Today's guest blogger is Anders Samuelsson, a Senior Product Manager on the AWS Identity and Access Management team. Anders has great news for anyone who makes calls to AWS APIs using code that runs on an EC2 instance.
-- Jeff;
Today we are introducing AWS Identity and Access Management (IAM) roles for EC2 instances, a new feature that makes it even easier for you to securely access AWS service APIs from your EC2 instances. You can create an IAM role, assign it a set of permissions, launch EC2 instances with the IAM role, and then AWS access keys with the specified permissions are automatically made available on those EC2 instances.
This short video illustrates that it is easy to get started:
Until now, you had to securely get your AWS access keys out to your EC2 instances, which could be challenging when managing large or elastically scaling fleets. You also needed to figure out how to implement security best practices such as regularly rotating your keys. IAM roles for EC2 instances now take care of both of these for you automatically.
IAM roles for EC2 instances are available to be used with:
- ALL EC2 instance types
- Linux and Windows instances
- ALL AMIs
- Amazon VPC
- Spot and Reserved Instances
- North America, South America, Europe, and Asia Pacific regions
Auto Scaling and AWS CloudFormation have also added integration for roles, so that they can start EC2 instances with IAM roles on your behalf, and GovCloud support will be coming soon.
Let’s take a look behind the scenes.
We have introduced a new IAM entity called a role. IAM roles allow applications on your EC2 instances to act on your behalf. Like an IAM user, a role uses the Access Policy Language to specify permissions. However, unlike a user, a role cannot be used to directly call AWS service APIs. A role must be "assumed" by an entity, in this case an EC2 instance, and in future releases perhaps by an IAM user. To extend the "AWS Hotel" analogy that we used in a prior blog post to explain IAM users, a housekeeper named Sally might be provided an IAM user for her day-to-day responsibilities of cleaning guest rooms, but during yearly fire drills she can assume the role of Safety Officer, which gives her different permissions (such as access to all rooms in the building, and use of walkie-talkies to coordinate with fire officials).
When you launch an EC2 instance with an IAM role, temporary AWS security credentials with permissions specified by the role will be securely provisioned to the instance and will be made available to your application via the EC2 Instance Metadata Service. The Metadata Service will make new temporary security credentials available prior to the expiration of the current active credentials, so that valid credentials are always available on the instance.
For enhanced security, the temporary security credentials are automatically rotated for you multiple times per day. If you are developing your application with the AWS SDK, all of this will be completely transparent to your application and you only need to make minor adjustments to your code to get started.
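To show what the SDK is doing under the hood, here is an added example (not code from the original post or from the AWS SDK) of the credential handling described above: it parses the JSON document the Instance Metadata Service serves for a role, caches the temporary credentials, and re-fetches them a few minutes before their Expiration. The sample document and the role name "app-role" are constructed; the key values are the AWS documentation placeholders.

```python
import json
import urllib.request
from datetime import datetime, timedelta, timezone

IMDS_BASE = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
REFRESH_MARGIN = timedelta(minutes=5)  # re-fetch this long before Expiration

# Constructed sample of the document IMDS serves for a role (assumed role name
# "app-role"); key values are the AWS documentation placeholders, not real keys.
SAMPLE_DOC = """{
  "Code": "Success",
  "LastUpdated": "2012-06-11T18:00:00Z",
  "Type": "AWS-HMAC",
  "AccessKeyId": "AKIAIOSFODNN7EXAMPLE",
  "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
  "Token": "CONSTRUCTED-SESSION-TOKEN",
  "Expiration": "2012-06-12T00:15:00Z"
}"""

def parse_expiration(value):
    """IMDS timestamps are ISO 8601 in UTC with a trailing 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def fetch_from_imds(role_name, timeout=2.0):
    """Real fetcher for use on an instance: one GET to the link-local IMDS endpoint."""
    with urllib.request.urlopen(IMDS_BASE + role_name, timeout=timeout) as resp:
        return resp.read().decode("utf-8")

class CredentialCache:
    """Holds role credentials and re-fetches them shortly before Expiration,
    so callers do not pay the variable IMDS round trip on every API call."""

    def __init__(self, fetch, now):
        self._fetch, self._now = fetch, now  # now() is injectable for testing
        self._creds, self._expires_at, self.fetch_count = None, None, 0

    def get(self):
        if self._creds is None or self._now() >= self._expires_at - REFRESH_MARGIN:
            doc = json.loads(self._fetch())
            if doc.get("Code") != "Success":
                raise RuntimeError("IMDS credential document Code=%r" % doc.get("Code"))
            self._expires_at = parse_expiration(doc["Expiration"])
            self._creds = {k: doc[k] for k in ("AccessKeyId", "SecretAccessKey", "Token")}
            self.fetch_count += 1
        return dict(self._creds)  # copy so callers cannot mutate the cache

    def seconds_until_refresh(self):
        return (self._expires_at - REFRESH_MARGIN - self._now()).total_seconds()
```

On a real instance you would construct the cache with `fetch=lambda: fetch_from_imds("app-role")` and a wall-clock `now`; the sample document and injected clock let the refresh logic run offline.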
If you previously had something similar to the code below:
// Long-lived access keys embedded in the application (the pre-IAM-role pattern)
AWSCredentials creds = new BasicAWSCredentials(
    "AKIAIOSFODNN7EXAMPLE",
    "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY");
AWSCredentialsProvider session = new STSSessionCredentialsProvider(creds);
AmazonDynamoDB dynamo = new AmazonDynamoDBClient(session);
With the latest AWS SDK that adds support for IAM roles, you can minimize this code to the following:
And the AWS SDK takes care of the rest! We have tried to remove as much “muck” as possible to enable you to just focus on developing your application. Make sure to visit the Working with Roles section in the Using IAM guide and Using IAM roles with Amazon EC2 Instances in the Amazon EC2 User Guide for additional information about this new and exciting feature.
-- Anders


Will the API tools be updated as well to take advantage of this new feature?
Posted by: Lex Brugman | June 12, 2012 at 04:07 AM
This is a big step forward for AWS. Managing a DevOps shop is scary when handing out IAM accounts to folks that are more "Dev" than "Ops". Limiting access to only select resources just decreased the risk factor for DevOps shops by an order of magnitude.
Posted by: Cloudcontroller | June 12, 2012 at 09:21 AM
This is great and very useful; much better than pushing credential info into environment variables or encrypted files.
It should be noted that caching the credentials (with a 5 minute expiration per your rotation policy) is critical for this to work well, as the IMDS service has extremely wide swings in response time.
For example, using curl to download 'http://169.254.169.254/latest/meta-data/public-ipv4' across 9 mostly unloaded instances gives us this range of times:
real 0m0.436s
real 0m0.505s
real 0m0.528s
real 0m0.752s
real 0m0.809s
real 0m1.005s
real 0m1.079s
real 0m1.362s
real 0m3.281s
Likewise, I'm seeing times up to 15 seconds to download a 2183 byte file from /latest/user-data (on a machine that is essentially unloaded) ... while other instances fetch that same file in 500ms.
Posted by: John Hart | June 12, 2012 at 11:38 AM
It would be great if an instance profile could be added to a running instance, not just at creation.
Posted by: Aaron Bell | June 14, 2012 at 09:51 AM
I'd also love to see online add/remove of IAM Role (even Roles) to running EC2 instances. It would also be great if one could change the user metadata without shutdown.
Posted by: Doncho Gunchev | June 19, 2012 at 05:11 AM
Looking at the response from curl http://169.254.169.254/latest/meta-data/iam/security-credentials/{iam role} it appears that the credentials expire in a bit over 6 hours. The documentation bears this out as well, indicating that the credentials are temporary. What's the expectation for instances that will live on beyond the expiry of the temporary credentials?
Posted by: Rckenned | July 07, 2012 at 11:46 PM
@Rckenned - Your AWS SDK should take care of this for you by fetching updated credentials as necessary.
Posted by: Jeff Barr | July 09, 2012 at 06:27 AM
People at Amazon, can you invest in UI/UX design? I just feel that everything you do is ugly and impossible to use.
Posted by: Paulius | August 19, 2012 at 11:38 AM