Reputation: 148
I want to write a cloud-init script which initializes the REX-Ray Docker plugin (a service which uses AWS credentials in its configuration). I have considered the following methods. However, these methods have some disadvantages.
1. Hard-code the access key/secret key in the cloud-init script.
   Problem: This is not secure.
2. Create an IAM role, then refer to the access key and secret key from the instance metadata.
   Problem: The access key will expire after a certain period, so I need to restart the REX-Ray daemon process, which makes the service temporarily unavailable.
Please tell me which is the better way to refer to the access key/secret key, or another way if one exists.
Thanks in advance.
Upvotes: 1
Views: 1457
Reputation: 52375
The docker plugin should get the credentials automatically. You don't have to do anything. Do not set any environment variables for AWS credentials.
The AWS CLI / AWS SDK will get the credentials automatically from the metadata server.
Upvotes: 1
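The refresh behaviour behind the expiry concern in the question, as an added example that is not part of the original posts and is not REX-Ray or AWS SDK code: the credential document served by the metadata server carries an `Expiration` field, so a long-running process can re-fetch shortly before that time instead of being restarted. The `fetch` and `now` callables, the five-minute window and every sample value are assumptions, constructed so the code runs offline.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of the JSON document served at
# /latest/meta-data/iam/security-credentials/<role-name>; all values are fake.
def sample_document(key_id, expiration, code="Success"):
    return json.dumps({
        "Code": code, "Type": "AWS-HMAC",
        "AccessKeyId": key_id, "SecretAccessKey": "constructed-secret",
        "Token": "constructed-session-token", "Expiration": expiration,
    })

def parse_role_credentials(body):
    """Validate an instance-role credential document and parse its expiry."""
    doc = json.loads(body)
    if doc.get("Code") != "Success":
        raise ValueError("metadata service returned Code=%r" % doc.get("Code"))
    expires = datetime.strptime(doc["Expiration"], "%Y-%m-%dT%H:%M:%SZ")
    return {
        "access_key": doc["AccessKeyId"],
        "secret_key": doc["SecretAccessKey"],
        "token": doc["Token"],  # temporary keys are only valid with the token
        "expires": expires.replace(tzinfo=timezone.utc),
    }

class RefreshingCredentials:
    """Cache role credentials and re-fetch them shortly before they expire."""

    def __init__(self, fetch, now, refresh_window=timedelta(minutes=5)):
        self._fetch = fetch            # hypothetical: returns the JSON body
        self._now = now                # hypothetical: returns aware UTC time
        self._window = refresh_window  # assumed safety margin before expiry
        self._current = None
        self.fetch_count = 0

    def get(self):
        # Refresh on first use, or once inside the window before Expiration.
        stale = (self._current is None or
                 self._now() >= self._current["expires"] - self._window)
        if stale:
            self._current = parse_role_credentials(self._fetch())
            self.fetch_count += 1
        return self._current
```

In a real deployment `fetch` would be an HTTP GET against the metadata endpoint; the caller keeps calling `get()` and never stores the keys itself.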
Reputation: 4757
You can use the following methods of authentication:
Environment variables
Export both the access and secret keys in the environment as follows:
$ export AWS_ACCESS_KEY_ID="anaccesskey"
$ export AWS_SECRET_ACCESS_KEY="asecretkey"
Shared Credential file
You can use an AWS credentials file to specify your credentials. The default location is $HOME/.aws/credentials on Linux and OS X, or "%USERPROFILE%\.aws\credentials" for Windows users. If Terraform fails to detect credentials inline or in the environment, Terraform will check this location.
You can optionally specify a different location in the configuration by providing the shared_credentials_file attribute as follows:
provider "aws" {
  region                  = "us-west-2"
  shared_credentials_file = "/Users/tf_user/.aws/creds"
  profile                 = "customprofile"
}
https://www.terraform.io/docs/providers/aws/
Upvotes: 1