Monday, 7 April 2014

Use an IAM role to authorise code executing in EC2 instances

This is another in a series of videos that I am producing for my YouTube channel HowDoYouDoStuff.

In this video, I am going to show you how to use an IAM role to authorise code executing in EC2 instances.

You can read the transcript below.



Hi guys. I’m Phil Stirpe.

In this video, I am going to show you how easy it is to use an IAM role to authorise code executing in EC2 instances.

If you have any EC2 instances running in the AWS cloud, it is highly likely that any code running in them will need access to various AWS services from time to time.

For example, you might have an application that must read files from or write files to S3. For that it will need authorisation.

In order to authorise an application or person to access an AWS service, you should first create an IAM user account and then assign it a security policy. The problem comes when you need to pass the credentials from an application to the relevant service.

A common mistake is to hardcode these credentials into the application. As you can see, that is what I have done with this user data script. Although this script executes perfectly well (in fact you may have seen it executed in an earlier video) it isn’t secure.

For a start, you may inadvertently disclose the credentials by creating a video demo like this one and showing it on YouTube. More likely, you might store your code in a repository such as Git, not realising it contained your credentials. The solution is to use IAM roles.

IAM roles are not groups of users. Rather, they are entities to which you can assign security policies, and that applications or instances can assume.

Let me show you this other user data script which I wish to pass to an instance. As you can see, it does not contain any credentials, unlike the other script. Unless the code executes in a context that has permission to access buckets in S3, it will fail. That’s where IAM roles come in.

If I connect to the IAM dashboard, you will see that I have created a role called BootstrapRole. As you can see, I have assigned this role an off-the-shelf security policy which grants it read only access to S3. Any instance that I assign this role to will have the same permissions.
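The following Windows user data script illustrates the approach the video describes. It is an added example, not the script shown in the video; the bucket name, object key and target path are placeholders, and it assumes a role such as BootstrapRole with read-only S3 access is attached to the instance at launch. No access key or secret appears anywhere in it.

```powershell
<powershell>
# Added example (not the script from the video). Bucket, key and paths
# are placeholders. The AWS Tools for PowerShell obtain temporary
# credentials from the instance profile of the attached role, so the
# script itself carries no secrets that could leak via Git or a demo.

$ErrorActionPreference = 'Stop'
Import-Module AWSPowerShell   # preinstalled on Amazon Windows AMIs

$Bucket = 'example-bootstrap-bucket'      # placeholder
$Key    = 'installers/chef-client.msi'    # placeholder
$Target = 'C:\chef\chef-client.msi'

# Fail fast with a clear message if no role is attached: the instance
# metadata service lists the attached role name under security-credentials/.
$roleName = try {
    Invoke-RestMethod -Uri 'http://169.254.169.254/latest/meta-data/iam/security-credentials/'
} catch { $null }
if (-not $roleName) {
    throw 'No IAM role attached to this instance; attach one (e.g. BootstrapRole) rather than embedding keys.'
}
Write-Output "Running with instance role: $roleName"

New-Item -ItemType Directory -Path (Split-Path $Target) -Force | Out-Null

# Read-S3Object picks up the role's temporary credentials automatically;
# the read-only S3 policy assigned to the role is all it needs.
Read-S3Object -BucketName $Bucket -Key $Key -File $Target -Region us-east-1

# Install silently and leave a marker file as evidence the script ran.
Start-Process msiexec.exe -ArgumentList "/qn /i `"$Target`"" -Wait
"$(Get-Date -Format o) bootstrap complete" | Out-File 'C:\bootstrap.txt'
</powershell>
```

If the download fails with AccessDenied while the role check passes, the policy on the role, not the script, is what needs attention.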

So let’s see that role in action. As with my previous video I’m going to launch an EC2 instance and pass it a user data script.

I am choosing Windows as my script is a PowerShell script. I’ll select an m1.medium and then click Configure Instance Details. From there I can expand Advanced Details and then select the file to upload as user data.

I’ll select the script that does not contain credentials and so before I launch I need to select an IAM role to assign to the instance. Any code running in this instance will have whatever privileges are granted in the security policy assigned to that role.

Let me review and launch. Once I’ve selected my key pair the instance will launch.

I will now need to wait a few minutes for the instance to launch and the scripts to execute.

[15 minutes later …]

The instance has now had time to launch and run the bootstrap script. In addition, because this is a Windows server we needed to leave time for the Administrator password to be generated. This is only necessary when you initially launch an instance. It is not required when starting an instance following a shut down.

Let me try to connect to the server. I need to pick my key file in order to decrypt the administrator password.

Now that I have the password, I’m going to download the remote desktop file.

I’ll click on that file to open a remote desktop connection and then enter the password that I retrieved earlier.

Once I connect to the server, I’m looking for evidence my user data script executed. That script should have downloaded installers from S3 for Chef Solo which was then going to use a cookbook to install tools such as Notepad++.

As you can see, I’ve a number of folders such as chef and opscode. There are also 2 text files. These were created by my script, which also installed Chef Solo. The installer for Chef Solo was downloaded from an S3 bucket, proving that the script had access to S3 because the instance had been assigned an appropriate IAM role.

There you have it.

In this video, I have shown you how easy it is to use an IAM role to authorise code executing in EC2 instances.

Thanks for watching and please feel free to comment on my blog ( and Facebook page ( Perhaps you could suggest more video topics? Most of all, don’t forget to subscribe to keep up with my videos as I release them.

Bye for now.


See you soon

Phil Stirpé
"I don't do average!"
