Wednesday, September 22, 2010

Playing with AWS Access Identity Management

Today I finally found some time to play with AWS Identity and Access Management. If you hadn't seen the announcement, or aren't familiar, the IAM tools basically allow you to create, manage, and limit multiple AWS accounts under a single account.


There are 2 reasons that immediately spring to mind for when you should use this:

  • If you're sharing an single AWS account between multiple people, then using this is almost required.
  • you want to use some AWS facility from inside an EC2 instance. Here, it just seems scary to put the entire keys to your account onto a remote machine.
To get started, I walked through the Getting Started guide. I downloaded the IAM Tools, and set them up as described. On Ubuntu, that consisted of:



$ wget http://awsiammedia.s3.amazonaws.com/public/tools/cli/latest/IAMCli.zip
$ unzip IAMCli.zip
$ vi my-account-creds.txt
$ cat my-account-creds.txt
AWSAccessKeyId=ABCDEFGHIJKLMNOPQRST
AWSSecretKey=zyxwvutsrqponmlkjihgfedcbazyxwvutsrqponm
$ export AWS_CREDENTIAL_FILE=my-account-creds.txt
$ export AWS_IAM_HOME=$PWD/IAMCli
$ export PATH=$AWS_IAM_HOME:$PATH JAVA_HOME=/usr


Then, I created a user and admin group as described in the guide:


$ iam-groupcreate -g admins
$ cat AdminGroupPolicy.txt
{
   "Statement":[{
      "Effect":"Allow",
      "Action":"*",
      "Resource":"*"
      }
   ]
}

$ iam-groupuploadpolicy -g admins -p AdminGroupPolicy -f AdminGroupPolicy.txt
$ iam-usercreate -u smoser -g Admins -k -v
TSRQPONMLKJIHGFEDCBA
mnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz
arn:aws:iam::950047163771:user/smoser
AHDAIABBGZ3Q31XMUE4AN


The first line of the iam-createuser output is the AWSAccessKeyId, and the second is the AWSSecretKey. I quickly added those to a file my-user-creds.txt as shown above, and set AWS_CREDENTIAL_FILE=my-user-creds.txt .

That's all it took. Now I have a set of credentials that I can use, and if they're lost or stolen, I can revoke them with the (now safely locked up) account credentials.

At this point, I could use the euca2ools with a config file like:

$ cat my-user-eucarc
AWSAccessKeyId=ABCDEFGHIJKLMNOPQRST
AWSSecretKey=mnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz
EC2_SECRET_KEY=${AWSSecretKey}
EC2_ACCESS_KEY=${AWSAccessKeyId}
EC2_USER_ID=950047163771
EC2_URL=https://ec2.amazonaws.com
S3_URL=https://s3.amazonaws.com:443
EC2_CERT=/etc/ec2/cert-ec2.pem
$ euca-describe-instances --config my-user-eucarc


Additionally, the above will also suffice as an AWS_CREDENTIAL_FILE for the iam-tools.

Thats great, but for one reason or another, I end up using the ec2-api-tools for a large amount of my work. Those tools require a private key and certificate. So, I had to go about creating one for my new user. Thanks to Nate@AWS in an EC2 Forum Post, that was easy also.


$ openssl version
OpenSSL 0.9.8o 01 Jun 2010
$ openssl genrsa 1024 > pk.pem
$ openssl req -new -x509 -nodes -sha1 -days 730 -key pk.pem -out cert.pem
# follow prompts here
$ iam-useraddcert -u smoser -f cert.pem
$ export EC2_PRIVATE_KEY=$PWD/pk.pem EC2_CERT=$PWD/cert.pem
$ ec2-describe-instances ...


Now my ec2-api-tools are functional. I have to admit to not completely understanding the implications of self signing a certificate here and uploading it. However, as I was authenticated to do the upload (via https and the given credentials) and only my user will use that signing key, I don't know what harm there could be.

Now I have the following TODOs:
  • Post about creating an IAM Policy
  • package the IAM tools for Ubuntu multiverse

Updates:

  • 2010-10-12: update case in AWS_IAM_HOME string ('IamCli' -> 'IAMCli')

4 comments:

  1. Quick note for windows users,
    you may use S3 Browser's IAM Tool: http://s3browser.com/iam-aws-identity-and-access-management.php

    ReplyDelete
  2. Thanks for the guides - however I have some improvements :) As the IAMCli.zip extracts to a folder with the version number attached, you need to be a little clever about obtaining the correct path. Also, your PATH environment variable is missing the bin sub-folder for the IAM folder. I use the following:

    $ export AWS_IAM_HOME=`cd IAMCli-* && pwd`
    $ export PATH=$AWS_IAM_HOME/bin:$PATH

    ReplyDelete
  3. @Matt,
    Thanks for the corrections. Also, please note that we now have official Ubuntu packages in the 11.04 archive (in multiverse).
    We've made packages available for 10.04 and 10.10 in the ppa at https://launchpad.net/~awstools-dev/+archive/awstools .

    ReplyDelete
  4. This comment has been removed by a blog administrator.

    ReplyDelete