AWS Elastic Beanstalk now supports IAM roles to make it easier for you to securely access AWS services from your application. Elastic Beanstalk already makes it easy to run your applications on AWS by automatically provisioning, configuring, and managing many AWS resources on your behalf.
The Elastic Beanstalk management console and the eb command line can now provision an IAM role and its associated instance profile, and then assign it to your environment. You can also use an existing role if you have one that you want to share across environments.
Roles and Profiles in Action
In the past, if your application needed to call an AWS service API (such as DynamoDB or CloudWatch), you most likely passed the AWS access key and secret key to your application using Elastic Beanstalk environment variables.
You start by creating a new instance profile or selecting an existing one when you create your Elastic Beanstalk application. Among other things, the instance profile contains the IAM role:
With IAM roles, temporary AWS credentials are securely provisioned on EC2 instances within your environment. These temporary credentials are automatically rotated for you multiple times per day. To use the credentials with an AWS SDK, you simply initialize the client of your choice and the AWS SDK will do the rest. Here’s an example that puts a data point into CloudWatch:
The IAM role must have the necessary permissions to call the CloudWatch API. Here’s a sample policy:
Roll With It
This feature is available now and you can start using it today.
-- Saad and Jeff