I have a use case where in I have installed a private instance of webpagetest http://www.webpagetest.org on EC2 . Now I want to enable autoscaling of the webpagetest AMIs . Now for autoscaling the AMI , I need to mention the AWS secret key and access key here in the configuration. https://github.com/WPO-Foundation/webpagetest/blob/master/www/settings/ec2.ini.sample
Now the team that handles AWS in my organization are hesitant to give me the keys.
Is there a work around for problem like this. Can the keys be shared in some other way.
The proper way to do this is to create an IAM role, and assign it to the EC2 instance.
You can't assign a role to an existing instance, so you will have to recreate your instance.
The AWS documentation for this is available here
Related
I have a container running on EC2 which is currently running in a public VPC ( It cannot be changed right now) and, in order for this resource to access DynamoDB, I have created a user, limiting its access to my table in Dynamo and then I created access keys to use in my API calls.
My idea is store these secrets in secret manager and use its SDK from my EC2 to then perform the operations I want to.
However, it just seem like a lot of effort and, creating a specific user just to limit the permissions does not seem right for me.
Am i in the right way? What would be the most interesting approach to access the Dynamo programmatically from my EC2 ?
I have read somewhere that I could grant role permissions so my EC2 could access my Dynamo.
Does that make sense?
Note: I have an ECS working along my EC2
I am new to AWS and used to work a lot with Azure but mostly with serverless applications where I could easily used the Identity Management feature to grant those permissions.
The details were all mentioned above.
I think it would be better to create an instance-profile, define it with the permissions you want for dynamodb, which is pretty much like an iam role and then when you start the instance, use that role. That means, you do not need to store credentials and this is generally the recommended way to access services from an instance over using access keys.
Ref: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html
I have done some search and found this article, it matches exactly your case (EC2 + Dynamo DB)
https://awstip.com/using-aws-iam-roles-with-ec2-and-dynamodb-7beb09af31b9
And yes for EC2, the correct approach is to create an IAM role and attach to your instance
Also the following command can be used to retrieve the associated credentials (AWS Key + AWS Secret) that are used by that IAM role
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/<name-of-iam-role>
I've outsourced development work to another company.
ATM they have AWS login details and EC2 instance key pair ( root user )
Once they deliver project, I don't want them to have access to either of AWS and/or EC2, how to achieve the same ?
For AWS I can set 2FA and change password
How about EC2 instance ? Their developer still has key pair with him.
I looked into AWS documentation but didn't understand how to manage permission properly.
I'm new to AWS and EC2, please help with this basic queries
You should not allow any user to access your EC2 instance with root key.
Normal practice:
Ask outsource developer to give his public key
Add his public to EC2 instance in authorized keys
Once the project is done to remove his public key from the ec2 instance.
Best practice in case of AWS:
Register instance in OpsWork stack
Ask user for his public key
Add user in the OpsWork stack as he is already AWS user
He will able to access the instance
So once the project, Delete the user from Ops work and AWS, his access will be revoked. In this case you do not need to change anything on instance side, AWS OpsWork will take care of it.
For AWS I can set 2FA and change password
Better to create IAM user for him, once the project is done delete that user.
My team has some EC2 instances and we all need SSH access to them. These instances were created with one IAM user and the credentials were assigned to that user. We do have the keys but how are you suppose to give SSH access to those instances to several users?
The only way I have managed to accomplish that is by securely sharing those keys but it feels like it's the wrong way to do it. So, what are the best practices regarding the access to EC2 instances to several users?
Take a look at the steps covered in the AWS Docs for managing user accounts on your EC2 instance.
The basic idea here is to add users directly to the instance itself (via sudo adduser).
Once each of your users has an account and SSH key stored locally on the EC2 instance, they should be able to SSH into it as expected.
An option might be to create your EC2 instances as part of an AWS OpsWorks Stack.
AWS OpsWorks is a configuration management service that helps you configure and operate applications in a cloud enterprise by using Puppet or Chef
The advantage of using this is that Opsworks manages SSH key access to instances for multiple users, while allowing each user to manage their own SSH private keys. according to the docs:
For Linux stacks, AWS OpsWorks Stacks provides a simpler and more flexible way to manage SSH key pairs.
Each user registers a personal key pair.
They store the private key locally and register the public key with AWS OpsWorks Stacks, as described in Registering an IAM User's Public SSH Key.
When you set user permissions for a stack, you specify which users should have SSH access to the stack's instances.
AWS OpsWorks Stacks automatically creates a system user on the stack's instances for each authorized user and installs their public key. The user can then use the corresponding private key to log in, as described in Logging In with SSH.
Additionally, if you want to convert your existing setup:
You can also incorporate Linux-based computing resources into a stack that was created outside of AWS OpsWorks Stacks.
Amazon EC2 instances that you created directly by using the Amazon EC2 console, CLI, or API.
I have a scaling group of several EC2 instances.
I have API keys which I would like to distribute to the instances using round-robin.
How can I code the instances to get the credentials once they go live?
Is there an AWS service for that?
It is not AWS credentials which could be solved by defining IAM Roles.
Thanks
Use "user data" option when you start your EC2 instance, You can run the bash script.
I recommend the following step.
1-put your cred or other shared information to S3 or dynamoDB.
2-write script to read and setting this data when your EC2 was starting.
The closest thing AWS has to this is called IAM Roles. A role includes a set of IAM permissions (like an IAM user). When you start a VM, you can set the role of the VM. The VM can then call the AWS API and get temporary credentials that give it access to the services that are defined in the IAM role.
See here for more details:http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
This does not exactly meet your requirement for round-robin credentials distribution. But it might be a better option. IAM roles are as secure a method of distributing credentials to EC2 instances as you can get.
AWS now provides two services that could be used for that purpose:
The Secrets Manager would seem to be the most fitting, but does cost money from the start.
The Parameter Store is also an option and is free for up to 10k parameters.
I am exploring amazon IAM Roles. I want to know how can we apply IAM roles to an ec2 instance to access an application.
Any lead is highly appreciated.
Thanks
You can attach a Role to an Instance to provide this instance with specific permissions to use AWS API.
For example : You deploy a Java application on Tomcat and you want your application to use DynamoDB or S3 ... you need an ACCESS KEY and SECRET KEY with proper permission. How would your application get these ? A configuration file ? Burned into the AMI ? Stored in a database ? ... none of these are secure and manageable at large scale.
This is where Role kicks in.
you define a role in IAM and attach a couple of permission to it.
when you create the instance, you attach the role (you can not do that at a later time !)
from the instance, a private web service will give access to temporary ACCESS KEY and SECRET KEY, limited to the permissions specified in the role.
The best part is that AWS SDK are knowing about that and can dynamically and automatically get the keys for you.
Check out the doc for more details : http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html