
opscode aws cookbook iam role

I am trying to use the aws cookbook with IAM roles, but when I try to leave aws_access_key and aws_secret_access_key out of the aws_ebs_volume block, chef keeps showing an error: RightAws::AwsError: AWS access keys are required to operate on EC2.

I assume that when the cookbook says to omit the resource parameters aws_secret_access_key and aws_access_key, I just delete them from the block.

# No aws_access_key / aws_secret_access_key given: expecting the instance IAM role to be used
aws_ebs_volume "userhome_volume" do
  provider "aws_ebs_volume"
  volume_id node['myusers']['usershome_ebs_volid']
  availability_zone node['myusers']['usershome_ebs_zone']
  device node['myusers']['usershome_ebs_dev_id']
  action :attach
end

Does anyone have an example of the aws cookbook with IAM roles, please?

Update:

  1. Do I still need to define the aws creds data bag if I already have the proper IAM role attached to the instance?

  2. When I use an IAM role and the aws cookbook, what does the aws_ebs_volume block look like?

In order to manage AWS components, you need to provide authentication credentials to the node in one of two ways:

  1. explicitly pass the credentials parameters to the resource, or
  2. let the resource pick up credentials from the IAM role assigned to the instance

When you provision the instance, you should assign it the appropriate role in "Step 3. Configure Instance Details" (when using the console). The setting "IAM role" for EC2 automatically deploys and rotates AWS credentials for you, eliminating the need to store your AWS access keys with your application. On an instance provisioned this way, you no longer need to include aws_access_key and aws_secret_access_key in the aws_ebs_volume block. Here are code examples on how to launch an instance with an IAM role using the IAM and Amazon EC2 CLIs:

http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html

and here are some code examples:

http://www.getchef.com/blog/2013/12/19/automating-iam-credentials-with-ruby-and-chef/

When you assign the appropriate IAM role during instance provisioning, your code should work without aws_access_key and aws_secret_access_key.

Here are the steps:

  1. Set up your S3, Chef server, and IAM role as described here: https://securosis.com/blog/using-amazon-iam-roles-to-distribute-security-credentials-for-chef

  2. Execute “knife client ./” to create client.rb and validation.pem, then transfer them from your Chef server into your bucket.

  3. Launch a new instance with the appropriate IAM Role you set up for Chef and your S3 bucket. Specify your customized cloud-init script in the User Data field or command-line argument as described here:

    https://securosis.com/blog/using-cloud-init-and-s3cmd-to-automatically-download-chef-credentials

    You can also host the script as a file and load it from a central repository using an include.

  4. Execute chef-client.
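As an added illustration of the two ways of providing credentials described above (example code written for this page, not from the aws cookbook or RightAws): a Ruby helper that prefers explicitly passed keys and otherwise reads the instance's IAM role credentials from the EC2 metadata service, refusing a set that has already expired. The metadata URL and JSON field names are the real AWS ones; the role name chef-node-role, the key values and the SAMPLE_* fetcher are constructed so it runs offline.

```ruby
require 'json'
require 'net/http'
require 'time'
# Where EC2 publishes the credentials of the instance's IAM role (real AWS
# metadata endpoint): the role name is listed here, its keys one level below.
IMDS_CREDS_URL = 'http://169.254.169.254/latest/meta-data/iam/security-credentials/'.freeze
# GET a metadata URL with a short timeout; nil on any failure (off EC2 the
# link-local address simply does not answer).
def imds_get(url)
  uri = URI(url)
  Net::HTTP.start(uri.host, uri.port, open_timeout: 1, read_timeout: 1) do |http|
    res = http.get(uri.path)
    res.is_a?(Net::HTTPSuccess) ? res.body : nil
  end
rescue StandardError
  nil
end

# Resolve credentials in the order the answer describes: explicit resource
# parameters win; otherwise fall back to the IAM role from instance metadata.
# Raises, as RightAws does, when neither source is available.
def resolve_aws_credentials(access_key: nil, secret_key: nil, fetch: method(:imds_get), now: Time.now)
  if access_key && secret_key
    return { access_key_id: access_key, secret_access_key: secret_key, source: :explicit }
  end
  role = fetch.call(IMDS_CREDS_URL).to_s.lines.first.to_s.strip
  raise 'AWS access keys are required: no explicit keys and no IAM role on this instance' if role.empty?
  creds = begin
    JSON.parse(fetch.call(IMDS_CREDS_URL + role).to_s)
  rescue JSON::ParserError
    nil
  end
  raise "IAM role #{role} returned no usable credentials" unless creds && creds['Code'] == 'Success'
  expires = Time.parse(creds['Expiration'])
  # Role credentials rotate; never hand out a set that has already expired.
  raise "IAM role credentials expired at #{expires.utc.iso8601}" if expires <= now
  { access_key_id: creds['AccessKeyId'], secret_access_key: creds['SecretAccessKey'],
    session_token: creds['Token'], source: :iam_role, expires: expires }
end

# Constructed sample of what the metadata service returns for a role named
# "chef-node-role" (hypothetical name and key values), so this runs offline.
SAMPLE_IMDS = {
  IMDS_CREDS_URL => "chef-node-role\n",
  IMDS_CREDS_URL + 'chef-node-role' => '{"Code":"Success","Type":"AWS-HMAC",' \
    '"AccessKeyId":"AKIAEXAMPLE","SecretAccessKey":"secretEXAMPLE",' \
    '"Token":"tokenEXAMPLE","Expiration":"2024-01-01T12:00:00Z"}'
}.freeze
SAMPLE_FETCH = ->(url) { SAMPLE_IMDS[url] }
```

Call resolve_aws_credentials(fetch: SAMPLE_FETCH, now: Time.utc(2024, 1, 1, 11)) to see the role path, or pass access_key and secret_key to see the explicit path short-circuit before any metadata lookup.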
