AWS IAM Roles
Danny Berger <dpb587@...>
Hi - I'm interested in being able to assign IAM Roles
<http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html> to my AWS VMs. My goal is to avoid AWS credentials in my deployment manifests and, instead, let my deployed jobs utilize the AWS metadata endpoint to retrieve the latest credentials. I'm also hoping such a change might eventually work for micro/boshes that bosh-init creates, avoiding the need to manually rotate those powerful keys.

I imagine this as a new, AWS-specific cloud option for resource pools. Is this something which would be considered as a PR, and are there any particular considerations I should take before implementing this?

Thanks!

Danny

--
Danny Berger
http://dpb587.me
James Bayer
dave rocamora has been looking into this a bit and getting some advice from dmitriy: https://github.com/drocamor/bosh/commit/941215ee3076923c1c2aaf69d4d57df6b439e71c

On Tue, Aug 4, 2015 at 4:43 PM, Danny Berger <dpb587(a)gmail.com> wrote:
> Hi - I'm interested in being able to assign IAM Roles --
Thank you, James Bayer
Danny Berger <dpb587@...>
Thanks! That looks very promising - I'll give it a try.

On Tue, Aug 4, 2015 at 8:43 PM, James Bayer <jbayer(a)pivotal.io> wrote:
> dave rocamora has been looking into this a bit and getting some advice
Sean Keery <skeery@...>
I would like to see the use of the valet key pattern in this case instead of using the latest credentials. That way my CI can commit the BOSH deployment manifest to source control and I can trace any changes which use that unique key (ideally just one). It also lets me eliminate a spiff merge of the credentials from a separate repository.

Sean

On Tue, Aug 4, 2015 at 10:43 PM, James Bayer <jbayer(a)pivotal.io> wrote:
> dave rocamora has been looking into this a bit and getting some advice --

--
Sean Keery
Senior Solutions Architect
Pivotal <http://www.pivotal.io/> Cloud Foundry Solutions
Mobile: 970.274.1285 | skeery(a)pivotal.io
LinkedIn: @zgrinch <http://www.linkedin.com/in/zgrinch> | Twitter: @zgrinch <https://twitter.com/zgrinch> | Github: @skibum55 <https://github.com/skibum55>
James Bayer
sean,

i think you'll find the approach being implemented by david takes us down the path that enables an IAM roles best practice recommended by amazon. IAM credentials can be provided by the AWS metadata service inside the bosh director instance [1] and the credentials rotated transparently to the bosh configuration, since the AWS SDK knows to use the metadata service to retrieve credentials.

[1] http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories

On Fri, Aug 7, 2015 at 11:53 AM, Sean Keery <skeery(a)pivotal.io> wrote:
> I would like to see the use of the valet key pattern in this case instead --
Thank you, James Bayer
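The rotation James describes, written out as an added example (this is not code from the thread, from BOSH, or from the AWS SDK). It models what the SDK's instance-profile credential provider does against the metadata endpoint linked in [1]: read the role name from `/latest/meta-data/iam/security-credentials/`, fetch that role's JSON credential document, cache it, and re-fetch shortly before `Expiration`. The HTTP fetch and clock are injected so it runs offline; the role name `bosh-director`, the five-minute refresh margin and the `FakeMetadataService` stand-in are assumptions for the demo.

```ruby
require 'json'
require 'time'

# Added example, not BOSH or AWS SDK code. Models what the AWS SDK's
# instance-profile credential provider does against the metadata service:
# 1. GET http://169.254.169.254/latest/meta-data/iam/security-credentials/
#    returns the instance-profile role name,
# 2. GET .../security-credentials/<role-name> returns a JSON document with
#    AccessKeyId, SecretAccessKey, Token and Expiration,
# 3. the credentials are cached and re-fetched shortly before Expiration,
#    so the deployment manifest never holds long-lived keys.
# The HTTP fetch is injected (`fetch`) so the example runs offline.
METADATA_BASE = 'http://169.254.169.254/latest/meta-data/iam/security-credentials/'.freeze

Credentials = Struct.new(:access_key_id, :secret_access_key, :session_token, :expiration)

class InstanceProfileCredentials
  REFRESH_MARGIN = 5 * 60 # seconds before Expiration at which we refresh (assumed)

  # fetch: callable taking a URL and returning the response body (String).
  # now:   callable returning the current Time (injectable for tests).
  def initialize(fetch:, now: -> { Time.now })
    @fetch = fetch
    @now = now
    @cached = nil
  end

  # Returns the current credentials, refreshing them from the metadata
  # service when none are cached or they are about to expire.
  def credentials
    refresh! if @cached.nil? || expiring_soon?
    @cached
  end

  def expiring_soon?
    @cached.expiration - @now.call <= REFRESH_MARGIN
  end

  private

  def refresh!
    role = @fetch.call(METADATA_BASE).strip
    raise 'no IAM role attached to this instance' if role.empty?
    doc = JSON.parse(@fetch.call(METADATA_BASE + role))
    raise "metadata returned #{doc['Code']}" unless doc['Code'] == 'Success'
    @cached = Credentials.new(doc['AccessKeyId'], doc['SecretAccessKey'],
                              doc['Token'], Time.iso8601(doc['Expiration']))
  end
end

# --- Constructed offline stand-in for the metadata service ---------------
# Hands out a fresh key on every credential fetch so rotation is observable.
class FakeMetadataService
  attr_reader :calls

  def initialize(clock, lifetime: 6 * 3600)
    @clock = clock
    @lifetime = lifetime
    @calls = 0
    @serial = 0
  end

  def call(url)
    @calls += 1
    return "bosh-director\n" if url == METADATA_BASE   # assumed role name
    raise "404 #{url}" unless url == METADATA_BASE + 'bosh-director'
    @serial += 1
    JSON.generate(
      'Code' => 'Success', 'Type' => 'AWS-HMAC',
      'AccessKeyId' => "ASIAEXAMPLE#{@serial}",        # constructed values
      'SecretAccessKey' => "secret#{@serial}", 'Token' => "token#{@serial}",
      'LastUpdated' => @clock.call.utc.iso8601,
      'Expiration' => (@clock.call + @lifetime).utc.iso8601
    )
  end
end

# Drives the provider through one rotation: the first call fetches, a second
# call well inside the lifetime is served from cache, a call one minute before
# expiry re-fetches and receives the rotated key.
def demo_rotation
  t0 = Time.utc(2015, 8, 7, 12, 0, 0)
  now = t0
  clock = -> { now }
  metadata = FakeMetadataService.new(clock)
  provider = InstanceProfileCredentials.new(fetch: metadata.method(:call), now: clock)

  first = provider.credentials
  cached = provider.credentials          # no metadata call
  now = t0 + 6 * 3600 - 60               # 1 minute before Expiration
  rotated = provider.credentials         # re-fetch
  { first: first.access_key_id, cached: cached.access_key_id,
    rotated: rotated.access_key_id, metadata_calls: metadata.calls }
end

puts demo_rotation.inspect if $PROGRAM_NAME == __FILE__
```

The point to keep in mind when adopting this: the metadata endpoint is unauthenticated from the instance's point of view, so any process on the director VM that can reach 169.254.169.254 can read the same temporary credentials. Role-based credentials remove the keys from the manifest and make rotation automatic, but the instance profile's policy still needs to be scoped to what the CPI actually calls, and the VM itself still needs host-level hardening.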