Reputation: 14550
When deploying a Java app on EC2 I can just use
new ProfileCredentialsProvider()
to inject some instance credentials. But which IAM user will it be? How can I manage the permissions of that user? For example, to limit its rights to some specific S3 bucket.
Upvotes: 2
Views: 657
Reputation: 26031
Mark B is 100% correct about EC2 Instance Profiles. Quick aside -- the Java ProfileCredentialsProvider refers to the credentials profile available to AWS SDKs and the AWS CLI rather than the EC2 instance profiles. From its documentation:
Credentials provider based on AWS configuration profiles. This provider vends AWSCredentials from the profile configuration file for the default profile, or for a specific, named profile.
AWS credential profiles allow you to share multiple sets of AWS security credentials between different tools like the AWS SDK for Java and the AWS CLI.
This isn't desirable for deployment to EC2 because it means you have to store your configuration profile on the EC2 instance. Per Mark B's answer, EC2 instance profiles are preferable for passing credentials to applications on EC2.
To be able to retrieve either without further code changes, simply use the DefaultAWSCredentialsProviderChain (note: renamed DefaultCredentialsProvider in AWS SDK for Java v2), which will fall through several credentials schemes until it finds a valid one on your system. Per the documentation, it looks for credentials in this order:
Java System Properties - aws.accessKeyId and aws.secretKey
Environment Variables - AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
Credential profiles file at the default location (~/.aws/credentials) shared by all AWS SDKs and the AWS CLI
Credentials delivered through the Amazon EC2 container service if the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variable is set and the security manager has permission to access the variable.
Instance profile credentials delivered through the Amazon EC2 metadata service
This will allow you to look for credential profiles in your local development environment, and EC2 Instance Profiles in your production EC2 environment.
Upvotes: 2
Reputation: 201018
It isn't an IAM user, it is an EC2 Instance Profile. First you have to create the Instance Profile in your account, just like you have to create IAM users. You would manage the rights of the EC2 instance profile exactly how you would manage the rights of an IAM user, by assigning the appropriate IAM security Policies to the Instance Profile.
Upvotes: 1
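Putting both answers together, here is an added example (not code from either answer or from the AWS SDK itself) that uses DefaultAWSCredentialsProviderChain so the same binary works with a local credentials profile and with an EC2 instance profile, then answers the "which principal am I?" question with sts:GetCallerIdentity and checks that the role policy really is scoped to one bucket. The bucket name is a placeholder, the class name is mine, and the region is assumed to come from the SDK's default region chain (EC2 metadata, or AWS_REGION / ~/.aws/config locally).

```java
import com.amazonaws.AmazonServiceException;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.s3.model.S3ObjectSummary;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
import com.amazonaws.services.securitytoken.model.GetCallerIdentityRequest;
import com.amazonaws.services.securitytoken.model.GetCallerIdentityResult;

public class WhoAmIOnEc2 {
    // Placeholder bucket name; replace with the bucket the instance role is scoped to.
    private static final String BUCKET = "example-bucket-placeholder";

    // The policy attached to the instance profile's role would look like this
    // (least privilege: only this bucket, only the actions the app needs):
    // {"Version":"2012-10-17","Statement":[
    //   {"Effect":"Allow","Action":["s3:ListBucket"],
    //    "Resource":"arn:aws:s3:::example-bucket-placeholder"},
    //   {"Effect":"Allow","Action":["s3:GetObject","s3:PutObject"],
    //    "Resource":"arn:aws:s3:::example-bucket-placeholder/*"}]}

    public static void main(String[] args) {
        // One chain for both environments: ~/.aws/credentials on a laptop,
        // instance profile credentials from the metadata service on EC2.
        AWSCredentialsProvider creds = new DefaultAWSCredentialsProviderChain();

        // 1. Which principal did the chain resolve to? On EC2 with an instance
        //    profile this is an assumed-role ARN, not an IAM user ARN.
        AWSSecurityTokenService sts = AWSSecurityTokenServiceClientBuilder.standard()
                .withCredentials(creds).build();
        GetCallerIdentityResult me = sts.getCallerIdentity(new GetCallerIdentityRequest());
        System.out.println("Account: " + me.getAccount());
        System.out.println("ARN:     " + me.getArn());

        // 2. Verify the scoping: the permitted bucket lists, any other bucket
        //    should fail with a 403 AccessDenied from the role policy.
        AmazonS3 s3 = AmazonS3ClientBuilder.standard().withCredentials(creds).build();
        try {
            for (S3ObjectSummary o : s3.listObjectsV2(BUCKET).getObjectSummaries()) {
                System.out.println(BUCKET + "/" + o.getKey());
            }
        } catch (AmazonServiceException e) {
            System.out.println("S3 call failed: " + e.getStatusCode() + " " + e.getErrorCode());
        }
    }
}
```

Run it once locally and once on the instance: the printed ARN is the quickest way to confirm the app is using the role from the instance profile rather than a credentials file copied onto the box.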