如何使用 cloudinit(安全地)将私有 S3 资产下载到新的 EC2 实例上? [英] How can I (securely) download a private S3 asset onto a new EC2 instance with cloudinit?
问题描述
我正在使用 CloudFormation 来管理 Tomcat 网络服务器堆栈,但我厌倦了为新应用程序版本进行原始 AMI 管理.我想向厨师的方向发展,但现在没有时间.相反,我试图解决网络服务器实例化中的一个简单问题:当新机器启动时,我如何下载当前"WAR?
I'm using CloudFormation to manage a Tomcat webserver stack but am tired of doing raw AMI management for new application versions. I'd like to move in the direction of Chef but don't have the time right now. Instead, I'm trying to conquer a simple problem in webserver instantiation: How can I download a "current" WAR when new machines spin-up?
我的想法是使用私有 S3 存储桶和 cloudinit,但我对如何处理 IAM 凭证感到有些困惑.我可以将它们放在模板的用户数据中,但我不愿意这样做,特别是因为我要控制该文件的版本.我能想到的唯一替代方法是在 AMI 本身中使用环境变量.它们必须是纯文本的,但是......呃,如果你能闯入我的实例,你可以压缩并下载我的整个网络服务器.只要 IAM 用户不被重用于其他任何事情并且定期轮换,这似乎是解决问题的合理方法.我错过了什么吗?如何使用 cloudinit 安全下载私有 S3 资产?
My thought was to utilize a private S3 bucket and cloudinit, but I'm a little stumped by what to do with IAM credentials. I could put them in the template's user data, but I'm loathe to do so, particularly because I'm version controlling that file. The only alternative I can think of is to use environment variables in the AMI itself. They'd have to be plaintext, but... eh, if you can break into my instance, you could zip up and download my entire webserver. As long as the IAM user isn't reused for anything else and is rotated regularly, it seems like a reasonable way to solve the problem. Am I missing anything? How can I securely download a private S3 asset using cloudinit?
推荐答案
Amazon 最近宣布了一项新功能,您可以在其中为 EC2 实例提供IAM 角色".这使得允许特定实例具有读取特定 S3 资源的权限变得相当容易.
Amazon recently announced a new feature where you can give "IAM roles" to your EC2 instances. This makes it fairly easy to allow specific instances to have permission to read specific S3 resources.
这是他们宣布新功能的博客文章:
Here's their blog post announcing the new feature:
这是 EC2 文档中的部分:
Here's the section in the EC2 documentation:
以下是 IAM 文档中的部分:
Here's the section in the IAM documentation:
http://docs.amazonwebservices.com/IAM/latest/UserGuide/WorkingWithRoles.html
IAM 角色通过 HTTP 向实例提供凭证,因此在实例上运行的任何用户或进程都可以看到它们.
IAM roles make the credentials available to the instance through HTTP, so any users or processes running on the instance can see them.
这篇关于如何使用 cloudinit(安全地)将私有 S3 资产下载到新的 EC2 实例上?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
