AUTHOR: http://aws.typepad.com/aws/2012/06/iam-roles-for-ec2-instances-simplified-secure-access-to-aws-service-apis-from-ec2.html LINK!



Listed below are links to weblogs that reference IAM roles for EC2 instances – Simplified Secure Access to AWS service APIs from EC2:

Comments


Lex Brugman

Will the API tools be updated as well to take advantage of this new feature?

Cloudcontroller

This is a big step forward for AWS. Managing a DevOps shop is scary when handing out IAM accounts to folks that are more "Dev" than "Ops". Limiting access to only select resources just decreased the risk factor for DevOps shops by an order of magnitude.

John Hart

This is great and very useful; much better than pushing credential info into environment variables or encrypted files.

It should be noted that caching the credentials (with a 5 minute expiration per your rotation policy) is critical for this to work well, as the IMDS service has extremely wide swings in response time.

For example, using curl to download 'http://169.254.169.254/latest/meta-data/public-ipv4' across 9 mostly unloaded instances gives us this range of times:

real 0m0.436s
real 0m0.505s
real 0m0.528s
real 0m0.752s
real 0m0.809s
real 0m1.005s
real 0m1.079s
real 0m1.362s
real 0m3.281s

Likewise, I'm seeing times up to 15 seconds to download a 2183 byte file from /latest/user-data (on a machine that is essentially unloaded) ... while other instances fetch that same file in 500ms.

Aaron Bell

It would be great if an instance profile could be added to a running instance, not just at creation.

Doncho Gunchev

I'd also love to see online add/remove of IAM Role (even Roles) to running EC2 instances. Would be also great if one can change the user metadata without shutdown.

Rckenned

Looking at the response from curl http://169.254.169.254/latest/meta-data/iam/security-credentials/{iam role} it appears that the credentials expire in a bit over 6 hours. The documentation bears this out as well, indicating that the credentials are temporary. What's the expectation for instances that will live on beyond the expiry of the temporary credentials?

Jeff Barr

@Rckenned - Your AWS SDK should take care of this for you by fetching updated credentials as necessary.
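Added example, not part of the original comments and not AWS SDK code: a sketch of the caching John Hart describes combined with the refresh-before-expiry behaviour Jeff Barr refers to. The `fetch` callable (in practice an HTTP GET with a timeout against the security-credentials URL quoted above), the 5-minute refresh margin, and the sample response values are assumptions made for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of the JSON document served at
# /latest/meta-data/iam/security-credentials/<role>; all values are placeholders.
SAMPLE_RESPONSE = json.dumps({
    "Code": "Success",
    "Type": "AWS-HMAC",
    "AccessKeyId": "ASIAEXAMPLEEXAMPLE",
    "SecretAccessKey": "constructed-secret",
    "Token": "constructed-session-token",
    "Expiration": "2012-06-12T18:00:00Z",
})


class RoleCredentialCache:
    """Caches role credentials and refetches them shortly before they expire."""

    def __init__(self, fetch, refresh_margin=timedelta(minutes=5), now=None):
        self._fetch = fetch              # hypothetical callable returning the JSON text
        self._margin = refresh_margin    # assumed margin: refetch this long before Expiration
        self._now = now or (lambda: datetime.now(timezone.utc))
        self._creds = None
        self._expires = None

    def get(self):
        if self._creds is None or self._now() >= self._expires - self._margin:
            self._refresh()
        return self._creds

    def _refresh(self):
        try:
            doc = json.loads(self._fetch())
            if doc.get("Code") != "Success":
                raise ValueError("metadata service returned %r" % doc.get("Code"))
            expires = datetime.strptime(
                doc["Expiration"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except Exception:
            # A slow or failing fetch must not discard credentials that still work.
            if self._creds is not None and self._now() < self._expires:
                return
            raise
        self._creds = {k: doc[k] for k in ("AccessKeyId", "SecretAccessKey", "Token")}
        self._expires = expires
```

Keeping the credentials only in process memory, as here, avoids writing the secret key and session token to disk or to environment variables.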

Paulius

People at Amazon, can you invest in UI/UX design? I just feel that everything you do is ugly and impossible to use.

The comments to this entry are closed.
