How do I specify that I want to use instance profile credentials when using the AWS CLI from within my EC2 instance? The docs say:
Instance profile credentials – these credentials can be used on EC2
instances with an assigned instance role, and are delivered through
the Amazon EC2 metadata service.
Is this automatic, or do I need to call the metadata service and save the returned credentials to the ~/.aws/credentials file...then make the call?
The credentials file is located at ~/.aws/credentials on Linux or macOS, or at C:\Users\USERNAME\.aws\credentials on Windows. This file can contain the credential details for the default profile and any named profiles.
When you run the AWS CLI from within an Amazon Elastic Compute Cloud (Amazon EC2) instance, you can simplify providing credentials to your commands. Each Amazon EC2 instance contains metadata that the AWS CLI can directly query for temporary credentials.
Applications that run on an Amazon EC2 instance must include AWS credentials in the AWS API requests. You could have your developers store AWS credentials directly within the Amazon EC2 instance and allow applications in that instance to use those credentials.
Instance profiles are an AWS feature that allows EC2 instances to connect to other AWS resources with temporary credentials. These credentials are short-lived and are automatically rotated by AWS. Users can only request temporary credentials from within EC2 instances.
You are talking about IAM Roles. These are attached to the EC2 instance and the keys are rolled/rotated every four hours.
You do not need to pull those from the instance metadata and supply them to the aws-cli or an SDK; they will pull them automatically.
If you run aws-cli with the --debug flag, you should see the credentials being picked up:
$ aws --debug s3 ls
...
2015-03-10 18:15:04,459 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: iam-role
2015-03-10 18:15:04,465 - MainThread - botocore.vendored.requests.packages.urllib3.connectionpool - INFO - Starting new HTTP connection (1): 169.254.169.254
2015-03-10 18:15:04,466 - MainThread - botocore.vendored.requests.packages.urllib3.connectionpool - DEBUG - "GET /latest/meta-data/iam/security-credentials/ HTTP/1.1" 200 37
2015-03-10 18:15:04,468 - MainThread - botocore.vendored.requests.packages.urllib3.connectionpool - INFO - Starting new HTTP connection (1): 169.254.169.254
2015-03-10 18:15:04,469 - MainThread - botocore.vendored.requests.packages.urllib3.connectionpool - DEBUG - "GET /latest/meta-data/iam/security-credentials/myrole-snipped HTTP/1.1" 200 898
2015-03-10 18:15:04,469 - MainThread - botocore.credentials - INFO - Found credentials from IAM Role: myrole-snipped
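To check the answer's point on a given instance, the added example below (not part of the original answer) parses `aws --debug` output and reports which credential provider the CLI settled on. The first sample reuses lines from the log above; the second is constructed, and its "shared credentials file" message wording is an assumption about botocore's output. It covers the case where static keys in the environment or in ~/.aws/credentials are found first, so the instance role is never consulted.

```python
import re

# Sample 1: lines taken from the debug output in the answer above.
SAMPLE_ROLE = """\
2015-03-10 18:15:04,459 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: iam-role
2015-03-10 18:15:04,469 - MainThread - botocore.vendored.requests.packages.urllib3.connectionpool - DEBUG - "GET /latest/meta-data/iam/security-credentials/myrole-snipped HTTP/1.1" 200 898
2015-03-10 18:15:04,469 - MainThread - botocore.credentials - INFO - Found credentials from IAM Role: myrole-snipped
"""

# Sample 2 (constructed): static keys in the credentials file are found
# before the iam-role provider is ever tried.
SAMPLE_FILE = """\
2015-03-10 18:20:00,001 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: env
2015-03-10 18:20:00,002 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: shared-credentials-file
2015-03-10 18:20:00,003 - MainThread - botocore.credentials - INFO - Found credentials in shared credentials file: ~/.aws/credentials
"""

LOOKING = re.compile(r"botocore\.credentials - DEBUG - Looking for credentials via: (\S+)")
FOUND = re.compile(r"botocore\.credentials - INFO - Found credentials (?:from|in) (.+)$")
ROLE = re.compile(r"^IAM Role: (.+)$")


def credential_source(debug_log):
    """Summarise which provider supplied credentials, from `aws --debug` text."""
    tried, found = [], None
    for line in debug_log.splitlines():
        m = LOOKING.search(line)
        if m:
            tried.append(m.group(1))  # providers in the order they were tried
            continue
        m = FOUND.search(line)
        if m and found is None:
            found = m.group(1).strip()  # first provider that returned keys
    role = ROLE.match(found or "")
    return {
        "tried": tried,
        "found": found,
        "role": role.group(1) if role else None,
        # True only when the instance role supplied the credentials.
        "uses_instance_profile": role is not None,
    }


if __name__ == "__main__":
    for name, log in (("role", SAMPLE_ROLE), ("file", SAMPLE_FILE)):
        print(name, credential_source(log))
```

If `uses_instance_profile` comes back False on an instance that has a role attached, look for leftover keys in environment variables or ~/.aws/credentials, since those are checked before the metadata service.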