
Using IAM roles on Amazon Web Services to generate temporary credentials for EC2 instances

While working on a project involving Amazon Web Services, I ran across the concept of using temporary credentials with AWS's Command Line Interface (awscli) tool. The awscli tool needs authentication credentials so that AWS can authorize the actions it performs. When awscli runs on an EC2 instance, AWS provides a way to obtain temporary credentials on demand through the use of IAM roles, instead of storing a long-lived access key on the instance.

In my research on the topic, I found a lot of posts showing how to use temporary credentials, but not a lot of information on how to set up the needed IAM roles. After some additional research, in addition to trial and error, I was able to figure out the IAM role setup process. For more details, see below the jump.

Creating an IAM Role

1. Log into the AWS console

2. Select IAM, under Security, Identity & Compliance


3. In the IAM window, select Roles.


4. In the Roles window, click on the Create New Role button.


5. To enable a role for EC2 instances, click the Select button for Amazon EC2. This sets the role's trust relationship so that the EC2 service (ec2.amazonaws.com) is allowed to assume the role on behalf of the instances it is attached to.


6. Locate a policy that grants the access the instance needs (the list includes AWS-managed policies as well as customer-managed policies created in your own account). In this case I want a policy that gives full rights to Amazon S3 buckets; for a production instance, prefer a policy scoped to the specific buckets and actions it actually uses.


7. Once the policy is located, check the box for the policy then click the Next Step button.


8. Name the role and put in a description of what the role is supposed to do. Once finished, click the Create Role button.


9. The newly-created role should now appear in the list of available roles.


Associate IAM Roles with EC2 instances

To associate a role with an EC2 instance at the time of the instance's creation, select the role from the IAM role section of the Configure Instance Details window.


To add a role to an already-running instance, use the following procedure:

1. Select the instance in question


2. Click on the Actions button, then select Instance Settings: Attach/Replace IAM Role


3. Select the role you want to associate with the instance, then click the Apply button.


4. If the role applies successfully, a success message should appear. Click the Close button.


5. The role should now appear associated with the EC2 instance.

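The console steps above (creating the role with an EC2 trust relationship, giving it a policy, then attaching it to a new or running instance) can also be done from the awscli tool. The script below is an added example and is not part of the original post. The role name S3ReadRole, the bucket my-app-bucket and the instance ID argument are placeholders, and it assumes awscli is installed with credentials that may manage IAM. Run with no arguments it only prints the two policy documents; run as `create <instance-id>` it makes the AWS calls. It also shows the trust policy the console writes for you when you pick Amazon EC2, and the instance-profile step the console performs silently.

```sh
#!/bin/sh
# Added example, not from the original post: the same role and instance
# profile setup done with the AWS CLI instead of the console.  ROLE_NAME,
# BUCKET and the instance ID passed on the command line are placeholders.
ROLE_NAME="S3ReadRole"
BUCKET="my-app-bucket"

# The trust policy the console generates when "Amazon EC2" is selected:
# only the EC2 service may assume the role, which it does on behalf of
# instances that carry the matching instance profile.
trust_policy() {
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "Service": "ec2.amazonaws.com" },
    "Action": "sts:AssumeRole"
  }]
}
EOF
}

# A least-privilege permissions policy scoped to one bucket, in place of
# the AWS-managed AmazonS3FullAccess policy used in the walkthrough.
s3_bucket_policy() {
    bucket=$1
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": "arn:aws:s3:::${bucket}"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "arn:aws:s3:::${bucket}/*"
    }
  ]
}
EOF
}

# Create the role, attach the inline policy, and wrap the role in an
# instance profile.  The console creates the instance profile for you; the
# CLI does not, and EC2 attaches instance profiles, never bare roles.
create_role() {
    tmp=$(mktemp -d)
    trust_policy > "$tmp/trust.json"
    s3_bucket_policy "$BUCKET" > "$tmp/perms.json"
    aws iam create-role --role-name "$ROLE_NAME" \
        --assume-role-policy-document "file://$tmp/trust.json"
    aws iam put-role-policy --role-name "$ROLE_NAME" \
        --policy-name "${BUCKET}-access" --policy-document "file://$tmp/perms.json"
    aws iam create-instance-profile --instance-profile-name "$ROLE_NAME"
    aws iam add-role-to-instance-profile \
        --instance-profile-name "$ROLE_NAME" --role-name "$ROLE_NAME"
}

# Attach the profile to a running instance (console: Actions, then
# Instance Settings: Attach/Replace IAM Role).  For a new instance pass
# --iam-instance-profile Name=$ROLE_NAME to "aws ec2 run-instances" instead.
attach_to_instance() {
    aws ec2 associate-iam-instance-profile --instance-id "$1" \
        --iam-instance-profile "Name=$ROLE_NAME"
}

# Only talk to AWS when asked explicitly; otherwise just print the policies.
if [ "$1" = "create" ]; then
    create_role && attach_to_instance "$2"
else
    trust_policy
    s3_bucket_policy "$BUCKET"
fi
```

IAM changes take a few seconds to propagate, so a newly attached profile may not yield credentials on the instance immediately; if the metadata query in the next section returns nothing, wait briefly and retry.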

Using IAM roles for temporary credentials

Once an EC2 instance has been associated with a role, processes on it can obtain temporary credentials for that role from the instance metadata service. The awscli tool and the AWS SDKs check this source automatically as part of their credential lookup, so no access keys need to be stored on the instance: the tool fetches the role's credentials when it needs them, uses them for any action the role's policy or policies allow, and fetches a fresh set before the current one expires.

For tools which cannot pick up AWS credentials automatically, the same credentials can be retrieved with the curl command. First identify the name of the role associated with the instance by running the following command from inside the EC2 instance. The address 169.254.169.254 is the instance metadata service and is reachable only from the instance itself; bear in mind that any process on the instance, including a compromised web application, can read it, so the role's permissions should be no broader than the instance needs.

curl http://169.254.169.254/latest/meta-data/iam/security-credentials/


Once the role name is available, you can reference it in the following command:

curl http://169.254.169.254/latest/meta-data/iam/security-credentials/role_name_goes_here

This will pull the credentials from AWS and display them.


Tools need three of these values, not two: AccessKeyId, SecretAccessKey and Token. Because these are temporary credentials, a request signed with only the key ID and secret is rejected; the Token must be supplied as well (for example in the AWS_SESSION_TOKEN environment variable or the aws_session_token setting in the credentials file). The Expiration field gives the date and time (UTC) at which they stop working; the awscli tool and SDKs refresh automatically before then, but anything that copied the values out of the metadata service must fetch them again.


The AccessKeyId and SecretAccessKey values can be extracted by themselves by using the following commands (the same pattern works for the Token value). The -s flag keeps curl's progress meter out of the output:

AccessKeyId:

curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/role_name_goes_here | awk '/AccessKeyId/ {print $3}' | sed 's/[^0-9A-Z]*//g'


SecretAccessKey:

curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/role_name_goes_here | awk '/SecretAccessKey/ {print $3}' | sed 's/[^0-9A-Za-z/+=]*//g'

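The script below is an added example, not code from the original post. It addresses two gaps in the one-liners above: they leave out the Token, without which temporary credentials cannot be used, and their plain GET requests are refused with a 401 on instances configured to require IMDSv2, the token-based version of the metadata service AWS introduced after this post was written. The script fetches the credential document with an IMDSv2 session token, generalizes the awk extraction to any field, emits the three environment variables the awscli tool and SDKs honour, and checks the Expiration stamp. The JSON sample embedded in it is constructed with fake values so the parsing part runs offline; fetch_creds itself only works on an EC2 instance with a role attached.

```sh
#!/bin/sh
# Added example, not from the original post: read the role credentials from
# the instance metadata service (IMDS) and export all three values a tool
# needs, including the session token the walkthrough's awk commands omit.
IMDS="http://169.254.169.254/latest"

# IMDSv2 session token.  Instances can be set to require IMDSv2, in which
# case plain GETs return 401; instances that still allow IMDSv1 accept the
# token header too, so this form works on both.
imds_token() {
    curl -s -X PUT "$IMDS/api/token" \
        -H "X-aws-ec2-metadata-token-ttl-seconds: 60"
}

# Fetch the credential document for whatever role is attached.  Only works
# on an EC2 instance; not exercised offline.
fetch_creds() {
    tok=$(imds_token)
    role=$(curl -s -H "X-aws-ec2-metadata-token: $tok" \
        "$IMDS/meta-data/iam/security-credentials/")
    curl -s -H "X-aws-ec2-metadata-token: $tok" \
        "$IMDS/meta-data/iam/security-credentials/$role"
}

# Extract one field from the one-field-per-line JSON IMDS returns.  Splitting
# on double quotes makes the key field 2 and the value field 4, which copes
# with varying whitespace and the / + = characters in secrets and tokens.
json_field() {
    awk -F'"' -v key="$1" '$2 == key { print $4 }'
}

# Turn the document on stdin into shell export lines.  Fails if any of the
# three required values is missing (e.g. a document with "Code" : "Failure").
creds_to_env() {
    doc=$(cat)
    id=$(printf '%s\n' "$doc" | json_field AccessKeyId)
    secret=$(printf '%s\n' "$doc" | json_field SecretAccessKey)
    token=$(printf '%s\n' "$doc" | json_field Token)
    expires=$(printf '%s\n' "$doc" | json_field Expiration)
    [ -n "$id" ] && [ -n "$secret" ] && [ -n "$token" ] || return 1
    printf 'export AWS_ACCESS_KEY_ID=%s\n' "$id"
    printf 'export AWS_SECRET_ACCESS_KEY=%s\n' "$secret"
    printf 'export AWS_SESSION_TOKEN=%s\n' "$token"
    printf '# expires %s\n' "$expires"
}

# Usage: creds_expired EXPIRATION [NOW]; succeeds when the credentials have
# expired.  Both are ISO 8601 UTC stamps, so a string comparison is correct.
creds_expired() {
    now=${2:-$(date -u +%Y-%m-%dT%H:%M:%SZ)}
    awk -v e="$1" -v n="$now" 'BEGIN { if (e < n) exit 0; exit 1 }'
}

# Constructed sample of the IMDS response (all values are fake), used so the
# parsing can be demonstrated without an instance.
SAMPLE_CREDS='{
  "Code" : "Success",
  "LastUpdated" : "2017-04-27T01:50:48Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "ASIAEXAMPLEEXAMPLE12",
  "SecretAccessKey" : "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
  "Token" : "FQoDYXdzEExampleSessionToken==",
  "Expiration" : "2017-04-27T08:08:20Z"
}'

# On a real instance:  eval "$(fetch_creds | creds_to_env)"
printf '%s\n' "$SAMPLE_CREDS" | creds_to_env
```

The exported values are only good until the printed expiration; a long-running tool that is handed them this way needs to re-run the fetch before then, which is exactly the work the awscli tool does on its own when it reads the metadata service directly.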

Categories: Amazon Web Services, Linux