Ansible module to attach an IAM role to existing EC2 instances - amazon-web-services

I am trying to attach an IAM role to multiple EC2 instances based on tags. Is there a module already available which I can use? I have been searching for a bit but couldn't find anything specific.

Attaching an IAM role to existing EC2 instances is a relatively new feature (announced in Feb 2017). There is no support for that in Ansible currently. If you have AWS CLI 1.11.46 or higher installed, then you can use the shell module to invoke the AWS CLI and achieve the desired result.
See: New! Attach an AWS IAM Role to an Existing Amazon EC2 Instance by Using the AWS CLI

I submitted a PR last year to add 2 AWS modules: boto3 and boto3_wait.
These 2 modules allow you to interact with the AWS API using boto3.
For instance, you could attach a role to an existing EC2 instance by calling the associate_iam_instance_profile method on the EC2 service:
- name: Attach role MyRole
  boto3:
    service: ec2
    region: us-east-1
    operation: associate_iam_instance_profile
    parameters:
      IamInstanceProfile:
        Name: MyRole
      InstanceId: i-xxxxxxxxxx
Feel free to give the PR a thumbs-up if you like it! ;)
In addition to this, you can use AWS dynamic inventory to target instances by tag.

Related

Create an AssumeRole with kube2iam for Amazon EKS

I have an Amazon EKS Cluster in which I am deploying ExternalSecrets. I do the deployment of our cluster using IaC (Terraform). Now I want to be able to use
this methodology to allow my new service pods to assume any AWS role for my AWS account and pull the Secrets. I create IAM Roles in terraform files using kube2iam. Any help how I can achieve this? I have added the doc to this as well. Documentation

ECS task. How to use AWS CLI within container

I'm trying to use AWS cli commands inside the container.
I have given policy within ECS cluster instance but it seems the container comes up with error as it tries to call AWS CLI command inside the container as an entrypoint when it boots and fails.
My IAM role with Instance Profile allows to do KMS get and decrypt which is what I need for the AWS CLI operations
Is there a way to pass credentials like instance profile inside ECS task container?
To pass a role to your container(s) in a task you can use IAM Roles for Tasks:
With IAM roles for Amazon ECS tasks, you can specify an IAM role that can be used by the containers in a task. Applications must sign their AWS API requests with AWS credentials, and this feature provides a strategy for managing credentials for your applications to use, similar to the way that Amazon EC2 instance profiles provide credentials to EC2 instances.

Passing IAM role to a Docker on EC2

What is the suggested way to pass IAM role to a Docker container on EC2?
I have a mlflow project running in a docker environment on EC2.
The python code needs to read and write from S3.
The following is the error (sometimes other types of error also indicating no S3 access from the container, for example an S3 resource not found error):
botocore.exceptions.ProfileNotFound: The config profile (xxx) could not be found
To solve the s3 access issue, I already created an IAM role that allows access to the bucket.
What are the best ways to give this role to the Docker container?
Is it possible to define the role name in Dockerfile?
Thanks
If you are using ECS to run containers on your EC2 instances you can set the taskRoleArn in the Task Definition. If you are running docker on EC2 without ECS you could give the instance the role and use --net host and the container should use the ec2 instance's role.
I'm using docker on EC2 and I just created an Instance Profile.
If you use Console:
Instances -> CHOOSE YOUR INSTANCE -> Actions -> Instance Settings -> Attach/Replace IAM Role
If you use CloudFormation:
EC2Instance:
  Type: AWS::EC2::Instance
  Properties:
    IamInstanceProfile: !Ref EC2InstanceIAMInstanceProfile
    ...

How can we restrict an IAM User to launch EC2 Instance and VPC via CloudFormation only?

How can we restrict an IAM User to launch EC2 Instance and VPC via CloudFormation only? I don't want the user to launch the EC2 instance and VPC directly from the console.
Two options:
Use a role with AWS CloudFormation
When launching a CloudFormation stack, a role can be specified. This role can have the necessary permissions to launch the stack, even if the user doesn't have it.
See: AWS CloudFormation Service Role - AWS CloudFormation
Use AWS Service Catalog
AWS Service Catalog allows you to create a portfolio of offerings that users can launch. It uses a role to launch services even if the user themselves doesn't have permission to launch the services themselves.
See: AWS Service Catalog Documentation

How to add an IAM role to an existing instance in AWS?

I would like to add an IAM Role to an existing EC2 instance in AWS. I tried using AWS CLI. However, I could not find a way to do that.
As of AWS CLI v1.11.46, which was released just yesterday (see the CHANGELOG file on GitHub), you can now attach an IAM role to an existing EC2 instance that was originally launched without an IAM role using the associate-iam-instance-profile command.
You can also replace the currently attached IAM role for a running instance using replace-iam-instance-profile-association.
For more details, see the following article on AWS Security Blog:
Attach an AWS IAM Role to an Existing Amazon EC2 Instance by Using the AWS CLI.
UPDATE
As of Feb 22, 2017, you can attach/replace an IAM role to an existing EC2 instance from the EC2 console as well. See this blog post for more details.
If you are getting "The association is not the active association" error when trying to attach a role to an existing EC2 instance then you should:
1. detach the existing role from the existing EC2 instance.
2. attach a new role to the existing EC2 instance.
Once you do that, you will be able to attach a role to an existing EC2 instance.
The Roles must be assigned when an instance is first launched.
It is not possible to assign the Role after launch.
I would recommend launching a new instance via the Launch More Like This console command. Please note this will create a new boot disk based on the same AMI, so any data you've saved will not be copied across. If you wish to save the data, you will need to create an AMI from the instance and launch the new instance from that AMI.
Update Feb 2017: It is now possible to add an IAM Role to an existing instance. This can be done via the AWS Command-Line Interface (CLI). Use the replace-iam-instance-profile-association command.
Well, that's the harsh truth as of now. You can't associate an IAM role to an existing instance. I came to know that when I was trying the System Server Manager service, which required your EC2 instance to communicate with the ssm api.
I think we have to wait some more time.
This feature was added Feb 9 2017. Note: the thing you are looking for is called an "Instance Profile". The policy describes the rights. That policy then gets added to a role and/or instance profile. I don't see any notes about specifically how to do it, so I'll add it as an answer.
Source document here
Specific instructions are below to conform with StackOverflow guidelines regarding link rot.
1) Create role
aws iam create-role --role-name YourNewRole --assume-role-policy-document file://YourNewRole-Trust-Policy.json
2) Attach policy to role
aws iam attach-role-policy --role-name YourNewRole --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
3) Create instance profile (this is what a role is called when attached to an instance)
aws iam create-instance-profile --instance-profile-name YourNewRole-Instance-Profile
4) Add role to instance profile
aws iam add-role-to-instance-profile --role-name YourNewRole --instance-profile-name YourNewRole-Instance-Profile
5) Attach instance profile to ec2 instance
aws ec2 associate-iam-instance-profile --instance-id YourInstanceId --iam-instance-profile Name=YourNewRole-Instance-Profile
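The five CLI steps above, the "association is not the active association" recovery described in an earlier answer, and the tag-based targeting the original question asks for, combined into one script. This is an added example, not code from any of the answers or from AWS; the role name, the tag key/value and the trust-policy file are placeholders, and the trust policy document is constructed here (only the EC2 service may assume the role). The attached managed policy is read-only so the role stays least-privilege; swap in whatever policy your workload actually needs.

```shell
#!/usr/bin/env bash
# Added example (not from the answers above). Chains the five aws-cli steps into
# functions, checks for an existing association before attaching (replace instead of
# associate, which is what the "not the active association" error points at), and
# selects instances by tag. Role/tag names are placeholders.
set -eu

AWS_REGION="${AWS_REGION:-us-east-1}"

# Constructed trust policy: only the EC2 service may assume the role.
write_ec2_trust_policy() {
  cat > "$1" <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }]
}
EOF
}

# Steps 1-4: create the role, attach a managed policy, create the instance profile,
# put the role into it. Prints the instance profile name.
create_instance_profile() {
  role="$1"; policy_arn="$2"; trust_file="$3"
  profile="${role}-Instance-Profile"
  aws iam create-role --role-name "$role" \
    --assume-role-policy-document "file://$trust_file" >/dev/null
  aws iam attach-role-policy --role-name "$role" --policy-arn "$policy_arn" >/dev/null
  aws iam create-instance-profile --instance-profile-name "$profile" >/dev/null
  aws iam add-role-to-instance-profile --role-name "$role" \
    --instance-profile-name "$profile" >/dev/null
  echo "$profile"
}

# Association id of the profile currently attached to an instance, or empty if none.
# The text output of a null query is the literal word "None", which is blanked out.
current_association_id() {
  aws ec2 describe-iam-instance-profile-associations --region "$AWS_REGION" \
    --filters "Name=instance-id,Values=$1" "Name=state,Values=associated" \
    --query 'IamInstanceProfileAssociations[0].AssociationId' --output text \
    | sed 's/^None$//'
}

# Step 5: associate when the instance has no profile; otherwise replace the existing
# association rather than failing on the "not the active association" error.
attach_profile() {
  instance_id="$1"; profile="$2"
  assoc="$(current_association_id "$instance_id")"
  if [ -z "$assoc" ]; then
    aws ec2 associate-iam-instance-profile --region "$AWS_REGION" \
      --instance-id "$instance_id" --iam-instance-profile "Name=$profile" >/dev/null
    echo "associated"
  else
    aws ec2 replace-iam-instance-profile-association --region "$AWS_REGION" \
      --association-id "$assoc" --iam-instance-profile "Name=$profile" >/dev/null
    echo "replaced"
  fi
}

# Running instance ids carrying tag key=value, whitespace separated.
instances_with_tag() {
  aws ec2 describe-instances --region "$AWS_REGION" \
    --filters "Name=tag:$1,Values=$2" "Name=instance-state-name,Values=running" \
    --query 'Reservations[].Instances[].InstanceId' --output text
}

# Attach the profile to every instance with the tag; prints "<id> <action>" per line.
attach_profile_by_tag() {
  tag_key="$1"; tag_value="$2"; profile="$3"
  for id in $(instances_with_tag "$tag_key" "$tag_value"); do
    echo "$id $(attach_profile "$id" "$profile")"
  done
}

# Usage: ./attach-role.sh run Role web YourNewRole   (placeholder tag and role names)
if [ "${1:-}" = "run" ]; then
  write_ec2_trust_policy YourNewRole-Trust-Policy.json
  profile="$(create_instance_profile "$4" \
    arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess YourNewRole-Trust-Policy.json)"
  attach_profile_by_tag "$2" "$3" "$profile"
fi
```

The describe call before the associate is what makes the script safe to re-run: a second run on an already-tagged fleet replaces the association instead of erroring, and the `--query`/`--output text` pair keeps the whole thing free of a JSON parser dependency. Because the IAM steps are not idempotent (create-role fails if the role exists), run them once and re-run only the attach step for new instances.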