AWS instance distcp to s3 - Access keys
Question
If I have an EC2 instance created with a role, what is the best practice way to get access keys to do a distcp from hdfs to s3?
I don't want to be sending access keys to the instance using our automated deployment tools because that would mean storing the keys in plain sight. Is there a way for the instance to request a set of keys using the CLI?
I need to have them for hadoop distcp /data s3n://<access_key>:<secret_key>@mybucket/baackup/data
1 answers
solution1
3 ACCPTED 2015-10-18 04:23:29
When an Amazon EC2 instance is launched with a Role, then the instance is given access to temporary security keys via the Instance Metadata Service. It works as follows:
- A Role is created in Identity and Access Management (IAM)
- Appropriate permissions are granted to the role
- An Amazon EC2 instance is launched with that Role selected. If you are using Amazon Elastic MapReduce (EMR) to launch the instances, then they are typically assigned an EMR-specific role (which you can modify
- A set of temporary security credentials are made available to the instance via the URL
http://169.254.169.254/latest/meta-data/iam/security-credentials/
Software that calls the AWS SDK knows to automatically look at this URL to retrieve security credentials. If the software you are using does not automatically look at this URL, you can extract them and pass them to the software.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.