While working on a project involving Amazon Web Services, I ran across the concept of using temporary credentials with AWS's Command Line Interface (awscli) tool. When using the awscli tool, it is necessary to provide authentication credentials so that AWS can authorize the tool's actions. When running the awscli tool on an EC2 instance, AWS provides a way to get temporary authentication credentials on demand, through the use of IAM roles.
In my research on the topic, I found a lot of posts showing how to use temporary credentials, but not a lot of information on how to set up the needed IAM roles. After some additional research, in addition to trial and error, I was able to figure out the IAM role setup process. For more details, see below the jump.
Creating an IAM Role
1. Log into the AWS console
2. Select IAM, under Security, Identity & Compliance
3. In the IAM window, select Roles.
4. In the Roles window, click on the Create New Role button.
5. To enable a role for EC2 instances, click the Select button for Amazon EC2.
6. Locate a policy that does what is wanted (the list includes the Amazon-managed policies as well as any customer-managed policies written in your own account.) In this case, I want to find policies that give me full rights to Amazon S3 buckets. Keep in mind that whatever the policy allows, every process on the instance will be able to do, so a policy scoped to the specific buckets and actions the instance needs is the safer choice where one exists.
7. Once the policy is located, check the box for the policy then click the Next Step button.
8. Name the role and put in a description of what the role is supposed to do. Once finished, click the Create Role button.
9. The newly-created role should now appear in the list of available roles. Behind the scenes, the console has also created an instance profile with the same name; it is the instance profile, not the role itself, that EC2 attaches to an instance, which matters if you later script this with the awscli tool.
Associate IAM Roles with EC2 instances
To associate a role with an EC2 instance at the time of the instance's creation, select the role from the IAM role section of the Configure Instance Details window.
To add a role to an already-running instance, use the following procedure:
1. Select the instance in question
2. Click on the Actions button, then select Instance Settings: Attach/Replace IAM Role
3. Select the role you want to associate with the instance, then click the Apply button.
4. If the role applies successfully, a success message should appear. Click the Close button.
5. The role should appear associated with the EC2 instance.
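The same role setup and attachment, done from the command line, as an added example that is not part of the original post. It spells out what the console does silently when you pick Amazon EC2 as the role type: the trust policy that lets ec2.amazonaws.com assume the role, the instance profile that actually gets attached to the instance, and a permission policy scoped to one bucket instead of the AmazonS3FullAccess managed policy. The role name, bucket name and instance ID are placeholders, and the aws calls need credentials that are allowed to use IAM and EC2.

```shell
#!/usr/bin/env bash
# Added example: create an EC2 instance role with the awscli tool.
# Names used here (s3-reader-role, example-bucket, the instance ID) are
# placeholders, not values from the original post.
set -e

# Trust policy. This is what the console writes for you when you choose
# "Amazon EC2" as the role type: it lets the EC2 service assume the role.
trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "ec2.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Permission policy scoped to a single bucket. Every process on the
# instance can obtain these rights from the metadata service, so this
# is the place to be stingy rather than attaching AmazonS3FullAccess.
bucket_policy() {
  bucket="$1"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "s3:ListBucket" ],
      "Resource": "arn:aws:s3:::${bucket}"
    },
    {
      "Effect": "Allow",
      "Action": [ "s3:GetObject", "s3:PutObject" ],
      "Resource": "arn:aws:s3:::${bucket}/*"
    }
  ]
}
EOF
}

# Role plus instance profile. The console creates the instance profile
# implicitly; the API needs it created and the role added to it, and it
# is the profile name that gets attached to the instance.
create_instance_role() {
  role="$1"; bucket="$2"
  tmp=$(mktemp -d)
  trust_policy > "$tmp/trust.json"
  bucket_policy "$bucket" > "$tmp/perm.json"
  aws iam create-role --role-name "$role" \
      --assume-role-policy-document "file://$tmp/trust.json" \
      --description "Read/write access to ${bucket} from EC2"
  aws iam put-role-policy --role-name "$role" \
      --policy-name "${role}-s3" --policy-document "file://$tmp/perm.json"
  aws iam create-instance-profile --instance-profile-name "$role"
  aws iam add-role-to-instance-profile \
      --instance-profile-name "$role" --role-name "$role"
  rm -rf "$tmp"
}

# CLI equivalent of Actions > Instance Settings > Attach/Replace IAM Role
# for a running instance. At launch time the same profile is passed to
# run-instances with --iam-instance-profile Name=<profile>.
attach_to_instance() {
  aws ec2 associate-iam-instance-profile \
      --instance-id "$1" --iam-instance-profile "Name=$2"
}

# Usage (placeholder values):
#   create_instance_role s3-reader-role example-bucket
#   attach_to_instance i-0123456789abcdef0 s3-reader-role
```

The policy documents are written to a fresh mktemp directory rather than fixed /tmp paths so that another local user cannot swap them out between the write and the create-role call.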
Using IAM roles for temporary credentials
Once an EC2 instance has been associated with a role, the awscli tool, the AWS SDKs, and applications built on them will pick up temporary credentials from the instance metadata service automatically, as the last stop in their default credential lookup order, and will refresh them before they expire. Nothing needs to be configured on the instance, and any API call that the role's policy or policies allow will succeed.
For tools which cannot get automatic access to AWS credentials, it is possible to retrieve credentials from AWS using the curl command. In order to get the credentials, you will first need to identify the name of the role associated with the EC2 instance. This can be done by running the following command from inside the EC2 instance:
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
Once the role name is available, you can reference it in the following command:
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/role_name_goes_here
This will pull the credentials from AWS and display them as a JSON document. Note that these commands use the original, unauthenticated form of the metadata service (IMDSv1). On instances configured to require IMDSv2 they return a 401; in that case a session token must first be obtained with a PUT request to http://169.254.169.254/latest/api/token and sent with each request in the X-aws-ec2-metadata-token header.
The values that tools need are AccessKeyId, SecretAccessKey and Token. Unlike the long-term keys of an IAM user, these temporary credentials are only accepted together with the session Token (AWS_SESSION_TOKEN in the environment, or aws_session_token in the credentials file); the key and secret on their own are rejected. The Expiration field gives the date and time at which the credentials stop working. Since any process on the instance can make this request, the role's permissions are effectively the permissions of everything running on the instance.
The AccessKeyId and SecretAccessKey values can be extracted on their own by using the following commands (the same approach, with Token as the field name, works for the session token):
AccessKeyID:
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/role_name_goes_here | awk '/AccessKeyId/ {print $3}' | sed 's/[^0-9A-Z]*//g'
SecretAccessKey:
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/role_name_goes_here | awk '/SecretAccessKey/ {print $3}' | sed 's/[^0-9A-Za-z/+=]*//g'