chris grzegorczyk edited this page Oct 14, 2012 · 2 revisions


IAM Roles

Roles allow for automatic provisioning of federated tokens for use by instance-hosted applications. By launching an instance with a role, the application on it receives access keys automatically, and the permissions those keys carry are controlled through the associated IAM instance profile.

Things to know about roles and their use from instances:

  • AWS access keys are automatically made available to running instances.
  • AWS access keys are rotated automatically multiple times a day. Keys are made available at least 5 minutes before the expiration of the previous set.
  • You can assign granular service permissions for applications running on an EC2 instance that make requests to other services in AWS.
  • Roles can be used with all Windows and Linux AMIs.
  • The instance metadata service is used to expose access keys to the instances.
  • Precautions to restrict instance metadata service should be taken on role-based instances which run services that might interact with the metadata service (e.g., HTTP proxies).

Launching an instance with a role

  1. Create roles using the IAM APIs (see creating a role: http://docs.amazonwebservices.com/IAM/latest/UserGuide/CreateRole.html)
  2. Launch an instance while specifying the role (see launching an instance with a role: http://docs.amazonwebservices.com/AWSEC2/latest/UserGuide/launching-an-instance.html)
  3. Use the metadata service from the instance to obtain the federated credentials (see using temporary security credentials: http://docs.amazonwebservices.com/AWSEC2/latest/UserGuide/UsingIAM.html#UsingTemporarySecurityCredentials_EC2)

```bash
# Create the role, trusting the EC2 service to assume it
$ iam-rolecreate -r s3access -s ec2.amazonaws.com

# Attach an inline policy; the wildcards are quoted so the shell does not expand them,
# and -o prints the resulting policy document
$ iam-roleaddpolicy -r s3access -e Allow -a 's3:*' -c '*' -p s3star -o
{"Version":"2008-10-17","Statement":[{"Effect":"Allow","Action":["s3:*"],"Resource":["*"]}]}

# Create the instance profile that wraps the role; the command prints the profile ARN
$ iam-instanceprofilecreate -s s3access -r s3access
arn:aws:iam::111111111111:instance-profile/s3access
```

Related Service Interfaces/Operations

  • Impacted services/tools which need to add support are:
    • EUARE
      • Role related operations
      • InstanceProfile related operations
    • STS
      • GetFederatedToken
    • EC2
      • running an instance with a profile
      • using the profile information to populate the instance metadata service credentials periodically
    • euca2ools
      • run-instance support for -p, --iam-profile arn|name
        Type: String
        Default: None
        Example: arn:aws:iam::111111111111:instance-profile/s3access

IAM Operations


STS Operations


EC2 Changes

Instance Metadata Items

| Item | Description | Version introduced |
|------|-------------|--------------------|
| iam/info | Returns information about the last time the instance profile was updated, including the instance's LastUpdated date, InstanceProfileArn, and InstanceProfileId. | 2012-06-01 |
| iam/security-credentials/ | Returns the name of the IAM role associated with the instance. | 2012-06-01 |
| iam/security-credentials/role-name | Where role-name is the name of the IAM role associated with the instance. Returns the temporary security credentials (AccessKeyId, SecretAccessKey, SessionToken, and Expiration) associated with the IAM role. | 2012-06-01 |
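The metadata items above, together with the rotation rule earlier on this page (new keys appear at least 5 minutes before the previous set expires), are what an instance-hosted application has to deal with. The following is an added example, not code from the Eucalyptus project: a small credential fetcher that discovers the role name from `iam/security-credentials/`, parses the credential document, and refreshes only once the cached set is within the 5-minute margin of its Expiration. The `169.254.169.254` address and the `%Y-%m-%dT%H:%M:%SZ` timestamp format are assumed from the EC2 metadata service; the `sample_fetch` responses are constructed here so the module runs offline, and the key values in them are placeholders.

```python
import json
import urllib.request
from datetime import datetime, timedelta, timezone

# Assumed: the standard link-local metadata endpoint; paths follow the table on this page.
METADATA_BASE = "http://169.254.169.254/latest/meta-data/"
# The page states keys are rotated at least 5 minutes before the old set expires,
# so refreshing inside that window always finds a fresh set.
REFRESH_MARGIN = timedelta(minutes=5)


def http_get(path):
    """Fetch one metadata item over HTTP (used on a real instance)."""
    with urllib.request.urlopen(METADATA_BASE + path, timeout=2) as resp:
        return resp.read().decode()


def parse_credentials(raw):
    """Parse the iam/security-credentials/<role-name> JSON document.

    The page names the token field SessionToken; the live EC2 service calls it
    Token, so both spellings are accepted. Expiration is returned as an aware datetime.
    """
    doc = json.loads(raw)
    token = doc.get("SessionToken", doc.get("Token"))
    if token is None:
        raise ValueError("credential document has no session token")
    return {
        "AccessKeyId": doc["AccessKeyId"],
        "SecretAccessKey": doc["SecretAccessKey"],
        "SessionToken": token,
        "Expiration": datetime.strptime(doc["Expiration"], "%Y-%m-%dT%H:%M:%SZ")
        .replace(tzinfo=timezone.utc),
    }


def needs_refresh(creds, now, margin=REFRESH_MARGIN):
    """True when there is no cached set or it is inside the refresh margin of expiry."""
    return creds is None or now >= creds["Expiration"] - margin


class RoleCredentials:
    """Caches the role credentials and re-reads the metadata service only when needed."""

    def __init__(self, fetch=http_get):
        self._fetch = fetch
        self._cached = None
        self.role_name = None

    def get(self, now=None):
        now = now or datetime.now(timezone.utc)
        if needs_refresh(self._cached, now):
            if self.role_name is None:
                # iam/security-credentials/ lists the role associated with the instance
                self.role_name = self._fetch("iam/security-credentials/").strip().splitlines()[0]
            raw = self._fetch("iam/security-credentials/" + self.role_name)
            self._cached = parse_credentials(raw)
        return self._cached


# Constructed sample responses (placeholder keys, not real credentials) for offline use.
SAMPLE_RESPONSES = {
    "iam/security-credentials/": "s3access\n",
    "iam/security-credentials/s3access": json.dumps({
        "Code": "Success",
        "LastUpdated": "2012-06-01T12:00:00Z",
        "AccessKeyId": "AKIAEXAMPLEKEY",
        "SecretAccessKey": "EXAMPLE-SECRET",
        "SessionToken": "EXAMPLE-SESSION-TOKEN",
        "Expiration": "2012-06-01T18:00:00Z",
    }),
}
SAMPLE_CALLS = []  # records which paths sample_fetch served, to show caching behaviour


def sample_fetch(path):
    SAMPLE_CALLS.append(path)
    return SAMPLE_RESPONSES[path]


if __name__ == "__main__":
    rc = RoleCredentials(fetch=sample_fetch)
    creds = rc.get(now=datetime(2012, 6, 1, 12, 5, tzinfo=timezone.utc))
    print("role:", rc.role_name, "expires:", creds["Expiration"].isoformat())
```

On a real instance, construct `RoleCredentials()` with the default `http_get` and call `get()` before each signed request; the cache means the metadata service is only touched when a fresh set is actually due, which also keeps the number of processes that talk to the metadata service small, in line with the precaution on this page about services such as HTTP proxies.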

euca2ools Changes

  • run-instance support for -p, --iam-profile arn|name
    The IAM instance profile to associate with the launched instance(s). IAM instance profiles enable you to manage permissions for applications running on EC2. This is either the Amazon Resource Name (ARN) of the instance profile (e.g., arn:aws:iam::111111111111:instance-profile/s3access) or the name of the role (e.g., s3access).