Monday, September 27, 2010

Using Policies in AWS Identity and Access Management

For a project I'm working on here at work, I wanted to create a AWS user that could only launch instances, but could not write to S3, query SDB

{
 "Statement":[ {
    "Effect":"Allow",
    "Action":["ec2:RunInstances","ec2:RebootInstances",
              "ec2:GetConsoleOutput", "ec2:DescribeInstances" ],
    "Resource":"*"
  }, {
    "Effect":"Allow",
    "Action":["ec2:StopInstances","ec2:StartInstances",
              "ec2:TerminateInstances"],
    "Resource":"*"
  }, {
    "Effect":"Allow",
    "Action":["ec2:DescribeImages"],
    "Resource":"*"
  }, {
    "Effect":"Deny",
    "NotAction":["ec2:*"],
    "Resource":"*"
  } ]
}


I had hoped that I could allow this user to create his own security groups and keypairs (for launching instances with 'ec2-run-instances --key', and that I could also allow him to modify or delete those items as well. Unfortunately, I was not able to figure out how to do this. What I had hoped I could do was something like was something like:
{
  "Effect":"Allow",
  "Action":["ec2:*SecurityGroup*"],
  "Condition" :  {
     "StringLike": {
        "ec2:groupName":"foouser*"
     }
  },
  "Resource":"*"
},
{
  "Effect":"Allow",
  "Action":["ec2:*KeyPair*"],
  "Condition" :  {
     "StringLike": {
        "ec2:keyName":"foouser*"
     }
  },
  "Resource":"*"
}

The 'keyName' is an atribute of the [Add,Delete,Describe]KeyPair API calls, and 'groupName' is an attribute of the [Add,Delete]SecurityGroups and AuthorizeSecurityGroupIngress API calls as described in the EC2 API

My goal was to limit the user ('foouser') to manipulating SecurityGroups or KeyPairs that begain with 'foouser'. This would be a clear indication to other users of the account when they came across them.

However, the 'Condition' syntax isn't as "open" as that (couldn't think of a better term for than 'open'). I can think of reasons as to why it would be difficult or undesireable to make Conditions function like I wanted, but it would have been nice.

The IAM EC2 documentation indicates that EC2 only supports the following Condition types: aws:CurrentTime aws:EpochTime aws:SecureTransport aws:SourceIp and aws:UserAgent.

It seems to me that SecurityGroups and keypairs are an essential piece of Using EC2, but it seems like these are stuck at the account level, with no ability to limit them at the user level.

Another thing that I would like to do is give the user the ability to launch / stop / start / terminate her own instances, but not other users of the account. If I truly try to use IAM to split up my account usage, say with 'Development' and 'Production' users or groups, this is essential. When I use the 'Development' user I want to be protected from an accidental reboot or terminate of a 'Production' instance.

For example, I test our Official Ubuntu images. The testing scripts launch several instances. While they're running, I'll often be doing development, and also have an instance running. I would like my 'development' work to not accidentally terminate (or otherwise affect) my test runs. As it is right now, a 'euca-describe-instances' will show me all instances in either account, just waiting for me to copy and paste wrong and terminate one.

It is quite possible that I've missed something, if so, please let me know.

Wednesday, September 22, 2010

Playing with AWS Access Identity Management

Today I finally found some time to play with AWS Identity and Access Management. If you hadn't seen the announcement, or aren't familiar, the IAM tools basically allow you to create, manage, and limit multiple AWS accounts under a single account.


There are 2 reasons that immediately spring to mind for when you should use this:

  • If you're sharing an single AWS account between multiple people, then using this is almost required.
  • you want to use some AWS facility from inside an EC2 instance. Here, it just seems scary to put the entire keys to your account onto a remote machine.
To get started, I walked through the Getting Started guide. I downloaded the IAM Tools, and set them up as described. On Ubuntu, that consisted of:



$ wget http://awsiammedia.s3.amazonaws.com/public/tools/cli/latest/IAMCli.zip
$ unzip IAMCli.zip
$ vi my-account-creds.txt
$ cat my-account-creds.txt
AWSAccessKeyId=ABCDEFGHIJKLMNOPQRST
AWSSecretKey=zyxwvutsrqponmlkjihgfedcbazyxwvutsrqponm
$ export AWS_CREDENTIAL_FILE=my-account-creds.txt
$ export AWS_IAM_HOME=$PWD/IAMCli
$ export PATH=$AWS_IAM_HOME:$PATH JAVA_HOME=/usr


Then, I created a user and admin group as described in the guide:


$ iam-groupcreate -g admins
$ cat AdminGroupPolicy.txt
{
   "Statement":[{
      "Effect":"Allow",
      "Action":"*",
      "Resource":"*"
      }
   ]
}

$ iam-groupuploadpolicy -g admins -p AdminGroupPolicy -f AdminGroupPolicy.txt
$ iam-usercreate -u smoser -g Admins -k -v
TSRQPONMLKJIHGFEDCBA
mnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz
arn:aws:iam::950047163771:user/smoser
AHDAIABBGZ3Q31XMUE4AN


The first line of the iam-createuser output is the AWSAccessKeyId, and the second is the AWSSecretKey. I quickly added those to a file my-user-creds.txt as shown above, and set AWS_CREDENTIAL_FILE=my-user-creds.txt .

That's all it took. Now I have a set of credentials that I can use, and if they're lost or stolen, I can revoke them with the (now safely locked up) account credentials.

At this point, I could use the euca2ools with a config file like:

$ cat my-user-eucarc
AWSAccessKeyId=ABCDEFGHIJKLMNOPQRST
AWSSecretKey=mnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz
EC2_SECRET_KEY=${AWSSecretKey}
EC2_ACCESS_KEY=${AWSAccessKeyId}
EC2_USER_ID=950047163771
EC2_URL=https://ec2.amazonaws.com
S3_URL=https://s3.amazonaws.com:443
EC2_CERT=/etc/ec2/cert-ec2.pem
$ euca-describe-instances --config my-user-eucarc


Additionally, the above will also suffice as an AWS_CREDENTIAL_FILE for the iam-tools.

Thats great, but for one reason or another, I end up using the ec2-api-tools for a large amount of my work. Those tools require a private key and certificate. So, I had to go about creating one for my new user. Thanks to Nate@AWS in an EC2 Forum Post, that was easy also.


$ openssl version
OpenSSL 0.9.8o 01 Jun 2010
$ openssl genrsa 1024 > pk.pem
$ openssl req -new -x509 -nodes -sha1 -days 730 -key pk.pem -out cert.pem
# follow prompts here
$ iam-useraddcert -u smoser -f cert.pem
$ export EC2_PRIVATE_KEY=$PWD/pk.pem EC2_CERT=$PWD/cert.pem
$ ec2-describe-instances ...


Now my ec2-api-tools are functional. I have to admit to not completely understanding the implications of self signing a certificate here and uploading it. However, as I was authenticated to do the upload (via https and the given credentials) and only my user will use that signing key, I don't know what harm there could be.

Now I have the following TODOs:
  • Post about creating an IAM Policy
  • package the IAM tools for Ubuntu multiverse

Updates:

  • 2010-10-12: update case in AWS_IAM_HOME string ('IamCli' -> 'IAMCli')

Thursday, September 9, 2010

running Ubuntu on an Amazon "micro" instance

Amazon announced today a new instance type. The "micro" instance type (t1.micro) has 613 MB of memory and can be used with AMIs of either x86 or x86_64. The cost for either is only $0.02 per hour.

That means that you can try out Ubuntu on EC2 for 2 measly cents. The official images of Ubuntu 10.04 LTS (Lucid Lynx) are perfect for this. If you're more adventurous and want to try out 10.10, please try out a daily build.

I think this smaller instance size really makes EC2 available to a lot more people. The minimum price for running an instance for a month goes from something like $70 (31 * 24 * 0.095) to less than $15. If you add to that the fact that you can shut down the instance and not be charged for unused CPU time, then start it back up when you need it, it can be really cheap. If you happen to need more CPU power, you can even shut it down, and start it back up with more resources!

So what are you waiting for!

$ MY_LAUNCHPAD_ID="smoser"
$ printf "#cloud-config\n%s\n" "ssh_import_id: [${MY_LAUNCHPAD_ID}]" > user-data.txt
$ ec2-run-instances --region us-east-1 --user-data-file=user-data.txt ami-1234de7b


A few things to note:
  • Bug 634102 has to be worked around or you will not be able to reboot your instance. There are cloud-init debs available in my personal PPA with fixes. 10.10 won't have the issue, and I'll work on getting the fix backported to 10.04.  You can easily fix that by running:

    arch=$(uname -m)
    [ "$arch" = "x86_64" ] && ephd=/dev/sdb || ephd=/dev/sda2
    sudo sed -i.dist "\,${ephd},s,^,#," /etc/fstab

  • One interesting feature of this instance type is that it will run images that are x86 or x86_64 arch. Previously each instance type only ran a single arch.
  • Above, I launched the instance with cloud-config syntax that will pull in my keys from launchpad rather than using public ssh keys stored in EC2. Thats why I didn't need to pass '--key <mykey>'

edits

  • I fixed the ami id above, I had listed a instance-store image.  Also, a thing to note is that with t1.micro instances you *have* to use EBS images.
  • I fixed the 'sed' command above, and fixed the price for m1.small (0.095, not 0.95)