AWS IAM Roles


Danny Berger <dpb587@...>

Hi - I'm interested in being able to assign IAM Roles
<http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html>
to my AWS VMs. My goal is to avoid AWS credentials in my deployment
manifests and, instead, let my deployed jobs utilize the AWS metadata
endpoint to retrieve the latest credentials.

I'm also hoping such a change might eventually work for micro/boshes that
bosh-init creates, avoiding the need to manually rotate those powerful keys.

I imagine this as a new, AWS-specific cloud option for resource pools. Is
this something which would be considered as a PR, and are there any
particular considerations I should take before implementing this?

Thanks!

Danny


--
Danny Berger
http://dpb587.me


James Bayer

Dave Rocamora has been looking into this a bit and getting some advice from
Dmitriy:
https://github.com/drocamor/bosh/commit/941215ee3076923c1c2aaf69d4d57df6b439e71c

On Tue, Aug 4, 2015 at 4:43 PM, Danny Berger <dpb587(a)gmail.com> wrote:

--
Thank you,

James Bayer


Danny Berger <dpb587@...>

Thanks! That looks very promising - I'll give it a try.

On Tue, Aug 4, 2015 at 8:43 PM, James Bayer <jbayer(a)pivotal.io> wrote:

--
Danny Berger
http://dpb587.me


Sean Keery <skeery@...>

I would like to see the use of the valet key pattern in this case instead
of using the latest credentials. That way my CI can commit the BOSH
deployment manifest to source control and I can trace any changes which use
that unique key (ideally just one). It also lets me eliminate a spiff
merge of the credentials from a separate repository.

Sean

On Tue, Aug 4, 2015 at 10:43 PM, James Bayer <jbayer(a)pivotal.io> wrote:

--
Sean Keery
Senior Solutions Architect
Pivotal <http://www.pivotal.io/> Cloud Foundry Solutions
Mobile: 970.274.1285 | skeery(a)pivotal.io
LinkedIn: @zgrinch <http://www.linkedin.com/in/zgrinch> | Twitter: @zgrinch
<https://twitter.com/zgrinch> | Github: @skibum55
<https://github.com/skibum55>


James Bayer

Sean,

I think you'll find the approach being implemented by David takes us down
the path that enables an IAM roles best practice recommended by Amazon. IAM
credentials can be provided by the AWS metadata service inside the bosh
director instance [1] and the credentials rotated transparently to the bosh
configuration since the AWS SDK knows to use the metadata service to
retrieve credentials.

[1]
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories

On Fri, Aug 7, 2015 at 11:53 AM, Sean Keery <skeery(a)pivotal.io> wrote:




--
Thank you,

James Bayer
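The mechanism James describes above, as an added example that is not part of the thread, the BOSH AWS CPI, or the AWS SDK: a small Ruby credential provider that asks the EC2 instance metadata endpoint (http://169.254.169.254/latest/meta-data/iam/security-credentials/) for the attached role's name, fetches the temporary credentials for that role, and refreshes them shortly before the Expiration the service reports, which is what makes rotation invisible to the deployment manifest. The role name `bosh-director`, the placeholder key ids, the timestamps and the five-minute refresh margin are assumptions for the demo; the HTTP fetcher is injectable so the rotation logic runs offline against constructed responses. One caveat to keep in mind when scoping the role's policy: any process on the instance that can reach 169.254.169.254 can read these credentials, so the role should carry only the permissions the director actually needs.

```ruby
require 'json'
require 'time'
require 'net/http'
require 'uri'

# Example credential provider (not BOSH or AWS SDK code): reads the IAM role
# credentials exposed by the EC2 instance metadata service and refreshes them
# before they expire, which is what the AWS SDK does behind the scenes.
class InstanceProfileCredentials
  METADATA_BASE = 'http://169.254.169.254/latest/meta-data/iam/security-credentials/'.freeze
  REFRESH_MARGIN = 5 * 60 # assumed: refresh this many seconds before expiry

  # fetcher: callable taking a URL string and returning the response body.
  # clock:   callable returning the current UTC time.
  # Both are injectable so the refresh behaviour can be exercised offline.
  def initialize(fetcher: method(:http_get), clock: -> { Time.now.utc })
    @fetcher = fetcher
    @clock = clock
    @creds = nil
  end

  # Returns the cached credential set, refreshing from the metadata service
  # when nothing is cached yet or the cached set is within REFRESH_MARGIN of expiry.
  def credentials
    refresh! if @creds.nil? || near_expiry?
    @creds
  end

  def near_expiry?
    @creds[:expiration] - @clock.call <= REFRESH_MARGIN
  end

  # Two round trips: the role name, then the credential document for that role.
  def refresh!
    role = @fetcher.call(METADATA_BASE).strip
    raise 'no IAM role attached to this instance' if role.empty?
    doc = JSON.parse(@fetcher.call(METADATA_BASE + role))
    raise "metadata returned #{doc['Code']}" unless doc['Code'] == 'Success'
    @creds = {
      access_key_id: doc['AccessKeyId'],
      secret_access_key: doc['SecretAccessKey'],
      session_token: doc['Token'],
      expiration: Time.iso8601(doc['Expiration'])
    }
  end

  private

  # Real fetcher: short timeouts so a VM without the link-local endpoint fails fast.
  def http_get(url)
    uri = URI(url)
    http = Net::HTTP.new(uri.host, uri.port)
    http.open_timeout = 1
    http.read_timeout = 1
    res = http.get(uri.request_uri)
    raise "metadata service returned #{res.code}" unless res.is_a?(Net::HTTPSuccess)
    res.body
  end
end

# Constructed sample responses in the shape the metadata service returns.
# The role name and key ids are placeholders, not real credentials.
SAMPLE_ROLE = 'bosh-director'.freeze

def sample_doc(access_key, expiration)
  JSON.generate(
    'Code' => 'Success',
    'LastUpdated' => '2015-08-04T20:00:00Z',
    'Type' => 'AWS-HMAC',
    'AccessKeyId' => access_key,
    'SecretAccessKey' => 'EXAMPLE-SECRET',
    'Token' => 'EXAMPLE-SESSION-TOKEN',
    'Expiration' => expiration
  )
end

# Simulates rotation: the first credential set expires at T+1h, the second at
# T+7h. A caller 30 minutes in gets the cached set; a caller 58 minutes in is
# inside the refresh margin and transparently picks up the new set.
def demo_rotation
  now = Time.utc(2015, 8, 4, 20, 0, 0)
  responses = [
    sample_doc('AKIAEXAMPLE1', '2015-08-04T21:00:00Z'),
    sample_doc('AKIAEXAMPLE2', '2015-08-05T03:00:00Z')
  ]
  fetches = 0
  fetcher = lambda do |url|
    next SAMPLE_ROLE if url.end_with?('/security-credentials/')
    fetches += 1
    responses[[fetches - 1, responses.size - 1].min]
  end
  provider = InstanceProfileCredentials.new(fetcher: fetcher, clock: -> { now })
  first = provider.credentials[:access_key_id]
  now += 30 * 60
  cached = provider.credentials[:access_key_id]
  now += 28 * 60
  rotated = provider.credentials[:access_key_id]
  { first: first, cached: cached, rotated: rotated, fetches: fetches }
end

puts demo_rotation.inspect if __FILE__ == $PROGRAM_NAME
```

Running the file prints the result of demo_rotation; on a real instance, InstanceProfileCredentials.new.credentials goes through Net::HTTP, and a VM with no role attached raises instead of silently handing back an empty credential set.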