Linux 2.

19
00:00:47,490 --> 00:00:50,580
For example, this one, this is Amazon Linux 2.

20
00:00:50,580 --> 00:00:54,240
Then you could, for example, under the metadata version,

21
00:00:54,240 --> 00:00:56,640
choose V1 and V2 or V2 only.

22
00:00:56,640 --> 00:00:58,630
But right now, I'm going to use

23
00:00:59,790 --> 00:01:04,290
the Amazon Linux 2023, the latest one.

24
00:01:04,290 --> 00:01:05,430
And from this point onwards,

25
00:01:05,430 --> 00:01:08,367
you have to use the IMDS V2,

26
00:01:08,367 --> 00:01:10,350
and I will show you this in a moment.

27
00:01:10,350 --> 00:01:13,260
So we can proceed without a key pair.
28
00:01:13,260 --> 00:01:15,000
And in terms of security group,

29
00:01:15,000 --> 00:01:16,830
we can just create a new security group

30
00:01:16,830 --> 00:01:20,940
that allows SSH from anywhere and that will be enough.

31
00:01:20,940 --> 00:01:24,510
Then we scroll down, and for IAM instance profile,

32
00:01:24,510 --> 00:01:26,520
for now I will not select anything

33
00:01:26,520 --> 00:01:29,430
but later I will select whatever profile is available for me

34
00:01:29,430 --> 00:01:31,560
just to show you how it's being accessed

35
00:01:31,560 --> 00:01:33,390
using the metadata service.

36
00:01:33,390 --> 00:01:37,320
So again, we are not going to specify a metadata version,

37
00:01:37,320 --> 00:01:40,140
but I will show you that it's V2 only in a second.

38
00:01:40,140 --> 00:01:41,190
Okay, so this is enough.

39
00:01:41,190 --> 00:01:43,440
We're going to launch our instance,

40
00:01:43,440 --> 00:01:46,050
and then we're going to issue commands within

41
00:01:46,050 --> 00:01:50,760
our instance using the EC2 Instance Connect service.

42
00:01:50,760 --> 00:01:55,500
So now let's connect to our instance using EC2 Connect.

43
00:01:55,500 --> 00:01:57,180
And here we go.

44
00:01:57,180 --> 00:02:01,620
So we are inside and we want to query the metadata service.

45
00:02:01,620 --> 00:02:05,203
So I'm going to type IMDS V1 on Google,

46
00:02:05,203 --> 00:02:08,940
and then I'm going to just have a look at this.

47
00:02:08,940 --> 00:02:10,500
So this is documentation,

48
00:02:10,500 --> 00:02:14,280
because the commands can be quite complicated.

49
00:02:14,280 --> 00:02:15,720
So if we look at the commands,

50
00:02:15,720 --> 00:02:18,305
this is the URL we have to request, okay?

51
00:02:18,305 --> 00:02:22,016
So first we have to issue this command,

52
00:02:22,016 --> 00:02:25,590
and then we have to issue the second command.

53
00:02:25,590 --> 00:02:26,940
But this is IMDS V2.
54
00:02:26,940 --> 00:02:28,980
First I wanna show you that IMDS V1 does not work.

55
00:02:28,980 --> 00:02:32,216
So I'm going to click on retrieve instance metadata,

56
00:02:32,216 --> 00:02:34,746
which is just going to give me the URL

57
00:02:34,746 --> 00:02:39,240
for the instance metadata when we're using IMDS V1.

58
00:02:39,240 --> 00:02:41,010
So in EC2 Instance Connect,

59
00:02:41,010 --> 00:02:44,250
I'm just going to type curl and then this URL.

60
00:02:44,250 --> 00:02:48,510
And as a result of this, we get a 401 Unauthorized.

61
00:02:48,510 --> 00:02:50,880
That means that we cannot access this URL.

62
00:02:50,880 --> 00:02:53,460
This would work if you're using Amazon Linux 2, for example,

63
00:02:53,460 --> 00:02:55,470
and you've enabled IMDS V1.

64
00:02:55,470 --> 00:02:59,670
But you can see on Amazon Linux 2023, this does not work.

65
00:02:59,670 --> 00:03:01,260
So we need to address this of course,

66
00:03:01,260 --> 00:03:04,050
and to do so, we're going to use IMDS V2.

67
00:03:04,050 --> 00:03:05,730
So before being able to query this URL,

68
00:03:05,730 --> 00:03:07,800
we need to retrieve a token.

69
00:03:07,800 --> 00:03:10,050
So this is what this command is showing you right now.

70
00:03:10,050 --> 00:03:12,090
So we'll take all the command right here

71
00:03:12,090 --> 00:03:15,350
from token equals and paste this in.

72
00:03:15,350 --> 00:03:18,858
And so this token is querying this URL

73
00:03:18,858 --> 00:03:21,293
called the latest API token

74
00:03:21,293 --> 00:03:25,020
and passes in the header for the token expiration.

75
00:03:25,020 --> 00:03:29,040
So now this is done, and if we do echo dollar token,

76
00:03:29,040 --> 00:03:30,960
then this is the token that was retrieved

77
00:03:30,960 --> 00:03:33,892
from this first call, this first HTTP call.

78
00:03:33,892 --> 00:03:36,810
So now that we have this, I'm going to clear my screen.
79
00:03:36,810 --> 00:03:40,286
We can issue a command against the metadata service

80
00:03:40,286 --> 00:03:44,370
by passing the token as a header to the curl.

81
00:03:44,370 --> 00:03:48,510
So we are again going to go into here, press enter,

82
00:03:48,510 --> 00:03:50,340
and as you can see, things are working.

83
00:03:50,340 --> 00:03:51,930
Now we don't get Unauthorized.

84
00:03:51,930 --> 00:03:54,660
So we are gonna remove this minus V option

85
00:03:54,660 --> 00:03:58,140
just to get a cleaner output.

86
00:03:58,140 --> 00:04:01,533
So we remove our minus V, oh, and I need a space.

87
00:04:03,600 --> 00:04:04,920
So here we go.

88
00:04:04,920 --> 00:04:07,350
Okay, and we see that when we query this URL,

89
00:04:07,350 --> 00:04:09,690
passing in the token that we had from before,

90
00:04:09,690 --> 00:04:13,470
then we get access to all these bits of information.

91
00:04:13,470 --> 00:04:15,810
So whenever you have a trailing slash,

92
00:04:15,810 --> 00:04:17,670
that means it's like, I call it a directory.

93
00:04:17,670 --> 00:04:19,530
That means there is more data within,

94
00:04:19,530 --> 00:04:21,990
but when there is no trailing slash it's a value.

95
00:04:21,990 --> 00:04:24,450
For example, if you wanted to retrieve the hostname

96
00:04:24,450 --> 00:04:27,500
of this instance, just type in hostname

97
00:04:27,500 --> 00:04:30,720
at the end of the URL call,

98
00:04:30,720 --> 00:04:33,870
and then we get the hostname from the EC2 instance.

99
00:04:33,870 --> 00:04:36,060
As you can see, this is how the EC2 instance

100
00:04:36,060 --> 00:04:38,996
knows about its own hostname.

101
00:04:38,996 --> 00:04:40,530
We can have another one.

102
00:04:40,530 --> 00:04:45,120
We can have, for example, local-ipv4,

103
00:04:45,120 --> 00:04:46,350
I believe, and here we go.

104
00:04:46,350 --> 00:04:47,970
We have the local IPv4.

105
00:04:47,970 --> 00:04:49,620
So lots of different options.
106
00:04:49,620 --> 00:04:51,000
You can definitely try it out.

107
00:04:51,000 --> 00:04:53,100
And again, by having a trailing slash

108
00:04:53,100 --> 00:04:55,530
you have all the information.

109
00:04:55,530 --> 00:04:58,740
So now how does it work for when the EC2 instance

110
00:04:58,740 --> 00:05:01,671
has an IAM role and wants to obtain the credentials

111
00:05:01,671 --> 00:05:03,570
to use that role?

112
00:05:03,570 --> 00:05:08,070
Well, it turns out that if you go into identity credentials,

113
00:05:08,070 --> 00:05:09,630
then we're gonna find some stuff.

114
00:05:09,630 --> 00:05:12,810
So identity minus credentials,

115
00:05:12,810 --> 00:05:15,870
and then we add a trailing slash, always.

116
00:05:15,870 --> 00:05:18,150
As we can see right now we have EC2,

117
00:05:18,150 --> 00:05:21,120
we go in and then we have info and security credentials.

118
00:05:21,120 --> 00:05:23,940
So we'll go into info first,

119
00:05:23,940 --> 00:05:25,860
and we say, okay, there's a success.

120
00:05:25,860 --> 00:05:27,090
So it's not what we need.

121
00:05:27,090 --> 00:05:32,090
Let's go into the other one called security credentials.

122
00:05:34,410 --> 00:05:36,360
And here we get a Not Found.

123
00:05:36,360 --> 00:05:37,920
So that means that currently we don't have any

124
00:05:37,920 --> 00:05:39,720
security credentials attached to our instance.

125
00:05:39,720 --> 00:05:42,420
And that makes sense because we don't have an IAM role

126
00:05:42,420 --> 00:05:43,800
attached to our instance.

127
00:05:43,800 --> 00:05:46,248
What we can do is that we can click on our instance

128
00:05:46,248 --> 00:05:49,397
and then we're going to go under security

129
00:05:49,397 --> 00:05:52,110
and we're going to give it an IAM role.

130
00:05:52,110 --> 00:05:55,563
So to do so, we'll do Actions, Security,

131
00:05:56,400 --> 00:05:58,290
and then Modify IAM role.
132
00:05:58,290 --> 00:06:00,090
And we'll give it whatever role you want,

133
00:06:00,090 --> 00:06:01,860
I really have tons of roles created for this course,

134
00:06:01,860 --> 00:06:03,750
but choose whatever role.

135
00:06:03,750 --> 00:06:05,430
This doesn't really matter.

136
00:06:05,430 --> 00:06:08,670
The idea is that you attach a role to your EC2 instance

137
00:06:08,670 --> 00:06:11,430
and then we're going to wait about 30 seconds.

138
00:06:11,430 --> 00:06:14,452
So now let's issue the command again, press enter.

139
00:06:14,452 --> 00:06:15,750
Oh, I get a Not Found,

140
00:06:15,750 --> 00:06:16,583
but the reason I do is

141
00:06:16,583 --> 00:06:18,630
because I'm missing a trailing slash.

142
00:06:18,630 --> 00:06:20,280
So make sure you are adding a trailing slash

143
00:06:20,280 --> 00:06:22,770
and make sure you don't make any typos as well.

144
00:06:22,770 --> 00:06:24,240
So just press enter.

145
00:06:24,240 --> 00:06:26,730
And now we have the ec2-instance.

146
00:06:26,730 --> 00:06:29,313
So we're going to add slash ec2-instance,

147
00:06:30,300 --> 00:06:32,130
and then we'll be good to go.

148
00:06:32,130 --> 00:06:34,110
And as we can see, so it's a long URL,

149
00:06:34,110 --> 00:06:36,870
we had slash meta-data, slash identity-credentials,

150
00:06:36,870 --> 00:06:40,830
slash ec2, slash security-credentials, slash ec2-instance.

151
00:06:40,830 --> 00:06:43,337
But out of it, we get this JSON,

152
00:06:43,337 --> 00:06:46,470
and what we get out of it is an access key ID,

153
00:06:46,470 --> 00:06:48,667
a secret access key and a token

154
00:06:48,667 --> 00:06:50,760
and an expiration date, which said

155
00:06:50,760 --> 00:06:54,660
that this role expires in the next whatever, 24 hours maybe.

156
00:06:54,660 --> 00:06:56,700
So here we have the,

157
00:06:56,700 --> 00:06:58,980
and it's probably more like one hour than 24 hours.
158
00:06:58,980 --> 00:07:02,040
Anyways, so here, this is how the EC2 instance

159
00:07:02,040 --> 00:07:04,590
obtains the credentials that allow it

160
00:07:04,590 --> 00:07:06,033
to use its own IAM role,

161
00:07:06,033 --> 00:07:08,112
because the IAM role provides credentials

162
00:07:08,112 --> 00:07:11,610
through the EC2 instance metadata service.

163
00:07:11,610 --> 00:07:12,443
So that's it.

164
00:07:12,443 --> 00:07:13,710
Not something you have to do anything with,

165
00:07:13,710 --> 00:07:17,355
because the EC2 instance and the AWS CLI

166
00:07:17,355 --> 00:07:20,550
and SDK are smart enough to do things behind the scenes,

167
00:07:20,550 --> 00:07:22,470
so that you don't have to worry about these things.

168
00:07:22,470 --> 00:07:24,519
But I want to show you how the behind-the-scenes work

169
00:07:24,519 --> 00:07:26,730
and the value that the metadata service

170
00:07:26,730 --> 00:07:28,410
was providing to EC2.

171
00:07:28,410 --> 00:07:29,600
So that's it for this lecture.

172
00:07:29,600 --> 00:07:30,433
When you're ready,

173
00:07:30,433 --> 00:07:33,051
you can just take this EC2 instance and terminate it.

174
00:07:33,051 --> 00:07:35,763
All right, I will see you in the next lecture.
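The exchange the lecture walks through at the terminal (a token-less GET that is refused with 401, a PUT to /latest/api/token carrying the TTL header, then a GET with the token that returns metadata such as the hostname and the role credentials), reproduced as an added example that is not part of the lecture or of any AWS code. Both sides are written out: a mock metadata endpoint that behaves like an IMDSv2-only instance, and a client that performs the two-step flow. It runs offline on a loopback port; the hostname, IP, credential values and the token format are constructed for this example, while the paths and the two `X-aws-ec2-metadata-token*` header names are the real IMDS ones.

```python
"""Both sides of the IMDSv2 token exchange: a mock IMDSv2-only endpoint and a client."""
import json
import secrets
import threading
import time
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN_HEADER = "X-aws-ec2-metadata-token"
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
MAX_TTL = 21600  # IMDS caps a session token at six hours

# Constructed sample metadata tree; a trailing slash is a "directory" listing.
METADATA = {
    "/latest/meta-data/": "hostname\nlocal-ipv4\nidentity-credentials/",
    "/latest/meta-data/hostname": "ip-10-0-0-12.example.internal",
    "/latest/meta-data/local-ipv4": "10.0.0.12",
    "/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance":
        json.dumps({"Code": "Success", "AccessKeyId": "ASIAEXAMPLE",
                    "SecretAccessKey": "EXAMPLE-SECRET", "Token": "EXAMPLE-SESSION",
                    "Expiration": "2030-01-01T00:00:00Z"}),  # constructed values
}
# Loopback-only opener so an environment proxy cannot intercept the mock.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


class MockIMDSv2Handler(BaseHTTPRequestHandler):
    """Serves METADATA only to requests carrying a valid, unexpired session token."""
    tokens = {}  # token -> expiry (epoch seconds), shared across requests

    def log_message(self, *args):
        pass  # keep the demo quiet

    def do_PUT(self):
        # Step one of IMDSv2: the client asks for a token and states a TTL.
        if self.path != "/latest/api/token":
            return self._reply(404, "Not Found")
        ttl = self.headers.get(TTL_HEADER, "")
        if not ttl.isdigit() or not 1 <= int(ttl) <= MAX_TTL:
            return self._reply(400, "Bad Request")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = time.time() + int(ttl)
        self._reply(200, token)

    def do_GET(self):
        # Step two: metadata is only served with a valid token; there is no v1 fallback.
        expiry = self.tokens.get(self.headers.get(TOKEN_HEADER))
        if expiry is None or expiry < time.time():
            return self._reply(401, "Unauthorized")
        body = METADATA.get(self.path)
        self._reply(200, body) if body is not None else self._reply(404, "Not Found")

    def _reply(self, status, body):
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def start_mock_imds():
    """Start the mock endpoint on an ephemeral loopback port and return its base URL."""
    server = HTTPServer(("127.0.0.1", 0), MockIMDSv2Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_port}"


def _send(req):
    """Return (status, body) for a request, turning HTTP errors into a status tuple."""
    try:
        with OPENER.open(req) as r:
            return r.status, r.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.reason


def imds_token(base, ttl=MAX_TTL):
    """PUT /latest/api/token with the TTL header; the body of a 200 reply is the token."""
    req = urllib.request.Request(base + "/latest/api/token", method="PUT")
    req.add_header(TTL_HEADER, str(ttl))
    return _send(req)


def imds_get(base, path, token=None):
    """GET a metadata path. Without a token this is the IMDSv1-style call from the lecture."""
    req = urllib.request.Request(base + path)
    if token:
        req.add_header(TOKEN_HEADER, token)
    return _send(req)


def demo():
    base = start_mock_imds()
    v1 = imds_get(base, "/latest/meta-data/hostname")           # (401, 'Unauthorized')
    token = imds_token(base)[1]
    v2 = imds_get(base, "/latest/meta-data/hostname", token)    # (200, hostname)
    creds_path = "/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance"
    creds = json.loads(imds_get(base, creds_path, token)[1])
    return v1, v2, creds


if __name__ == "__main__":
    print(demo())
```

The mock is the defender's view of why V2-only matters: a request that does not carry a token issued by a prior PUT is refused outright, so the plain GET that IMDSv1 would have answered gets the same 401 the lecture shows on Amazon Linux 2023.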