Shahar Hamuzim Rajuan

Reputation: 6129

awscli default configuration credentials on ec2 server

I have an ec2 instance with a specific role, when typing the awscli command:

[TEST@JenkinsSlave ~]$ aws configure list
      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                <not set>             None    None
access_key     ****************E25I         iam-role
secret_key     ****************Yl4d         iam-role
    region                <not set>             None    None

I can see that I have an access key and secret key which I didn't create. This is a clean Amazon Linux AMI with no configuration.

I thought it was the role keys, but there is no such thing as assigning keys to a role, and every time I create a new server I get different keys, so it looks like random keys. Does anyone know how I got those credentials?

And how can I delete them from my configuration (as you can see from Location=None, they are not stored in ~/.aws/)?

Upvotes: 1

Views: 793

Answers (1)

guest

Reputation: 901

Even if you don't have an instance role assigned, your EC2 instance does have instance-based credentials. You can see these with curl http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance.

However, when I run aws configure list, those credentials don't show up. It's possible that you're running an earlier or later version than I am (aws-cli/1.16.153) and the behavior has changed. You can compare the credentials from that curl request to see if they're the same.

You should verify that you don't, in fact, have an instance role set. Either check the console or use curl http://169.254.169.254/latest/meta-data/iam/ from the instance. If you don't have a role set you'll get a 404. If you do have a role set this command will show a file named info, and that file will contain the instance role information.


Edit: the only thing that I've tried that does produce the output you're seeing is to assign an instance profile to the instance.


In response to the comment asking about different tokens for each machine: this is how instance profiles work. Each machine gets a time-limited set of credentials that can be used to make requests, and automatically renews those credentials as needed. This is a Good Thing, as it means that those credentials cannot be taken from the machine and used to gain unauthorized access to the services.

Upvotes: 2
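As an added example (not part of the question or the answer above), the following Python script performs the checks the answer describes in one pass: it asks IMDS whether `iam/` lists `info`, reads the role name and its temporary credentials, reads the instance-identity credentials, and then compares the last four characters of each AccessKeyId with the masked value that `aws configure list` prints, so you can tell which credential set the CLI picked up. The `live_fetch` function uses the IMDSv2 session-token exchange (a PUT to `/latest/api/token`), which is an addition beyond the plain curl in the answer; the role name `JenkinsSlaveRole`, the key IDs and the expiry timestamps in the demo responses are constructed placeholders, not real credentials.

```python
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple

IMDS = "http://169.254.169.254/latest"
META = IMDS + "/meta-data/"

# Paths the answer points at, relative to /latest/meta-data/
ROLE_PATH = "iam/"
ROLE_CREDS_PATH = "iam/security-credentials/"
INSTANCE_CREDS_PATH = "identity-credentials/ec2/security-credentials/ec2-instance"

# A fetcher maps a meta-data path to (HTTP status, body text).
Fetch = Callable[[str], Tuple[int, str]]


def live_fetch(path: str, timeout: float = 1.0) -> Tuple[int, str]:
    """Query the real IMDS with an IMDSv2 session token (not used by the offline demo)."""
    token_req = urllib.request.Request(
        IMDS + "/api/token", method="PUT",
        headers={"X-aws-ec2-metadata-token-ttl-seconds": "60"})
    with urllib.request.urlopen(token_req, timeout=timeout) as resp:
        token = resp.read().decode()
    req = urllib.request.Request(META + path, headers={"X-aws-ec2-metadata-token": token})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:   # e.g. 404 on iam/ when no role is attached
        return err.code, ""


def _summarise(creds: dict) -> dict:
    """Keep only what is needed to match `aws configure list`; never copy the secret."""
    key = creds["AccessKeyId"]
    return {"access_key_id": key, "last_four": key[-4:], "expires": creds.get("Expiration")}


def describe_credentials(fetch: Fetch) -> Dict[str, Optional[dict]]:
    """Report the instance role (if any) and both credential sets IMDS can serve."""
    report: Dict[str, Optional[dict]] = {
        "instance_role": None, "role_credentials": None, "instance_identity": None}
    status, body = fetch(ROLE_PATH)
    if status == 200 and "info" in body.split():        # role attached: iam/ lists "info"
        status, names = fetch(ROLE_CREDS_PATH)
        if status == 200 and names.strip():
            role = names.split()[0]                     # one role per instance profile
            report["instance_role"] = role
            status, creds_json = fetch(ROLE_CREDS_PATH + role)
            if status == 200:
                report["role_credentials"] = _summarise(json.loads(creds_json))
    status, creds_json = fetch(INSTANCE_CREDS_PATH)     # served whether or not a role exists
    if status == 200:
        report["instance_identity"] = _summarise(json.loads(creds_json))
    return report


def source_of_cli_key(report: dict, masked_key: str) -> Optional[str]:
    """Name the IMDS credential set whose AccessKeyId ends like the CLI's masked key."""
    suffix = masked_key[-4:]
    for name in ("role_credentials", "instance_identity"):
        entry = report.get(name)
        if entry and entry["last_four"] == suffix:
            return name
    return None


# --- constructed IMDS responses for the offline demonstration (placeholder keys) ---
ROLE_CREDS = json.dumps({
    "Code": "Success", "Type": "AWS-HMAC", "AccessKeyId": "ASIACONSTRUCTEDXE25I",
    "SecretAccessKey": "constructed-secret", "Token": "constructed-session-token",
    "Expiration": "2019-06-01T12:00:00Z"})
INSTANCE_CREDS = json.dumps({
    "Code": "Success", "Type": "AWS-HMAC", "AccessKeyId": "ASIACONSTRUCTEDXAB12",
    "SecretAccessKey": "constructed-secret", "Token": "constructed-session-token",
    "Expiration": "2019-06-01T12:00:00Z"})
WITH_ROLE = {ROLE_PATH: (200, "info\nsecurity-credentials/"),
             ROLE_CREDS_PATH: (200, "JenkinsSlaveRole"),          # hypothetical role name
             ROLE_CREDS_PATH + "JenkinsSlaveRole": (200, ROLE_CREDS),
             INSTANCE_CREDS_PATH: (200, INSTANCE_CREDS)}
WITHOUT_ROLE = {ROLE_PATH: (404, ""), INSTANCE_CREDS_PATH: (200, INSTANCE_CREDS)}


def fake_fetch(responses: dict) -> Fetch:
    """Stand-in for live_fetch that answers from a constructed response table."""
    return lambda path: responses.get(path, (404, ""))


if __name__ == "__main__":
    for label, table in (("role attached", WITH_ROLE), ("no role", WITHOUT_ROLE)):
        report = describe_credentials(fake_fetch(table))
        print(label, report, source_of_cli_key(report, "****************E25I"))
```

On a real instance, pass `live_fetch` to `describe_credentials` instead of `fake_fetch(...)`. If `source_of_cli_key` returns `role_credentials`, the keys shown by `aws configure list` are the instance profile's temporary credentials, which matches the `iam-role` type in the question's output and explains why they change from instance to instance and are stored nowhere under `~/.aws/`; removing them means detaching the instance profile, not editing a config file.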
