I assume you already know what an EC2 instance profile is. Basically, the instance profile defines the permissions that an EC2 instance has: it is associated with an IAM role which has a bunch of IAM policies attached, and the AWS credentials exposed in the EC2 metadata are automatically rotated through the instance profile.
In a hybrid environment (e.g. on-prem + AWS cloud), it is not uncommon to run some AWS related tasks from on-prem servers (e.g. deploying a CloudFormation stack from an on-prem Bamboo server). How do you normally manage the AWS credentials on those on-prem servers? The common practice that I have seen is to use either an IAM user's credentials or a service account that assumes an IAM role (federated access). But neither looks ideal to me, as there is still overhead in managing the IAM user or the service account (e.g. rotating the password). I was wondering if it is possible to set up something like an instance profile for the on-prem servers.
Set up a CodeBuild project in AWS which does two things: assume a least-privilege role, then pass the credentials to the on-prem server via Ansible on a schedule, e.g. by updating the content of the file ~/.aws/credentials. The temporary credentials returned by assuming the role have this shape:

{
  "AccessKeyId": "an AWS access key",
  "SecretAccessKey": "your AWS secret access key",
  "SessionToken": "the AWS session token for temporary credentials",
  "Expiration": "ISO8601 timestamp when the credentials expire"
}
Set up a dynamic AWS profile on the on-prem server, e.g. in ~/.aws/credentials, so that the tasks pick up whatever credentials were pushed most recently.
And the solution worked great! We migrated the 2T of data without any issues. The use case of the pattern can be much wider, e.g. rotating the credentials for on-prem Bamboo agents.
The above "Instance Profile" for on-prem servers solution is still not easy enough, e.g. port 22 has to be open between on-prem and the VPC to allow Ansible to SSH into the on-prem box.
Let's name the above version 1. I recently worked out version 2, which is easier and more powerful, using Lambda, SSM managed instances and SSM Run Command. The idea is still the same, but the implementation is better: use Lambda to assume the role, then pass the credentials to the SSM managed instance (instance IDs prefixed mi-*; see Setting up AWS Systems Manager for hybrid environments) via SSM Run Command. Obviously, the benefits are less management overhead (no inbound SSH from the VPC), and it can apply to multiple instances based on tagging.
Here is the sample Lambda function.
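The author's Lambda is not reproduced on this page, so here is an added example (my own code, not the original gist) of the version 2 flow: assume the least-privilege role with STS, render a ~/.aws/credentials profile, and push it to the tagged managed instances with an AWS-RunShellScript Run Command. The role ARN, tag key/value, target path, owner and profile name are assumed placeholders; the only AWS calls used are sts:AssumeRole and ssm:SendCommand.

```python
import os

# Assumed configuration (environment variables on the Lambda); all values are placeholders.
ROLE_ARN = os.environ.get("ROLE_ARN", "arn:aws:iam::123456789012:role/OnPremTaskRole")
TARGET_TAG = os.environ.get("TARGET_TAG", "OnPremRole")            # tag key on the mi-* instances
TARGET_TAG_VALUE = os.environ.get("TARGET_TAG_VALUE", "bamboo-agent")
CRED_PATH = os.environ.get("CRED_PATH", "/home/bamboo/.aws/credentials")  # absolute: agent runs as root
CRED_OWNER = os.environ.get("CRED_OWNER", "bamboo")                # user that runs the AWS tasks
PROFILE = os.environ.get("PROFILE", "onprem")


def render_profile(creds, profile=PROFILE):
    """Render one [profile] section of ~/.aws/credentials from an STS Credentials dict."""
    return (
        f"[{profile}]\n"
        f"aws_access_key_id = {creds['AccessKeyId']}\n"
        f"aws_secret_access_key = {creds['SecretAccessKey']}\n"
        f"aws_session_token = {creds['SessionToken']}\n"
        f"# expires {creds['Expiration']}\n"
    )


def build_shell_commands(profile_text, path=CRED_PATH, owner=CRED_OWNER):
    """Lines for the AWS-RunShellScript 'commands' parameter: write with owner-only permissions
    via a quoted heredoc (no shell expansion of the secret), then move into place atomically."""
    if "EOF_CREDS" in profile_text:
        raise ValueError("heredoc delimiter collides with credential text")
    return [
        "set -e",
        f'umask 077 && mkdir -p "$(dirname {path})" && chown {owner} "$(dirname {path})"',
        f"cat > {path}.tmp <<'EOF_CREDS'",
        profile_text.rstrip("\n"),
        "EOF_CREDS",
        f"chown {owner} {path}.tmp && mv -f {path}.tmp {path}",
    ]


def handler(event, context):
    import boto3  # present in the Lambda runtime; imported here so the helpers above run offline
    creds = boto3.client("sts").assume_role(
        RoleArn=ROLE_ARN, RoleSessionName="onprem-credential-rotation", DurationSeconds=3600
    )["Credentials"]
    # Caveat: Run Command parameters are visible in the SSM command history, so keep the
    # session short and restrict who may read command invocations in this account.
    resp = boto3.client("ssm").send_command(
        Targets=[{"Key": f"tag:{TARGET_TAG}", "Values": [TARGET_TAG_VALUE]}],
        DocumentName="AWS-RunShellScript",
        Parameters={"commands": build_shell_commands(render_profile(creds))},
        TimeoutSeconds=120,
    )
    return {"CommandId": resp["Command"]["CommandId"]}
```

Schedule the function with an EventBridge rule at an interval shorter than the session duration so the profile on the on-prem box never expires between runs.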