Problem:
Configuring credentials through the CLI on an EC2 instance is not considered good practice; an IAM role should be used instead.
Solution Summary:
Configure and use an IAM role instead of configuring credentials in the AWS CLI.
Prerequisites:
An EC2 instance has already been created and launched.
Solution Steps:
- Log in to the AWS console and go to IAM:
  - Go to Roles (side menu).
  - Create a role: give it any name, select Amazon EC2 as the role type, and attach the following policy: AmazonS3FullAccess.
- Go to EC2:
  - Launch a new instance: select the Amazon Linux AMI, t2.micro, select the role we created under IAM roles, tag it as (Key: Name, Value: DemoEC2-WithRoles), use the existing web DMZ security group (or create one if needed), and use an existing EC2 key pair (or create one if needed).
  - Verify from the dashboard that the role is attached.
  - Wait until the EC2 instance is up and running.
- Connect to the EC2 instance through SSH and elevate privileges: sudo su
  - Verify that there is no .aws folder:
    - cd ~
    - ls -a
- Run again: aws s3 ls
  - It should list your S3 buckets.
- Try running: aws s3 help
  - It should give a good description of this command with all available options.
- Remove the EC2 instance.
- Remove the user(s) created.
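The manual checks above (no .aws folder, S3 access working through the role) can be scripted. The following audit is an added example, not part of the original notes: it reports any static credential sources on the host and classifies the caller-identity ARN so you can confirm the CLI is using the instance-profile role rather than access keys. Function names and the sample ARNs are assumptions; running the full audit needs the AWS CLI and network access.

```shell
#!/bin/sh
# Added example (not from the original notes): audit that an EC2 host uses
# its instance-profile role rather than static credentials.
# Function names and sample values are assumptions/constructed.

# Classify the ARN returned by `aws sts get-caller-identity --query Arn`.
# An instance-profile role appears as an STS assumed-role ARN; long-lived
# access keys set up with `aws configure` appear as an IAM user ARN.
classify_arn() {
  case "$1" in
    arn:aws:sts::*:assumed-role/*) echo "instance-role" ;;
    arn:aws:iam::*:user/*)         echo "iam-user" ;;
    *)                             echo "unknown" ;;
  esac
}

# Report static credential sources for a home directory (default: $HOME).
# Returns 0 when none are found, 1 when at least one is present.
no_static_creds() {
  dir="${1:-$HOME}"
  found=0
  if [ -n "${AWS_ACCESS_KEY_ID:-}" ]; then
    echo "env: AWS_ACCESS_KEY_ID is set"; found=1
  fi
  if [ -f "$dir/.aws/credentials" ]; then
    echo "file: $dir/.aws/credentials exists"; found=1
  fi
  if [ -f "$dir/.aws/config" ] && grep -q '^aws_access_key_id' "$dir/.aws/config"; then
    echo "file: access key embedded in $dir/.aws/config"; found=1
  fi
  return "$found"
}

# Full audit as run on the instance: fail if static credentials exist or the
# caller identity is not an assumed role (requires the AWS CLI; not run offline).
audit_host() {
  no_static_creds || return 1
  arn="$(aws sts get-caller-identity --query Arn --output text)" || return 1
  echo "caller: $arn ($(classify_arn "$arn"))"
  [ "$(classify_arn "$arn")" = "instance-role" ]
}
```

Run `audit_host` after `sudo su`; a non-zero exit means the instance still relies on credentials that should have been removed.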
Exam Tips
- You can only assign a role to an EC2 instance when you create that instance; however, you can change the policy document for a role at any time.
- Roles are universal; you can use them in any region.