What's the best method for passing AWS credentials as user data to an EC2 instance?

Question

I have a job processing architecture based on AWS that requires EC2 instances query S3 and SQS. In order for running instances to have access to the API the credentials are sen

Answer 1

The best way is to use instance profiles. The basic idea is:

• Create an instance profile
• Create a new IAM role

• Assign a policy to the previously created role, for example:

  { "Statement": [ { "Sid": "Stmt1369049349504", "Action": "sqs:", "Effect": "Allow", "Resource": "" } ] }

• Associate the role and instance profile together.

• When you start a new EC2 instance, make sure you provide the instance profile name.

If all works well, and the library you use to connect to AWS services from within your EC2 instance supports retrieving the credentials from the instance meta-data, your code will be able to use the AWS services.

A complete example taken from the boto-user mailing list:

First, you have to create a JSON policy document that represents what services and resources the IAM role should have access to. for example, this policy grants all S3 actions for the bucket "my_bucket". You can use whatever policy is appropriate for your application.

BUCKET_POLICY = """{
  "Statement":[{
    "Effect":"Allow",
    "Action":["s3:*"],
    "Resource":["arn:aws:s3:::my_bucket"]}]}"""

Next, you need to create an Instance Profile in IAM.

import boto
c = boto.connect_iam()
instance_profile = c.create_instance_profile('myinstanceprofile')

Once you have the instance profile, you need to create the role, add the role to the instance profile and associate the policy with the role.

role = c.create_role('myrole')
c.add_role_to_instance_profile('myinstanceprofile', 'myrole')
c.put_role_policy('myrole', 'mypolicy', BUCKET_POLICY)

Now, you can use that instance profile when you launch an instance:

ec2 = boto.connect_ec2()
ec2.run_instances('ami-xxxxxxx', ..., instance_profile_name='myinstanceprofile')