-
Notifications
You must be signed in to change notification settings - Fork 812
Capturing EC2 tags at startup
Alexis Lê-Quôc edited this page Oct 31, 2013
·
3 revisions
Note: This page is only relevant if you run the agent on AWS EC2.
The list of instance tags that can be retrieved using the local metadata interface excludes custom tags set using the EC2 API.
In order to gather all tags including custom tags, the agent has to query the EC2 API. And to do so it needs credentials to sign all its requests. Rather than forcing credentials to be passed at startup time, AWS IAM allows for temporary credentials to be requested by an instance to then make API calls.
- Set in
datadog.confthe IAM role name that the instance was created as, e.g.role. - On startup, if configured to do so, the agent will query the metadata service to get temporary credentials
GET http://169.254.169.254/latest/meta-data/iam/security-credentials/[role] - It will then use the EC2 API
DescribeTags(http://docs.aws.amazon.com/AWSEC2/latest/APIReference/ApiReference-query-DescribeTags.html) to get all the EC2 tags - Last it will merge these tags with the regular instance tags (e.g.
region:us-west-1). - Once the tags are sent,
boto, the python library to query the EC2 API is unloaded until the next time it is needed (assuming tags are sent on a regular basis).
-
boto, bundled with the agent and deployed to/usr/share/datadog/agent - Configuration entries in
datadog.confto specify the IAM role to query to retrieve temporary credentials