Accessing EC2 Instance Tags from Within the Instance

Overview

By default, EC2 instances cannot access their own tags through the Instance Metadata Service (IMDS). This limitation exists for security reasons, but there are situations where your application or scripts running on the instance need to retrieve the instance's tags.

Solution

Prerequisites:

  • An EC2 instance running Linux
  • Appropriate IAM permissions to modify instance roles
  • Basic understanding of AWS IAM roles and policies

Step 1: Configure Your Application to Retrieve Tags

Add the following configuration to your deployment or CI/CD pipeline to install AWS CLI and retrieve instance tags:

- run:
    name: install aws cli
    command: |
      # install the CLI's prerequisites, then the x86_64 build of AWS CLI v2
      sudo apt update && sudo apt install -y unzip curl
      curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
      unzip -q awscliv2.zip && sudo ./aws/install && rm -rf aws awscliv2.zip

- run:
    name: get ec2 metadata tags
    command: |
      # IMDSv2: obtain a session token (TTL 21600 s = 6 h) and send it with every metadata request
      TOKEN=$(curl -X PUT -s "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
      INSTANCE_ID=$(curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/instance-id)
      # DescribeTags is a regional call; if no region is configured, take the instance's own from IMDS
      export AWS_DEFAULT_REGION="${AWS_DEFAULT_REGION:-$(curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/placement/region)}"
      # the resource-id filter limits the result to this instance's tags
      aws ec2 describe-tags --filters "Name=resource-id,Values=$INSTANCE_ID" --no-cli-pager

Step 2: Create and Attach an IAM Role

Since the Instance Metadata Service v2 (IMDSv2) blocks direct tag access, you need to create an IAM role with the necessary permissions and attach it to your EC2 instance.

Required IAM Policy:

The role must include permissions to describe EC2 tags. Create a policy with the following permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeTags"
            ],
            "Resource": "*"
        }
    ]
}

Attach the Role:

  1. Create an IAM role with the above policy
  2. Attach the role to your EC2 instance through the AWS Console, CLI, or infrastructure as code tools
  3. The instance will now be able to use AWS CLI to retrieve its tags

How It Works

  1. The first step installs AWS CLI v2 on the instance so it can call AWS APIs.
  2. The instance ID is read from IMDSv2, which only answers requests that carry a short-lived session token obtained with a PUT request.
  3. `aws ec2 describe-tags` signs the DescribeTags call with the temporary credentials of the IAM role attached to the instance (the CLI fetches those credentials from IMDS as well).
  4. The resource-id filter restricts the result to tags attached to the current instance.
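The same flow as an added Python example (this is not code from the original article): an IMDSv2 token, then the instance ID and region from IMDS, then DescribeTags filtered on the instance's resource-id, reduced to a {Key: Value} dict. The IMDS lookup and the DescribeTags call are passed in as callables so the logic can be run offline against a constructed response; on a real instance, `own_tags()` with no arguments uses urllib and boto3. All function names and the sample data are this example's own.

```python
"""Added example, not code from the original article: the same three-step flow
(IMDSv2 token -> instance-id from IMDS -> ec2:DescribeTags filtered on the
instance's resource-id) written in Python with urllib and boto3.

The IMDS lookup and the DescribeTags call are injectable so the reduction step
can be exercised offline against a constructed response; on a real instance
own_tags() with no arguments uses the real helpers. All function names here are
this example's own, not part of any AWS SDK.
"""
import json
import urllib.request

IMDS = "http://169.254.169.254/latest"


def imds_token(ttl_seconds=21600):
    """IMDSv2: a PUT with a TTL header returns a session token that every
    subsequent metadata request must carry."""
    req = urllib.request.Request(
        f"{IMDS}/api/token", method="PUT",
        headers={"X-aws-ec2-metadata-token-ttl-seconds": str(ttl_seconds)},
    )
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()


def imds_get(path, token):
    """Read one metadata path (e.g. 'instance-id') using the session token."""
    req = urllib.request.Request(
        f"{IMDS}/meta-data/{path}", headers={"X-aws-ec2-metadata-token": token}
    )
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()


def describe_tags_boto3(region, instance_id):
    """Call DescribeTags with the instance role's credentials (boto3 picks
    them up from IMDS automatically). Paginates, since tags can span pages."""
    import boto3  # imported lazily so the module loads without boto3 installed

    ec2 = boto3.client("ec2", region_name=region)
    tags = []
    for page in ec2.get_paginator("describe_tags").paginate(
        Filters=[{"Name": "resource-id", "Values": [instance_id]}]
    ):
        tags.extend(page["Tags"])
    return {"Tags": tags}


def tags_to_dict(response, instance_id):
    """Reduce a DescribeTags response to {Key: Value}. The resource-id filter
    already scopes the call; re-checking ResourceId guards against a
    mis-built filter handing back another resource's tags."""
    return {
        t["Key"]: t["Value"]
        for t in response.get("Tags", [])
        if t.get("ResourceId") == instance_id
    }


def own_tags(get_meta=None, describe_tags=describe_tags_boto3):
    """Full flow. get_meta(path) -> str; describe_tags(region, id) -> response."""
    if get_meta is None:
        token = imds_token()
        get_meta = lambda path: imds_get(path, token)
    instance_id = get_meta("instance-id")
    region = get_meta("placement/region")  # DescribeTags is a regional call
    return tags_to_dict(describe_tags(region, instance_id), instance_id)


# Constructed sample data (shape follows the EC2 DescribeTags response) so the
# flow can be run without an instance. The third entry belongs to a different
# instance to show the ResourceId check discarding it.
SAMPLE_META = {"instance-id": "i-0123456789abcdef0", "placement/region": "us-east-1"}
SAMPLE_RESPONSE = {"Tags": [
    {"Key": "Name", "ResourceId": "i-0123456789abcdef0", "ResourceType": "instance", "Value": "build-runner"},
    {"Key": "Environment", "ResourceId": "i-0123456789abcdef0", "ResourceType": "instance", "Value": "staging"},
    {"Key": "Name", "ResourceId": "i-0fedcba9876543210", "ResourceType": "instance", "Value": "other-host"},
]}


def demo():
    """Run own_tags() end to end against the constructed sample data."""
    return own_tags(get_meta=SAMPLE_META.__getitem__,
                    describe_tags=lambda region, iid: SAMPLE_RESPONSE)


if __name__ == "__main__":
    print(json.dumps(own_tags(), indent=2))  # on a real instance with the role attached
```

Pagination matters here because DescribeTags can return a NextToken; the CLI in the step above handles that for you, and boto3's paginator does the same.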

Security Considerations

  • Grant only ec2:DescribeTags, following the principle of least privilege. Note that EC2 Describe* actions do not support resource-level permissions, so "Resource": "*" is required, and the role can read the tags of any resource in the region, not just this instance's.
  • Consider restricting the policy further with conditions that fit your specific use case (for Describe* actions, only global condition keys such as the source VPC endpoint apply).
  • Require IMDSv2 on the instance (HttpTokens=required) so that the role credentials served by IMDS cannot be fetched by a request that never obtained a session token, and keep the PUT response hop limit at 1 unless workloads behind another network hop genuinely need metadata access.
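A check for the last point, as an added example (not part of the original article): it reads the MetadataOptions of each instance from a DescribeInstances page and reports those that still answer requests without an IMDSv2 token, with a remediation helper that switches an instance to HttpTokens=required. The function names and the sample page are this example's own; the boto3 calls (describe_instances, modify_instance_metadata_options) are real EC2 APIs.

```python
"""Added example, not part of the original article: audit which EC2 instances
still accept IMDSv1, i.e. MetadataOptions.HttpTokens is not "required".

The instance role's temporary credentials are served by IMDS. With
HttpTokens=optional a request that never obtained a session token is still
answered, so enforcing IMDSv2 is the instance-side control that backs the
token step used above. Function names are this example's own; the boto3 calls
(describe_instances, modify_instance_metadata_options) are real EC2 APIs.
"""


def imdsv1_exposed(describe_instances_response):
    """Return [(instance_id, http_tokens, hop_limit)] for every instance whose
    metadata endpoint is enabled but does not require IMDSv2 tokens."""
    findings = []
    for reservation in describe_instances_response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue  # no metadata service at all: nothing to reach
            if opts.get("HttpTokens") != "required":
                findings.append((
                    inst["InstanceId"],
                    opts.get("HttpTokens", "optional"),
                    opts.get("HttpPutResponseHopLimit"),
                ))
    return findings


def audit_region(region):
    """Page through DescribeInstances in one region and collect findings."""
    import boto3  # lazy import: the audit logic above runs without boto3

    ec2 = boto3.client("ec2", region_name=region)
    findings = []
    for page in ec2.get_paginator("describe_instances").paginate():
        findings.extend(imdsv1_exposed(page))
    return findings


def enforce_imdsv2(region, instance_id, hop_limit=1):
    """Remediate one instance: require tokens and keep the PUT response hop
    limit at 1 so the token cannot be obtained from behind another network hop."""
    import boto3

    ec2 = boto3.client("ec2", region_name=region)
    return ec2.modify_instance_metadata_options(
        InstanceId=instance_id,
        HttpTokens="required",
        HttpEndpoint="enabled",
        HttpPutResponseHopLimit=hop_limit,
    )


# Constructed DescribeInstances page (only the fields the audit reads).
SAMPLE_PAGE = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaaaaaaaaaaaaaa1",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0bbbbbbbbbbbbbbb2",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 2}},
    {"InstanceId": "i-0ccccccccccccccc3",
     "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
]}]}


if __name__ == "__main__":
    for instance_id, tokens, hops in imdsv1_exposed(SAMPLE_PAGE):
        print(f"{instance_id}: HttpTokens={tokens} hop_limit={hops} -> require IMDSv2")
```

Run `audit_region("us-east-1")` (or any region) with credentials that allow ec2:DescribeInstances to list the real findings; the sample page shows the expected shape, with the second instance flagged and the third skipped because its metadata endpoint is disabled.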

Troubleshooting

Common Issues:

  • Permission denied (EC2 reports UnauthorizedOperation): ensure the IAM role attached to the instance allows ec2:DescribeTags
  • No role attached (the CLI reports "Unable to locate credentials"): verify that an IAM role is attached to your EC2 instance
  • Network connectivity: the instance needs a route to the EC2 API endpoint, through a public IP or NAT gateway or via an EC2 VPC interface endpoint
  • AWS CLI not found: run `aws --version` to confirm the installation completed and the binary is on the PATH

If you continue to experience issues, check the AWS CloudTrail logs for detailed error information about the API calls.

For detailed information about the DescribeTags API and its parameters, refer to the AWS EC2 API Documentation.
