I added a user "Snapshotter" to my AWS account (via IAM) with permission just to ebs:CreateSnapshot.
On one of my instances I want to have a script that periodically created a snapshot, but without storing on that instance any credentials or certificates that allow more permissive access to the account or to other EC2 commands.
How do I achieve that?
In the IAM I can get the "secret access key" and the "access key ID" for the Snapshotter user, but it appears like the private key and X509 certificates are only for the entire account and hence would entail full access.
$ ec2-create-snapshot -h
SYNOPSIS
ec2addsnap ([ec2-create-snapshot])
ec2addsnap [GENERAL OPTIONS] -d DESCRIPTION VOLUME
...
GENERAL OPTIONS
-K, --private-key KEY
Specify KEY as the private key to use. Defaults to the value of the
EC2_PRIVATE_KEY environment variable (if set). Overrides the default.
-C, --cert CERT
Specify CERT as the X509 certificate to use. Defaults to the value
of the EC2_CERT environment variable (if set). Overrides the default.
Answer
One option is to invoke the ec2-create-snapshot API call using the REST interface instead of the SOAP interface. This lets you use the "access key ID" and "secret access key" instead of the x509 cert/pk.
I have written a command line program named ec2-consistent-snapshot which uses the ec2-create-snapshot REST API.
http://alestic.com/2009/09/ec2-consistent-snapshot
If you don't use any of the command line options that trigger the "consistent" aspect of creating the snapshot, then it is basically the same as the ec2-create-snapshot command line (except that it runs ten times faster).
Here's an article I wrote which has step-by-step instructions for using IAM with ec2-consistent-snapshot to do exactly what you're trying to do:
Improving Security on EC2 With AWS Identity and Access Management (IAM)
http://alestic.com/2010/09/aws-iam
I have set up an Ubuntu PPA for easy installation of ec2-consistent-snapshot and its dependencies. Other distros will require a bit more work, but it's just a script written in Perl, so it is highly portable.
I'm also in the process of moving the master source for ec2-consistent-snapshot from bazaar to github to make it easier for folks to review and fork.
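The access-key-only path the answer describes, as an added example (not code from the post or from ec2-consistent-snapshot): it builds and checks a Signature Version 2 signed EC2 Query API CreateSnapshot request from an IAM access key ID and secret key, so no account-wide X.509 certificate or private key has to sit on the instance. The host, path, EC2 API version string and the sample credentials are assumptions.

```python
"""Sign an EC2 Query API CreateSnapshot request with IAM access keys only.

Added example; assumes the Signature Version 2 scheme the EC2 Query API
accepted (GET, canonical sorted query, HMAC-SHA256 over the string to sign).
"""
import base64
import hashlib
import hmac
import urllib.parse

HOST = "ec2.amazonaws.com"      # assumed endpoint
PATH = "/"
API_VERSION = "2010-08-31"      # assumed EC2 API version string


def _encode(value):
    # SigV2 wants RFC 3986 encoding: only unreserved characters stay bare.
    return urllib.parse.quote(value, safe="-_.~")


def string_to_sign(params, host=HOST, path=PATH):
    # Canonical query: parameters sorted by name, names and values encoded.
    canonical = "&".join(f"{_encode(k)}={_encode(v)}" for k, v in sorted(params.items()))
    return "\n".join(["GET", host, path, canonical])


def _signature(params, secret_key):
    mac = hmac.new(secret_key.encode(), string_to_sign(params).encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def sign_create_snapshot(access_key_id, secret_key, volume_id, description, timestamp):
    """Return the full signed parameter set for Action=CreateSnapshot."""
    params = {
        "Action": "CreateSnapshot",
        "VolumeId": volume_id,
        "Description": description,
        "Version": API_VERSION,
        "AWSAccessKeyId": access_key_id,      # identifies the IAM user, not the account
        "SignatureMethod": "HmacSHA256",
        "SignatureVersion": "2",
        "Timestamp": timestamp,               # ISO 8601 UTC, e.g. 2010-09-15T12:00:00Z
    }
    params["Signature"] = _signature(params, secret_key)
    return params


def verify_signature(params, secret_key):
    """Server-side style check: recompute over everything except Signature."""
    unsigned = {k: v for k, v in params.items() if k != "Signature"}
    expected = _signature(unsigned, secret_key)
    return hmac.compare_digest(expected, params.get("Signature", ""))
```

Because the secret key of the Snapshotter user signs only requests for actions that user's IAM policy allows, a tampered VolumeId or a different secret fails verification, and the key cannot be turned into broader account access the way the account-wide certificate could.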