I am trying to use aws cookbook with iam roles, but when I trying to not include aws_access_key and aws_secret_access_key in the aws_ebs_volume block, the chef keep showing an error: RightAws::AwsError: AWS access keys are required to operate on EC2.
I assume when cookbook mean omit the resource parameters aws_secret_access_key and aws_access_key, I just delete them from the block.
aws_ebs_volume "userhome_volume" do
provider "aws_ebs_volume"
volume_id node['myusers']['usershome_ebs_volid']
availability_zone node['myusers']['usershome_ebs_zone']
device node['myusers']['usershome_ebs_dev_id']
action :attach
end
Does anyone have the example of aws cookbook with iam roles please?
update:
Do I still need to define aws creeds data bag if I have already have proper iam role attached to the instance?
When I use iam role and aws cookbook, what does the was_ebs_volume block look like?
In order to manage AWS components, you need to provide authentication credentials to the nodein one of two ways:
explicitly pass credentials parameter to the resource
or let the resource pick up credentials from the IAM role assigned to the instance
When you provision the instance, you should assign it the appropriate role in "Step 3. Configure Instance Details" (when using the console). The setting "IAM role" for EC2 automatically deploys and rotates AWS credentials for you, eliminating the need to store your AWS access keys with your application. On an instance provisioned this way, you no longer need to include aws_access_key and aws_secret_access_key in the aws_ebs_volume block.
Here are code examples on how to launch an instance with an IAM role using the IAM and Amazon EC2 CLIs:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
and here are some code examples:
http://www.getchef.com/blog/2013/12/19/automating-iam-credentials-with-ruby-and-chef/
When you assign the appropriate IAM role during instance provisioning, your code should work without aws_access_key and aws_secret_access_key.
Here are the steps:
Set up your S3, Chef server, and IAM role as described here:
https://securosis.com/blog/using-amazon-iam-roles-to-distribute-security-credentials-for-chef
Execute “knife client ./” to create client.rb and validation.pem, then transfer them from your Chef server into your bucket.
Launch a new instance with the appropriate IAM Role you set up for Chef and your S3 bucket.
Specify your customized cloud-init script in the User Data field or command-line argument as described here:
https://securosis.com/blog/using-cloud-init-and-s3cmd-to-automatically-download-chef-credentials
You can also host the script as a file and load it from a central repository using an include.
Execute chef-client.
Related
I have running app on auto-scaled ec2 env. of account1 created via AWS CDK (it also should have support to be run on multiple regions). During the app execution I need to get object from account2's s3.
One of the ways to get s3 data is use tmp credentials(via sts assume role):
on account1 side create a policy for ec2 instance role to assume sts tmp credentials for s3 object
on account2 side create a policy GetObject access to the s3 object
on account2 site create role and attach point2's policy to it + trust relationship to account1's ec2 role
Pros: no user credentials are required to get access to the data
Cons: after each env update requires manual permission configuration
Another way is to create a user in account2 with permission to get s3 object and put the credentials on account1 side.
Pros: after each env update doesn't require manual permission configuration
Cons: Exposes IAM user's credentials
Is there a better option to eliminate manual permission config and explicit IAM user credentials sharing?
You can add a Bucket Policy on the Amazon S3 bucket in Account 2 that permits access by the IAM Role used by the Amazon EC2 instance in Account 1.
That way, the EC2 instance(s) can access the bucket just like it is in the same Account, without have to assume any roles or users.
Simply set the Principal to be the ARN of the IAM Role used by the EC2 instances.
We currently have 2 AWS accounts that we use. For most of the stuff we want to use the AWS account that our web app is hosted on in an EC2 instance so this works fine:
services.AddDefaultAWSOptions(this.Configuration.GetAWSOptions());
services.AddAWSService<IAmazonSQS>();
services.AddAWSService<IAmazonSimpleSystemsManagement>();
However, I want to access EC2 instances in another AWS account. I've configured it to work locally using credentials and from following this guide (where it mentions about using multiple services): https://docs.aws.amazon.com/sdk-for-net/latest/developer-guide/net-dg-config-netcore.html
services.AddDefaultAWSOptions(this.Configuration.GetAWSOptions());
services.AddAWSService<IAmazonSQS>();
services.AddAWSService<IAmazonSimpleSystemsManagement>();
if (this.WebHostEnvironment.IsDevelopment())
{
// This works fine locally, but I don't want to use credential file in production
var other = this.Configuration.GetAWSOptions("other");
services.AddAWSService<IAmazonEC2>(other);
}
else
{
// How do I register other here without putting a credential file on my ec2 instance?
services.AddAWSService<IAmazonEC2>();
}
I'm not sure how to register IAmazonEC2 to use my other account. I don't want to put a credential file on my instance which is how I get it working locally but it doesn't seem right to me on production servers.
I have configured an IAM role that has access to my other account and given it to my EC2 instance. But how do I translate that IAM role to a profile to use where I am registering IAmazonEC2 above?
Any help appreciated. Thanks
There are really two ways to do it...
Option 1: Use an IAM Role
Let's say that the Amazon EC2 instance is running in Account-A and it now wants to query information about Account-B. You could:
Create an IAM Role in Account-B, with a trust policy that trusts the IAM Role being used by the EC2 instance in Account-A
Your code running on the EC2 instance in Account-A can call AssumeRole() (using the normal credentials from Account-A). This will return a set of temporary credentials.
Use those temporary credentials to make API calls to Account-B
Option 2: Use credentials from Account-B
Alternatively, give your program a set of IAM User credentials from Account-B. These could be stored in AWS Systems Manager Parameter Store - AWS Systems Manager or AWS Secrets Manager, and retrieved by using the normal credentials assigned to the EC2 instance in Account-A.
On my client's AWS account, security credentials are generated everytime we login to their AWS sandbox account. This credentials file is automatically generated and downloaded via a Chrome plugin(SAML to AWS STS Key Conversion).
We then have to place the generated content to the ./aws/credentials file inside an EC2 instance in the same AWS account. This is little inconvenient as we have to update the generated credentials and session_token into the credentials file inside the EC2 instance every time we launch a Terraform script.
Is there any way we can attach any role so that we can just use the EC2 instance without entering the credentials into the credentials file.
Please suggest.
Work out what a reasonable, minimal set of permissions the Terraform script needs to create its AWS resources, then create an IAM role with those permissions, then add that IAM role to the instance (or launch a new instance with the role). Don't have a ~/.aws/credentials file on the instance or it will take precedence over the IAM role-based credentials.
We use CloudFormation to deploy our platform. Is here a way to allow the application instance access to the DynamoDB tables without exposing API credentials?
I read about creating an IAM role that has the right permission and use instance profile. How do I achieve this? can someone please provide more details and explain what instance profile is?
As per AWS IAM documentation, Instance Profile is:
An instance profile is a container for an IAM role that you can use to pass role information to an EC2 instance when the instance starts.
So, this is a feature provided by AWS so that IAM credentials don't have to be stored in EC2 instances to execute AWS APIs. Also, this feature aids in granting only the permission specified in the desired IAM role to the EC2 instance. Also, you can use the same Instance profile on multiple instances. This way, you don't have to update credentials on each EC2 instance whenever you change the credentials. So, while launching the EC2 instance, you can specify the instance profile. The instance profile is attached to an IAM role. The EC2 instance will get the IAM role and all the IAM credentials. You just need to set the AWS region before using the APIs.
How to do it:
1) Create an IAM role using: create-role
2) Create Instance Profile using: create-instance-profile. The output of this step will contain the Arn for the Instance Profile. This needs to be used in step 4.
3) Add role to Instance Profile using: add-role-to-instance-profile
4) Launch instance using run-instances. Specify the --iam-instance-profile option as below:
--iam-instance-profile Arn=instanceArn
The instanceArn is got from step 2.
The same can be achieved using AWS Console. The Screenshot below shows, how you can specify the role during launch of an EC2 instance:
For more details please see Using Instance Profiles and section 'Permissions Required for Using Roles with Amazon EC2' at page 190 of AWS IAM User Guide.
I am mounting an AWS S3 bucket as a filesystem using s3fs-fuse. It requires a file which contains AWS Access Key Id and AWS Secret Access Key.
How do I avoid the access using this file? And instead use AWS IAM roles?
As per Fuse Over Amazon document, you can specify the credentials using 4 methods. If you don't want to use a file, then you can set AWSACCESSKEYID and AWSSECRETACCESSKEY environment variables.
Also, if your goal is to use AWS IAM instance profile, then you need to run your s3fs-fuse from an EC2 instance. In that case, you don't have to set these credential files/environment variables. This is because while creating the instance, if you attach the instance role and policy, the EC2 instance will get the credentials at boot time. Please see the section 'Using Instance Profiles' in page 190 of AWS IAM User Guide
there is an argument -o iam_role=--- which helps you to avoid AccessKey and SecretAccessKey
The Full steps to configure this is given below
https://www.nxtcloud.io/mount-s3-bucket-on-ec2-using-s3fs-and-iam-role/