3

I have a Python app running in a Docker container on an EC2 instance managed by ECS (well, that's what I would like...). However, to use services like SSM with boto3, I need to know the region where the instance is running. I don't need any credentials as I use a role for the instance which grants access to the service, so a default Session is ok.

I know that it is possible to fetch the region with a curl to get the dynamic metadata, but is there any more elegant way to instantiate a client with a region name (of credentials) inside an EC2 instance?

I ran through the boto3 documentation and found

Note that if you've launched an EC2 instance with an IAM role configured, there's no explicit configuration you need to set in boto3 to use these credentials. Boto3 will automatically use IAM role credentials if it does not find credentials in any of the other places listed above.

So why do I need to pass the region name for the SSM client, for example? Is there a workaround?

GuillaumeA

2 Answers

3

Region is a required parameter for the SSM client to know which region it should be interacting with. It does not try to assume even if you’re in the AWS cloud.

If you want it to assume in your container, the simplest way to implement this is to use the AWS environment variables.

In your container definition, under the environment attribute, specify a variable with the name AWS_DEFAULT_REGION and the value of your current region.

By doing this you will not have to specify a region in the SDK within the container.

See this example, which uses the environment attribute, for more information.

Chris Williams
  • Thanks, I know that, but in the Java SDK the region is fetched from metadata, why not with boto3? https://github.com/boto/boto3/issues/375 – GuillaumeA Jun 10 '20 at 20:50
  • I guess all you can do is what you’ve done (add an issue to GitHub). This will be because different SDKs are written by different developers, so features will differ, sadly. – Chris Williams Jun 10 '20 at 20:53
0

Here is how to retrieve a parameter from the Parameter Store using the instance profile credentials:

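#!/usr/bin/env python3

# ec2_metadata comes from the third-party "ec2-metadata" package.
from ec2_metadata import ec2_metadata
import boto3

# Read the region from the instance metadata service and pin the session to it.
# Credentials are not passed: boto3 picks them up from the instance role.
session = boto3.Session(region_name=ec2_metadata.region)
ssm = session.client('ssm')

# WithDecryption=True returns SecureString parameters in plaintext.
parameter = ssm.get_parameter(Name='/path/to/a/parameter', WithDecryption=True)
print(parameter['Parameter']['Value'])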

Replace the client section with the service of your choice and you should be set.

alfredocambera
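An added example, not taken from either answer above: it combines both approaches by using AWS_DEFAULT_REGION when it is set and otherwise asking the instance metadata service with an IMDSv2 session token, then validating the value before it reaches boto3. The function names `imds_region` and `resolve_region` and the region pattern are assumptions made for this sketch.

```python
import os
import re
import urllib.request

IMDS = "http://169.254.169.254/latest"
# Assumed shape of a region name, e.g. eu-west-1 or us-gov-west-1.
REGION_RE = re.compile(r"[a-z]{2}(-[a-z]+)+-\d+")


def imds_region(timeout=2):
    """Fetch the region from instance metadata using an IMDSv2 session token."""
    token_req = urllib.request.Request(
        f"{IMDS}/api/token", method="PUT",
        headers={"X-aws-ec2-metadata-token-ttl-seconds": "60"})
    with urllib.request.urlopen(token_req, timeout=timeout) as resp:
        token = resp.read().decode()
    region_req = urllib.request.Request(
        f"{IMDS}/meta-data/placement/region",
        headers={"X-aws-ec2-metadata-token": token})
    with urllib.request.urlopen(region_req, timeout=timeout) as resp:
        return resp.read().decode().strip()


def resolve_region(env=os.environ, fetch=imds_region):
    """Return the region from AWS_DEFAULT_REGION, else from IMDS; validate it."""
    region = env.get("AWS_DEFAULT_REGION")
    source = "environment"
    if not region:
        try:
            region = fetch()
            source = "IMDS"
        except OSError as exc:  # URLError and timeouts are OSError subclasses
            raise RuntimeError(f"region not set and IMDS unreachable: {exc}") from exc
    # Reject anything that is not region-shaped (e.g. an HTML error page from a proxy).
    if not REGION_RE.fullmatch(region):
        raise ValueError(f"unexpected region value from {source}: {region!r}")
    return region


if __name__ == "__main__":
    import boto3  # imported here so the helpers above need only the standard library
    ssm = boto3.Session(region_name=resolve_region()).client("ssm")
    print(ssm.meta.region_name)
```

On instances that enforce IMDSv2 with the default hop limit of 1, a container in bridge network mode cannot reach the token endpoint, so the call fails with the RuntimeError above; setting AWS_DEFAULT_REGION in the container definition avoids the metadata call entirely.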