Should use instance role permissions instead of access keys
preflightsiren opened this issue · 6 comments
It'd be great if we didn't need to provide access keys in the config, and instead utilise Amazon's EC2 instance profile - http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
+1
+1
I see what you mean, but at the moment I'm running this script on 1 server outside AWS for many different customers; each customer has its own config. Also the development of the script has been put on hold for a while because we made a newer version with a GUI and also multiple schedules, retentions and authorizations. This is a product of Oblivion Cloud Control (http://oblcc.com)
But I will make some small updates to this script in the near future.
I agree - this would be a really good feature to have for security.
Has anyone tried using assume-role and snapshotting multiple AWS accounts using this method? I noticed the config.py mentions, "(alternatively can be set up as environment variables)", but how do I set it up as environment variables? I tried assume-role, parsing out the information then assigning to $aws_access_key and $aws_secret_key, but it ran the snapshot in the AWS environment where the aws-snapshot-tool is installed.
I have the trust set up between the two AWS accounts. I want to run across multiple AWS accounts so I don't have to run a single instance in each AWS account just for backups, and it wouldn't be helpful to set up the aws-snapshot-tool on a different server in each environment.
For me, the solution was to change the config to
'aws_access_key': False,
'aws_secret_key': False,
and upgrade Boto to at least version 2.5.1 (pip install -U boto==2.5.1).
What will happen is that Boto will automatically find your IAM instance profile and use it for authentication. No credentials needed!
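
As an added illustration, not part of the thread or the tool's own code: a simplified Python model of the credential lookup the last comment relies on, extended to the assume-role case raised earlier in the thread. It assumes the tool hands the config values to boto as explicit arguments; the environment variable names are the ones boto 2 reads, the function names are hypothetical, and the STS output is a constructed sample.

```python
import json

# Environment variable names that boto 2 reads. Shell variables with other
# names (for example $aws_access_key) are not consulted by boto.
BOTO_ENV = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SECURITY_TOKEN")

def env_from_assume_role(sts_output):
    """Map the JSON printed by `aws sts assume-role` to boto 2 env vars."""
    creds = json.loads(sts_output)["Credentials"]
    env = dict(zip(BOTO_ENV, (creds.get("AccessKeyId"),
                              creds.get("SecretAccessKey"),
                              creds.get("SessionToken"))))
    if not all(env.values()):
        raise ValueError("temporary credentials need key id, secret and token")
    return env

def credential_source(config, environ):
    """Simplified lookup order: explicit config, environment, instance
    profile (boto's own config files, checked before the last step, are omitted)."""
    if config.get("aws_access_key") and config.get("aws_secret_key"):
        return "config"
    if environ.get(BOTO_ENV[0]) and environ.get(BOTO_ENV[1]):
        return "environment"
    return "instance-profile"

def is_long_lived(access_key_id):
    """IAM user keys start with AKIA; STS-issued temporary keys with ASIA."""
    return access_key_id.startswith("AKIA")

# Constructed sample, not real credentials.
SAMPLE_STS = json.dumps({"Credentials": {
    "AccessKeyId": "ASIAEXAMPLEEXAMPLE00",
    "SecretAccessKey": "constructed-secret",
    "SessionToken": "constructed-token",
    "Expiration": "2030-01-01T00:00:00Z"}})

# Config values as given in the comment above.
CONFIG = {"aws_access_key": False, "aws_secret_key": False}

if __name__ == "__main__":
    print(credential_source(CONFIG, {}))  # nothing set: instance profile
    misnamed = {"aws_access_key": "x", "aws_secret_key": "y"}
    print(credential_source(CONFIG, misnamed))  # names boto does not read
    env = env_from_assume_role(SAMPLE_STS)
    print(credential_source(CONFIG, env), is_long_lived(env[BOTO_ENV[0]]))
```

A pre-run check built on `is_long_lived` can refuse to start when the config still carries an AKIA key, which keeps long-lived secrets out of the file once the role is in place.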