I'm using CloudFormation to manage a Tomcat webserver stack but am tired of doing raw AMI management for new application versions. I'd like to move in the direction of Che
An instance with an IAM Role has temporary security credentials that are automatically rotated. They're available via HTTP at http://169.254.169.254/latest/meta-data/iam/security-credentials/RoleName, where RoleName is whatever you called your role. So they're easy to get from your instance, but they expire regularly.
Using them is a bit tough. CloudFormation can't use temporary credentials directly. The Amazon Linux AMI has Python boto installed, and it's now smart enough to find and use those credentials for you automatically. Here's a one-liner you can put in a script to fetch a file from S3 bucket b, key k to local file f:
python -c "import boto;boto.connect_s3().get_bucket('b').get_key('k').get_contents_to_filename('f')"
boto finds and uses the role's temporary credentials for you, which makes it really easy to use.
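For scripts that read the role credentials document themselves instead of going through boto, the following added example (not part of the original answer) parses that document, decides when the expiring credentials are due for a refresh, and builds a copy that is safe to log. It runs offline on a constructed sample with placeholder values; the function names and the 15-minute refresh margin are assumptions made for the example.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of the JSON document the role credentials URL returns.
# All values are fake placeholders.
SAMPLE_DOC = """{
  "Code": "Success",
  "LastUpdated": "2024-01-01T12:00:00Z",
  "Type": "AWS-HMAC",
  "AccessKeyId": "ASIAEXAMPLEEXAMPLE00",
  "SecretAccessKey": "constructed-secret-not-real",
  "Token": "constructed-session-token-not-real",
  "Expiration": "2024-01-01T18:00:00Z"
}"""

REQUIRED = ("AccessKeyId", "SecretAccessKey", "Token", "Expiration")


def parse_role_credentials(text):
    """Parse the metadata document and return a dict with a datetime expiry."""
    doc = json.loads(text)
    if doc.get("Code") != "Success":
        raise ValueError("metadata service reported %r" % doc.get("Code"))
    missing = [k for k in REQUIRED if not doc.get(k)]
    if missing:
        raise ValueError("missing fields: %s" % ", ".join(missing))
    expires = datetime.strptime(doc["Expiration"], "%Y-%m-%dT%H:%M:%SZ")
    doc["Expiration"] = expires.replace(tzinfo=timezone.utc)
    return doc


def needs_refresh(creds, now, margin=timedelta(minutes=15)):
    """True once the credentials are within `margin` (assumed value) of expiring."""
    return now >= creds["Expiration"] - margin


def redact(creds):
    """Copy that is safe to log: secret and token are replaced, key id truncated."""
    safe = dict(creds, SecretAccessKey="<redacted>", Token="<redacted>")
    safe["AccessKeyId"] = creds["AccessKeyId"][:4] + "..."
    safe["Expiration"] = creds["Expiration"].isoformat()
    return safe


if __name__ == "__main__":
    creds = parse_role_credentials(SAMPLE_DOC)
    now = datetime(2024, 1, 1, 17, 50, tzinfo=timezone.utc)
    print(redact(creds), "refresh:", needs_refresh(creds, now))
```

Because the credentials are temporary, a long-running script should re-read the document when `needs_refresh` returns true instead of caching the values for the life of the process.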