In-depth analysis of the iam role of aws ec2

Aws ec2 iam role

 

When accessing the various AWS service APIs, authentication must be performed first. There are the following situations:

1. Access via the AWS console web interface

Username, password, MFA (optional)

 

2. AWS CLI

The credentials need to be configured in the credentials file in the ~/.aws directory:

aws_access_key_id

aws_secret_access_key

 

3. Developing with an SDK

The credentials can be configured through environment variables, configuration files, or the credentials file in the ~/.aws directory:

aws_access_key_id

aws_secret_access_key

 

It can be seen that, apart from the console, credentials need to be provided in every case.

 

The credentials mentioned above are created through an IAM user after logging in to the AWS console. The permissions of the credentials are the same as those of the IAM user. Imagine, if the credentials of the root user were exploited, the attacker could do anything. So AWS suggests: do not generate credentials (i.e. aws_access_key_id and aws_secret_access_key) for the root user, but create other IAM users, obtain credentials through those IAM users, and then distribute them to other people, programs or tools.

 

Even when the credentials of an IAM user are used, if they are stolen the consequences are still serious. So for applications running on EC2, if the credentials are configured somewhere on the instance (environment variables, configuration files), there is still a big security risk, and if the credentials change later, the cost of maintenance also increases.

 

Therefore, for the security and maintenance reasons above, AWS EC2 provides a hosted-style mechanism for applications: when the application needs to access a web service API, the internal implementation of the SDK obtains dynamic temporary credentials directly from the EC2 instance and then uses them to sign the HTTPS request. In this way, the application does not need to care about credentials at all. Of course, the premise is that an IAM role must be configured for the EC2 instance.

 

Creation of an IAM role:

Sign in to the AWS console -> My Security Credentials -> Roles -> Create new role -> Select (Amazon EC2 role type) -> Attach Policy -> Next Step -> Input Role name -> Create role

 

When an IAM role is created through the console, an instance profile with the same name is automatically created, and when an IAM role is later configured on an EC2 instance, what is actually selected is this instance profile. In Attach Policy, you need to select the AWS services and resources that the application actually needs to access.

 

Attaching the IAM role:

1> You can specify the instance profile when creating an EC2 instance

2> For an EC2 instance that is already running, you can also attach the specified instance profile

 

You can view the security-credentials information through the EC2 meta-data endpoint:

 

curl http://169.254.169.254/latest/meta-data/iam/security-credentials/role_name

 

{
  "Code" : "Success",
  "LastUpdated" : "2012-04-26T16:39:16Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "xxxx",
  "SecretAccessKey" : "yyyy",
  "Token" : "token",
  "Expiration" : "2017-05-17T15:09:54Z"
}

 

If the application uses the AWS SDK, the SDK does all of this for us automatically and then uses the credentials to sign the HTTPS requests. In fact, EC2 internally calls STS (AWS Security Token Service) with the role name to obtain the credential information. The dynamically acquired credentials have a life cycle and become invalid automatically once they expire. The EC2 instance automatically acquires new credentials before the old ones expire, so the SDK does not need to pay attention to the expiration issue itself: the EC2 instance keeps the currently valid credentials in meta-data, and the SDK only needs to read them from there.
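As an added example that is not part of the original article, the Python script below reads the same security-credentials document described above, but through IMDSv2 (a session token obtained with a PUT, sent as a header on the GET that the article's curl command performs without one), validates the document, and decides when a refresh is due. The function names, the refresh margin and the sample document values are assumptions for this example.

```python
import json
import urllib.request
from datetime import datetime, timedelta, timezone

IMDS = "http://169.254.169.254"
# How long before Expiration to fetch fresh credentials (assumed value for this example).
REFRESH_MARGIN = timedelta(minutes=5)

def imds_get(path: str, token_ttl: int = 21600) -> str:
    """Fetch a metadata path with IMDSv2: PUT for a session token, then GET with it."""
    tok_req = urllib.request.Request(
        f"{IMDS}/latest/api/token", method="PUT",
        headers={"X-aws-ec2-metadata-token-ttl-seconds": str(token_ttl)})
    with urllib.request.urlopen(tok_req, timeout=2) as resp:
        token = resp.read().decode()
    req = urllib.request.Request(
        f"{IMDS}{path}", headers={"X-aws-ec2-metadata-token": token})
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()

def parse_credentials(doc: str) -> dict:
    """Validate the security-credentials document and parse Expiration into a datetime."""
    data = json.loads(doc)
    if data.get("Code") != "Success":
        raise RuntimeError(f"IMDS returned Code={data.get('Code')!r}")
    for key in ("AccessKeyId", "SecretAccessKey", "Token", "Expiration"):
        if not data.get(key):
            raise RuntimeError(f"credential document is missing {key}")
    data["Expiration"] = datetime.strptime(
        data["Expiration"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return data

def needs_refresh(creds: dict, now: datetime) -> bool:
    """True when the temporary credentials are expired or inside the refresh margin."""
    return now >= creds["Expiration"] - REFRESH_MARGIN

def fetch_role_credentials(role_name: str) -> dict:
    """Same document the article's curl call returns, read via IMDSv2 (only works on EC2)."""
    return parse_credentials(
        imds_get(f"/latest/meta-data/iam/security-credentials/{role_name}"))

# Constructed sample document using the article's placeholder values; it is not real output.
SAMPLE_DOC = json.dumps({
    "Code": "Success", "LastUpdated": "2012-04-26T16:39:16Z", "Type": "AWS-HMAC",
    "AccessKeyId": "xxxx", "SecretAccessKey": "yyyy", "Token": "token",
    "Expiration": "2017-05-17T15:09:54Z"})
```

On an instance, `fetch_role_credentials("role_name")` returns the parsed document; off EC2 the metadata address is unreachable, so only the parsing and refresh logic can be exercised with SAMPLE_DOC.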

 
