Getting EC2 instance tags from within the instance

tags.py

import boto3
import requests


def _get_metadata_region():
    r = requests.get(
        'http://169.254.169.254/latest/dynamic/instance-identity/document')

    return r.json()['region']


def _get_instance_id():
    r = requests.get('http://169.254.169.254/latest/meta-data/instance-id')
    return r.text


def get_instance_tags():
    client = boto3.client('ec2', region_name=_get_metadata_region())
    response = client.describe_tags(
        Filters=[
            {
                'Name': 'resource-id',
                'Values': [
                    _get_instance_id(),
                ]
            },
        ],
    )
    print(response['Tags'])


get_instance_tags()

@kesor Can you share a CLI command where that policy works? When I try aws ec2 describe-tags --filters Name=resource-id,Values=<instance id> I still get permission denied.

@aidansteele The condition does not restrict which instances you can query, it restricts who can query. With the condition above, only the instance itself, when it is using an IAM role can query for ec2:DescribeTags (for all instances in the region).

placeholder ${ec2:SourceInstanceARN} will be replaced by any instance to which instance-profile will be attached. This means each instance with proper instance-profile can query. Obviously if you do not what to allow to other instances ec2:DescribeTags permission just do not attach instance profile to them.

@kesor No, you can not restrict that action in an IAM policy...

FYI: don't lose time trying to do this.