
ec2-user vs root IAM instance profile change

I have a CloudFormation based deployment of an application, which creates an Amazon Linux 2 EC2 instance from a Marketplace AMI with an IAM Instance Profile. In the CloudFormation template, I am running scripts via cfn-init which have some AWS CLI commands in them, like ssm get-parameter, and also am mounting an EFS volume using mount and amazon-efs-utils. This has been working like a charm.

Now I have a customer who is running in their AWS account using the common AMI and CloudFormation templates. For them, the cfn-init is failing because cfn-init is running as root, but root strangely has no IAM privileges and can't run the scripts or the efs-helper based mount, even though the Instance Profile is there. But ec2-user does have IAM privileges from the Instance Profile!

To summarize:

ec2-user does have IAM privileges from the Instance Profile.

# logged in as ec2-user
aws ssm get-parameter --name "/aParameter"

returns a result

root does not have IAM privileges from the Instance Profile.

# logged in as ec2-user
sudo aws ssm get-parameter --name "/aParameter"

An error occurred (ParameterNotFound) when calling the GetParameter operation: 

I expected that all users running in the instance would have the Instance Profile as their credentials if they have not explicitly authenticated some other way. I can't see anything in the customer's environment that would cause this - I was thinking maybe a Service Control Policy - but they have none of that.

Has anyone seen this behavior and have a fix?

Thanks so much in advance.....

I have no idea about the relationship between ec2-user and the instance profile. ec2-user is a user on Linux; an instance profile is an IAM role attached to an EC2 instance. I think you can check with other commands like aws s3 ls. By the way, you are using sudo with root.

It turns out AWS credentials were left in the root user's account on the AMI. :-/

Asri Badlah's aws iam get-user suggestion showed the problem. Thank you!

The instance profile did not have access to get-user, but sudo aws iam get-user did, and it showed the IAM user from the credentials in /root/.aws.
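
The answer above points at the general mechanism: the AWS CLI and SDKs resolve credentials from a provider chain in which environment variables and the per-user files under ~/.aws take precedence over the instance metadata service, so a key file left in /root/.aws silently replaces the instance profile for root (and therefore for cfn-init and anything run via sudo), while ec2-user, whose home has no such file, still falls through to the profile. The shell script below is an added example, not code from the original post or its answerers, that audits an image or a live instance for exactly that condition. The function names are this example's own, and the test data uses the placeholder access key from the AWS documentation rather than any real credential.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post: audit an image (or a
# running instance) for static AWS credentials that would shadow the
# instance profile for some Linux user.
#
# The AWS CLI and SDKs resolve credentials from a chain; the sources
# relevant here, in order of precedence, are:
#   1. AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY in the environment
#   2. the per-user files ~/.aws/credentials and ~/.aws/config
#   3. (last) the instance metadata service, i.e. the instance profile
# Because the files are per user, /root/.aws applies to anything run
# under sudo or by cfn-init, while /home/ec2-user/.aws applies only to
# ec2-user. A leftover key file in /root/.aws therefore gives root a
# different identity than the instance profile, as in the question.
#
# Function names and the layout assumed below are this example's own.

# Report static keys under one home directory.
# Prints one line per finding; returns 1 if anything was found, else 0.
scan_home() {
  local home="$1" found=0 f
  # Shared credential/config files: flag a key, not just the file, since
  # ~/.aws/config may legitimately hold only region/output settings.
  for f in "$home/.aws/credentials" "$home/.aws/config"; do
    [ -r "$f" ] || continue
    if grep -Eiq '^[[:space:]]*aws_(access_key_id|secret_access_key)[[:space:]]*=' "$f"; then
      printf 'static key in %s (profiles: %s)\n' "$f" \
        "$(grep -Eo '^\[[^]]+\]' "$f" | tr -d '[]' | paste -sd, -)"
      found=1
    fi
  done
  # Keys exported from login scripts land in the environment (step 1).
  for f in "$home/.bash_profile" "$home/.bashrc" "$home/.profile"; do
    [ -r "$f" ] || continue
    if grep -Eq 'AWS_(ACCESS_KEY_ID|SECRET_ACCESS_KEY)[[:space:]]*=' "$f"; then
      printf 'credential export in %s\n' "$f"
      found=1
    fi
  done
  return "$found"
}

# Walk root's home and every /home/* under a filesystem root (use "/"
# on a live instance, or the mount point of an AMI snapshot volume).
# Returns 1 if any user would bypass the instance profile.
audit_image() {
  local fsroot="${1%/}" home found=0
  for home in "$fsroot/root" "$fsroot"/home/*; do
    [ -d "$home" ] || continue
    scan_home "$home" || found=1
  done
  return "$found"
}

# Run with a filesystem root as the argument to audit it, e.g. "/" on the
# instance itself or "/mnt/ami" for a mounted snapshot of the image.
if [ $# -gt 0 ]; then
  if audit_image "$1"; then
    echo "no static credentials found under $1"
  else
    echo "static credentials found under $1; remove them before baking the AMI" >&2
    exit 1
  fi
fi
```

On a live instance the quickest confirmation is `aws sts get-caller-identity` run once as ec2-user and once under sudo: with only the instance profile in play both return the same assumed-role ARN, whereas a leftover key file makes root report an IAM user instead. `aws sts get-caller-identity` needs no IAM permissions, so it also works where `aws iam get-user` is denied to the role. The fix is to delete the stray files (and any exports in root's login scripts) before the image is captured, and to rotate the key they contained, since it has been shipped inside every copy of the AMI.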

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Guangdong ICP registration 18138465  © 2020-2024 STACKOOM.COM