maciej.biela

Reputation: 3

Credentials for multiple AWS accounts on EC2 instance

I am looking for a way to access AWS resources on multiple AWS accounts using AWS SDK (Java, probably irrelevant) running on an EC2 instance.

To be more precise, imagine there are two AWS accounts:

There is a Java application running on an EC2 instance for the prod account that creates, for example, an instance of AmazonEC2Client (from the AWS Java SDK). I would like to be able to create the client instance for both the test and prod accounts from there.

I am able to do this using profiles on my local machine, but I haven't figured out how to do this on an EC2 instance.

Upvotes: 0

Views: 435

Answers (1)

Lorenzo Aiello

Reputation: 474

You can do it one of two ways:

AssumeRole

Use the AWS Security Token Service to AssumeRole. The actual implementation would be up to you, but you can assign an IAM Role to the EC2 Instance, and then use the AssumeRole function in the Java SDK to switch from a production role to testing (or vice versa).

Profiles

It sounds like you've already figured out how to do this locally, but it could be replicated in EC2 (depending on the use case). That said, I would strongly advise against it and instead follow best practices and use STS:AssumeRole (above).

Realistically, it would probably be best (making some assumptions here about what you are actually trying to do) to have a separate EC2 instance for production and testing, in which case you can assign appropriate roles as needed.

Moreover, if we are talking about a larger deployment, you may want to explore Consolidated Billing which would let you isolate your production and testing environments completely by using separate AWS accounts for each (but a single billing account). To learn more about it, I would suggest taking a look at this article: https://blog.codeship.com/separate-aws-production-and-development-accounts/

Upvotes: 2
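The AssumeRole approach from the answer above, as an added example (not the answerer's code) using the v1 AWS SDK for Java that the question's AmazonEC2Client comes from. It assumes the EC2 instance has an instance profile, that a role in the test account (placeholder ARN below) has a trust policy allowing sts:AssumeRole from that instance role, and that the region is us-east-1.

```java
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.InstanceProfileCredentialsProvider;
import com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.ec2.AmazonEC2;
import com.amazonaws.services.ec2.AmazonEC2ClientBuilder;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;

public class CrossAccountEc2Clients {

    // Placeholder ARN (assumed, not from the page): a role in the test account whose
    // trust policy allows sts:AssumeRole from the prod instance's IAM role. Keep its
    // permissions to the minimum the application needs in the test account.
    private static final String TEST_ACCOUNT_ROLE_ARN =
            "arn:aws:iam::111111111111:role/TestAccountEc2ReadOnly";

    // Prod client: credentials come straight from the instance profile attached to the
    // EC2 instance, so no access keys are stored on the box.
    public static AmazonEC2 prodClient(Regions region) {
        return AmazonEC2ClientBuilder.standard()
                .withCredentials(InstanceProfileCredentialsProvider.getInstance())
                .withRegion(region)
                .build();
    }

    // Test client: call STS with the instance credentials, assume the test-account role,
    // and hand the temporary credentials to the EC2 client. The provider refreshes the
    // session credentials before they expire, so the caller never re-assumes manually.
    public static AmazonEC2 testClient(Regions region) {
        AWSSecurityTokenService sts = AWSSecurityTokenServiceClientBuilder.standard()
                .withCredentials(InstanceProfileCredentialsProvider.getInstance())
                .withRegion(region)
                .build();
        AWSCredentialsProvider testCreds =
                new STSAssumeRoleSessionCredentialsProvider.Builder(TEST_ACCOUNT_ROLE_ARN, "prod-app-to-test")
                        .withStsClient(sts)
                        .build();
        return AmazonEC2ClientBuilder.standard()
                .withCredentials(testCreds)
                .withRegion(region)
                .build();
    }

    public static void main(String[] args) {
        Regions region = Regions.US_EAST_1; // assumed region
        System.out.println("prod reservations: " + prodClient(region).describeInstances().getReservations().size());
        System.out.println("test reservations: " + testClient(region).describeInstances().getReservations().size());
    }
}
```

The session name passed to the builder shows up in the test account's CloudTrail logs, which makes cross-account activity from the prod application easy to attribute and audit.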
