
I'm trying to find a way of listing/describing the public IP (doesn't have to be an EIP) of an EC2 instance. I've read about Describe* and I'm aware of the limitation of not being able to specify the resource in the policy.

So my question is:

While specifying the resource in the policy, is there any way for me to get the public IP of an EC2 instance? Are there any commands that can be used in awscli that would return the public IP while running under a user/group that would allow this action only within a specified resource?

I basically want to apply a policy that gives the user/group permission to get the IP only from a specified EC2 instance ID.

Thank you!

t988GF
  • An ec2 instance can look up its own public IP without any IAM permissions via instance metadata. – jordanm Apr 15 '17 at 01:59
  • Care to add more info? How can you retrieve it, for example? – t988GF Apr 15 '17 at 07:07
  • `curl http://169.254.169.254/latest/meta-data/public-ipv4`. http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html – jordanm Apr 15 '17 at 17:33
  • Thank you, that's very useful. Since I'm starting an EC2 instance from a script, I don't believe I can get to that page without querying the instance ID, though. Since I don't have an EIP on the instance and the IP changes every time it boots, even though interesting to know, I don't believe I can use it in a script (I didn't mention the script part in my question though). TY! – t988GF Apr 15 '17 at 21:16
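The one-line `curl` in the comments above works on instances that still allow IMDSv1. Where the instance has been launched with IMDSv2 required (`HttpTokens=required`), a plain GET to the metadata address is answered with HTTP 401, and the caller first has to obtain a session token with a PUT and then send that token on every request. The script below is an added example, not code from the thread or from AWS: it does the token dance, falls back to a plain GET when no token is issued, and refuses to return anything that is not a dotted-quad address. The metadata address and header names come from the EC2 user guide linked above; the function names and the `show` argument are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original thread. Reads this instance's own
# public IPv4 from the metadata service, handling IMDSv2 (token required) as
# well as IMDSv1. Link-local address and header names are from the EC2 docs.
set -eu

# Metadata endpoint; can be overridden to point at a test double.
IMDS="${IMDS:-http://169.254.169.254}"

# IMDSv2 session token. Prints nothing when the service does not issue one
# (IMDSv1-only instance, or not running on EC2 at all) so callers can fall back.
imds_token() {
  curl -sS -f -X PUT "$IMDS/latest/api/token" \
       -H "X-aws-ec2-metadata-token-ttl-seconds: 60" 2>/dev/null || true
}

# GET one metadata path, attaching the token when one was issued.
# -f makes curl fail (exit 22) on a 401 or 404 instead of printing the error body.
imds_get() {
  local path="$1" token
  token="$(imds_token)"
  if [ -n "$token" ]; then
    curl -sS -f -H "X-aws-ec2-metadata-token: $token" "$IMDS/latest/meta-data/$path"
  else
    curl -sS -f "$IMDS/latest/meta-data/$path"
  fi
}

# Sanity check on what came back: four non-empty decimal octets, each 0..255.
is_ipv4() {
  case "$1" in .*|*.|*..*|*[!0-9.]*) return 1 ;; esac
  local oldifs="$IFS" o
  IFS=.
  set -- $1
  IFS="$oldifs"
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ "$o" -le 255 ] || return 1
  done
}

# Public IPv4 of this instance. Returns 1 when the instance has none: the
# public-ipv4 path answers 404 in that case and curl -f turns it into a failure.
public_ipv4() {
  local ip
  ip="$(imds_get public-ipv4)" || return 1
  if ! is_ipv4 "$ip"; then
    echo "unexpected reply from metadata service: $ip" >&2
    return 1
  fi
  printf '%s\n' "$ip"
}

# On the instance: sh imds-public-ip.sh show
if [ "${1:-}" = "show" ]; then
  public_ipv4
fi
```

As the questioner notes, this only helps from inside the instance; a launch script running elsewhere still has to go through the API, and the metadata service needs no IAM permission at all, which is exactly why anything that can run code on the instance (or reach the link-local address through an SSRF) can read it.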

2 Answers


The only command that can get an EC2 instance's public IP address is the following:

aws ec2 describe-instances \
  --region us-east-1 \
  --instance-ids i-abcdef

Unfortunately, there is no IAM policy syntax capable of restricting the command to only a single EC2 instance. describe-instances does not allow resource-level permissions. So to give access to this command requires giving access for all EC2 instances.

Matt Houser
  • Thanks Matt. I'm accepting this as the answer, but I'm still surprised that no one in AWS thought about the need to get an IP from an instance without allowing to get an IP from ALL instances. Is my case so "extreme" or out of the ordinary? Weird. Nevertheless, thank you for your help. – t988GF Apr 12 '17 at 22:07

You can use this to get the public IP (the `--query` filter returns just the address, so no grep/awk/sed post-processing is needed):

aws ec2 describe-instances --instance-ids i-the-instance-id-here --query 'Reservations[].Instances[].PublicIpAddress' --output text

And you can grant your AWS CLI user AmazonEC2ContainerRegistryReadOnly access.

jarvis
  • Should that be describe-instanceS? Also, I can't find the AmazonEC2ContainerRegistryReadOnly action. My policy currently allows for ec2:DescribeInstances and ec2:StopInstances and ec2:StartInstances, both limited to the resource of the instance ID. However, as per http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ExamplePolicies_EC2.html#iam-example-instances, I can't define a resource with describe-instances: "The * wildcard is also necessary in cases where the API action does not support resource-level permissions." Or am I reading it wrong? Thanks! – t988GF Apr 12 '17 at 12:19
  • Yes, that is describe-instances. My mistake on the syntax. I've corrected it. Hope this link helps: http://docs.aws.amazon.com/AmazonECR/latest/userguide/ecr_managed_policies.html – jarvis Apr 12 '17 at 13:35
  • Under "My Security Credentials", you can update the permission of the User. – jarvis Apr 12 '17 at 13:37
  • I don't think you are understanding my point. I'm using an IAM policy, and describe-instances doesn't allow resource level limiting. – t988GF Apr 12 '17 at 13:43
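Pulling the two answers together for the script case the questioner describes (start one instance, then learn its public IP): the tightest policy the API allows scopes `ec2:StartInstances`/`ec2:StopInstances` to the one instance ARN and grants `ec2:DescribeInstances` on `"*"`, because, as Matt Houser says and the linked AWS docs confirm, that action has no resource-level permissions. What the user gains from the wildcard is read access to instance metadata across the account, not control of other instances. The script below is an added example, not code from either answer or from AWS; the account ID `123456789012`, the instance ID `i-0123456789abcdef0`, the region default and the function names are placeholders of this example. It emits that policy document and then starts the instance and polls `describe-instances` (with the same `--query` filter as the answer above) until a public address shows up, aborting instead of retrying if the CLI itself fails, which is what an AccessDenied on `DescribeInstances` looks like.

```shell
#!/bin/sh
# Added example, not from the thread. Least privilege that the EC2 API allows
# for "start one instance and read its public IP", plus the script side.
#   - Start/Stop are scoped to one instance ARN (resource-level permissions exist)
#   - DescribeInstances has none, so it must be granted on "*"
set -eu

REGION="${REGION:-us-east-1}"
ACCOUNT_ID="${ACCOUNT_ID:-123456789012}"            # assumption: placeholder account
INSTANCE_ID="${INSTANCE_ID:-i-0123456789abcdef0}"   # assumption: placeholder instance
POLL_SECONDS="${POLL_SECONDS:-5}"

# arn:aws:ec2:<region>:<account>:instance/<id>
instance_arn() {
  printf 'arn:aws:ec2:%s:%s:instance/%s' "$1" "$2" "$3"
}

# IAM policy document for the user or role the script runs as.
policy_document() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ControlOneInstanceOnly",
      "Effect": "Allow",
      "Action": ["ec2:StartInstances", "ec2:StopInstances"],
      "Resource": "$(instance_arn "$REGION" "$ACCOUNT_ID" "$INSTANCE_ID")"
    },
    {
      "Sid": "DescribeHasNoResourceLevelPermissions",
      "Effect": "Allow",
      "Action": "ec2:DescribeInstances",
      "Resource": "*"
    }
  ]
}
EOF
}

# Public IPv4 of one instance. Exit 1: none assigned yet (text output is empty
# or "None" for a missing field). Exit 2: the CLI call itself failed.
public_ip_of() {
  local ip
  ip="$(aws ec2 describe-instances --region "$REGION" --instance-ids "$1" \
        --query 'Reservations[].Instances[].PublicIpAddress' --output text)" || return 2
  case "$ip" in ''|None) return 1 ;; esac
  printf '%s\n' "$ip"
}

# Start the instance and poll until it has a public address or tries run out.
start_and_get_ip() {
  local id="$1" tries="${2:-30}" ip rc
  aws ec2 start-instances --region "$REGION" --instance-ids "$id" >/dev/null || return 2
  while [ "$tries" -gt 0 ]; do
    rc=0
    ip="$(public_ip_of "$id")" || rc=$?
    case "$rc" in
      0) printf '%s\n' "$ip"; return 0 ;;
      2) echo "describe-instances failed; check ec2:DescribeInstances is allowed on \"*\"" >&2; return 2 ;;
    esac
    tries=$((tries - 1))
    sleep "$POLL_SECONDS"
  done
  echo "no public IP for $id after polling" >&2
  return 1
}

# sh one-instance.sh policy   -> print the policy document
# sh one-instance.sh start    -> start $INSTANCE_ID and print its public IP
case "${1:-}" in
  policy) policy_document ;;
  start)  start_and_get_ip "$INSTANCE_ID" ;;
esac
```

If the goal is to avoid exposing other instances' metadata to this principal entirely, the remaining options are outside IAM: put the instance in its own account, or have something more privileged look the address up and hand it over (for example, a Lambda or Systems Manager document that this user is allowed to invoke).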