Friday, January 15, 2016

amazon ec2 - How to set up command-line access with limited permissions to EC2?



I added a user "Snapshotter" to my AWS account (via IAM) with permission just to ebs:CreateSnapshot.



On one of my instances I want to have a script that periodically created a snapshot, but without storing on that instance any credentials or certificates that allow more permissive access to the account or to other EC2 commands.



How do I achieve that?




In the IAM I can get the "secret access key" and the "access key ID" for the Snapshotter user, but it appears like the private key and X509 certificates are only for the entire account and hence would entail full access. 



$ ec2-create-snapshot -h
  SYNOPSIS
     ec2addsnap ([ec2-create-snapshot])
     ec2addsnap [GENERAL OPTIONS] -d DESCRIPTION VOLUME
...

  GENERAL OPTIONS


     -K, --private-key KEY
          Specify KEY as the private key to use. Defaults to the value of the
          EC2_PRIVATE_KEY environment variable (if set). Overrides the default.

     -C, --cert CERT
          Specify CERT as the X509 certificate to use. Defaults to the value 
          of the EC2_CERT environment variable (if set). Overrides the default.

Answer




One option is to invoke the ec2-create-snapshot API call using the REST interface instead of the SOAP interface. This lets you use the "access key ID" and "secret access key" instead of the x509 cert/pk.



I have written a command line program named ec2-consistent-snapshot which uses the ec2-create-snapshot REST API.




http://alestic.com/2009/09/ec2-consistent-snapshot




If you don't use any of the command line options that trigger the "consistent" aspect of creating the snapshot, then it is basically the same as the ec2-create-snapshot command line (except that it runs ten times faster).




Here's an article I wrote which has step-by-step instructions for using IAM with ec2-consistent-snapshot to do exactly what you're trying to do:




Improving Security on EC2 With AWS Identity and Access Management (IAM)
http://alestic.com/2010/09/aws-iam




I have set up an Ubuntu PPA for easy installation of ec2-consistent-snapshot and its dependencies. Other distros will require a bit more work, but it's just a script written in Perl, so it is highly portable.



I'm also in the process of moving the master source for ec2-consistent-snapshot from bazaar to github to make it easier for folks to review and fork.


-

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

linux - How to SSH to ec2 instance in VPC private subnet via NAT server

I have created a VPC in aws with a public subnet and a private subnet. The private subnet does not have direct access to external network. S...