Run CLI command from an Instance without the security keys

Home»AWS Support Community Forum»Run CLI command from an Instance without the security keys

Run CLI command from an Instance without the security keys
Reply

Ron Hoffman

I have an EC2 instance and I want to run AWS CLI commands to take snapshots or connect with S3 but I don’t want to store my access keys and secret access keys or any other security credential on the instance.

Can I do this without using Access keys and Secret Access Keys ?

This discussion contains 4 replies and has 118 views.

Replies
Reply

Taral Shah

You’ll need to create roles in IAM, and manage permissions to control which operations should be performed by the AWS service or resources. In this case, the AWS resource would assume the IAM role  or IAM Role would work on behalf of the AWS user and perform the activity.

The advantage of the IAM role is that the user needs to launch an instance with IAM role and then he can run all EC2 CLI commands or connect with other AWS resources without AWS credentials, provided the Role has access to all these resources.

Reply

maxs

@Taral -

Keep in mind that the IAM role has to be used with some resource or entity like EC2 instances, Auto Scaling, Cloudformation, VPC, Spot, or reserved instances. Consider this guide on how to automate EBS Volume Snapshots: http://phpstack-1446756-5421145.cloudwaysapps.com/how-to-automated-ebs-volume-snapshot/ - Here the user can run snapshot commands without using AWS credentials if the EC2 instance is launched with the IAM Role.

Reply

Larry W

on Amazon site - ”IAM roles allow you to delegate access to users or services that normally don’t have access to your organization’s AWS resources. IAM users or AWS services can assume a role to obtain temporary security credentials that can be used to make AWS API calls. Consequently, you don’t have to”. AWS explains IAM Roles on their site. Maybe this will help to clarify. - http://docs.aws.amazon.com/IAM/latest/UserGuide/WorkingWithRoles.html

Reply

Aldrin Leal

Two things:

1. Note that AWS Elastic Beanstalk does *NOT* support IAM Roles yet

2. When IAM Roles arent cut it, consider STS instead - Specially for Mobile Clients

AWS provides a great insight on how to pick using the “AWS Hotel” Case: See http://aws.typepad.com/aws/2011/08/aws-identity-and-access-management-now-with-identity-federation.html for the original concept and http://aws.typepad.com/aws/2021/06/iam-roles-for-ec2-instances-simplified-secure-access-to-aws-service-apis-from-ec2.html for an update concerning IAM Instance Roles

 

You must be logged in to reply to this topic.