Understanding IAM roles

A role is a set of permissions that grants access to AWS resources. Roles are not associated with any user or group but instead are assumed by a trusted entity, which can be an IAM user, an application, or an AWS service such as EC2. The difference between an IAM user and a role is that a role cannot access AWS resources directly, which implies that a role has no long-term credentials of its own. This property is very useful when a trusted AWS service, such as EC2, assumes a role: there is no need to provide credentials to the EC2 instance. This solves a very important issue—credential distribution and rotation, plus not having credentials stored on the instance in clear text or in an encrypted form.

Since we have already created an IAM role in Chapter 3, AWS Components, Cost Models, and Application Development Environments, and assigned it to an EC2 instance, we will not go through it again. While assigning permissions to roles, always remember to assign only the required permissions, as per the principle of least privilege (http://en.wikipedia.org/wiki/Principle_of_least_privilege).

Let's examine how this works when an application running in an EC2 instance uses an AWS-supplied SDK to access an AWS resource. The SDK transparently fetches temporary credentials via the instance metadata service, which in turn requests them from the AWS Security Token Service. Instance metadata is data about your instance that can be used to configure or manage the running instance. If you are not using an AWS SDK, you can still obtain the temporary credentials by querying the instance metadata yourself. The instance metadata can be queried from the command line of the running EC2 instance by executing the following command:

curl http://169.254.169.254/latest/meta-data/

ami-id
ami-launch-index
ami-manifest-path
block-device-mapping/
hostname
iam/
instance-action
instance-id
instance-type
local-hostname
local-ipv4
mac
metrics/
network/
placement/
profile
public-hostname
public-ipv4
public-keys/
reservation-id
security-groups
For more information on the metadata, please refer to: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html.

To query the temporary security credentials for a role, execute the following from the running EC2 instance command line:

curl http://169.254.169.254/latest/meta-data/iam/security-credentials/ec2Instances

ec2Instances is the name of the role assigned to your EC2 instance. The response is a temporary security credential, which the AWS SDK uses to access the resource:

{
  "Code" : "Success",
  "LastUpdated" : "2017-11-29T04:55:57Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "ASIAIGOEGNL3UXEPOELA",
  "SecretAccessKey" : "ZDn5onr2FyIrSyI2AQvq+TDRsHxHQsDHJBXSyROe",
  "Token" : "<session token omitted>",
  "Expiration" : "2017-11-29T11:28:08Z"
}

The temporary credentials are automatically rotated and have an expiry date/time associated with them. The application has to query the instance metadata for new credentials before the current credentials expire. If the AWS SDK is being used within the application, it manages this transparently and no credential refresh logic is necessary.
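The following is an added example, not code from the book, showing what the SDK does for you behind the curl command above: it fetches the role's credential document from the metadata service, parses it, and re-fetches before the stated Expiration. The URL and JSON field names are the ones shown on the page; the role name ec2Instances is reused from the page, and the sample response values, the five-minute refresh margin, and the RoleCredentialProvider class are assumptions made for the demonstration. The fetcher and clock are injectable so the refresh behaviour can be exercised off an EC2 instance.

```python
"""Fetch, parse and refresh EC2 instance-role credentials from the metadata service.

Added example; not the book's code. URL and field names are those shown on the
page; the sample response values below are constructed and are not real keys.
"""
import json
import urllib.request
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

IMDS_CREDENTIALS_URL = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
# Assumed margin: refresh this long before expiry so a slow metadata call never
# leaves the application holding an already-expired credential.
REFRESH_MARGIN = timedelta(minutes=5)

# Constructed sample response in the shape the page shows (values are not real).
SAMPLE_RESPONSE = """{
  "Code" : "Success",
  "LastUpdated" : "2017-11-29T04:55:57Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "ASIAEXAMPLEKEY000001",
  "SecretAccessKey" : "example/secret/key/not/real/0000000000000000",
  "Token" : "example-session-token",
  "Expiration" : "2017-11-29T11:28:08Z"
}"""


@dataclass(frozen=True)
class TemporaryCredentials:
    access_key_id: str
    secret_access_key: str
    token: str
    expiration: datetime


def parse_timestamp(value: str) -> datetime:
    """Parse the metadata service's UTC timestamp format, e.g. 2017-11-29T11:28:08Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_credentials(body: str) -> TemporaryCredentials:
    """Turn the JSON document returned by the metadata service into a credential object.

    A response whose Code is not Success is rejected instead of yielding empty keys.
    """
    doc = json.loads(body)
    if doc.get("Code") != "Success":
        raise ValueError(f"metadata service reported {doc.get('Code')!r}")
    return TemporaryCredentials(
        access_key_id=doc["AccessKeyId"],
        secret_access_key=doc["SecretAccessKey"],
        token=doc["Token"],
        expiration=parse_timestamp(doc["Expiration"]),
    )


def fetch_from_imds(role_name: str, timeout: float = 2.0) -> str:
    """Perform the same HTTP GET the page shows with curl; only works on an EC2 instance."""
    with urllib.request.urlopen(IMDS_CREDENTIALS_URL + role_name, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


class RoleCredentialProvider:
    """Caches the role credentials and re-fetches them before they expire (assumed design)."""

    def __init__(self, role_name: str,
                 fetch: Callable[[str], str] = fetch_from_imds,
                 now: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self.role_name = role_name
        self._fetch = fetch
        self._now = now
        self._cached: Optional[TemporaryCredentials] = None
        self.fetch_count = 0

    def needs_refresh(self, now: Optional[datetime] = None) -> bool:
        """True when nothing is cached or the cached credential is inside the refresh margin."""
        if self._cached is None:
            return True
        current = now if now is not None else self._now()
        return current >= self._cached.expiration - REFRESH_MARGIN

    def get(self) -> TemporaryCredentials:
        """Return usable credentials, fetching new ones from the metadata service if required."""
        if self.needs_refresh():
            self._cached = parse_credentials(self._fetch(self.role_name))
            self.fetch_count += 1
        return self._cached


if __name__ == "__main__":
    # Offline run with the constructed response; on an instance, drop the fetch= argument.
    provider = RoleCredentialProvider("ec2Instances", fetch=lambda role: SAMPLE_RESPONSE)
    creds = provider.get()
    print(creds.access_key_id, "expires", creds.expiration.isoformat())
```

Refreshing a few minutes ahead of Expiration rather than at it is the detail that matters operationally: the metadata service may be slow or briefly unavailable, and a request signed with an expired credential fails outright. Checking the Code field also surfaces the case where the instance has no role attached instead of propagating empty keys into the SDK.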
