How to download an EC2 X.509 certificate with an IAM User account?

北战南征 提交于 2019-11-30 04:13:57

问题


Through the AWS Identity and Access Management, I have a user account to the AWS account of my CTO (who is credited with some money).

I wanted to use this IAM user account to set up my own instances to ssh to it and run some BeautifulSoup python scripts.

However, following this tutorial, when arriving to the part where I need to go on the Security Credentials page, I can't access this page and I'm told I do not have the authorization to view it.

I checked my permissions with the IAM Manager, and I have administration rights, the highest possible clearance (so it seems to me).

What can I do to get this X.509 certificate ?


回答1:


Preface

First and foremost, you might want to reconsider whether you actually need these X.509 certificates - the tutorial is correct in principle:

There are three types: access keys, X.509 certificates and key pairs. The first and second type allow you to connect to the Amazon APIs. Which type of credential depends on which API and tool you are using. Some APIs and tools support both options, whereas others support just one.

However, nowadays most modern APIs and tools are interacting with AWS by means of access keys only rather than X.509 certificates.

Unfortunately this is not the case for the EC2 API Tools the tutorial is based on though, which indeed require the use X.509 certificates due to being (mostly) based on the older EC2 SOAP API still.

Update: The EC2 API Tools meanwhile support AWS access keys as well and deprecated using X.509 certificates accordingly:

Although we don’t encourage it, for a limited time you can still use EC2_PRIVATE_KEY and EC2_CERT instead of AWS_ACCESS_KEY and AWS_SECRET_KEY. For more information, see Deprecated Options in Common Options for API Tools in the Amazon Elastic Compute Cloud CLI Reference. If you specify both sets of credentials, the command line tools use the access key ID and secret access key.

Alternative

You might want to check out an alternative first though: If you are comfortable in Python, I'd highly recommend the excellent boto (An integrated interface to current and future infrastructural services offered by Amazon Web Services), which works just fine with access keys, offers almost the same feature set as the EC2 API tools (plus most other AWS APIs) and performs significantly faster due to targeting the newer AWS REST APIs only.

Solution

AWS Identity and Access Management (IAM) does not support accessing the actual AWS account, it only covers the AWS Management Console, and most AWS APIs of course. You'll need to sign in with the AWS account's login and password (i.e. those of the account owner) to access the Security Credentials page.

This is not recommended anymore though (see section Security Credentials within IAM Concepts):

[...] when you create an AWS account, AWS gives the AWS account its own Secret Access Key and Access Key ID by default. The AWS account can make API calls to AWS with them. We expect that you won't use those credentials on a regular basis, but will use them only to initially set up an administrators group for your organization. We recommend that all further API interaction between your AWS account and your AWS resources be at the user level (for example, using users' security credentials). [emphasis mine]

However, you can still achieve your goal by using your own certificate as outlined further down in section X.509 Certificates:

Although you can use IAM to create an access key, you can't use IAM to create a signing certificate. However, you can use free third-party tools such as OpenSSL to create the certificate. [...] After you have the signing certificate, you must upload it to IAM; [...]

How to actually do the latter is illustrated in Uploading a Signing Certificate.



来源:https://stackoverflow.com/questions/8995304/how-to-download-an-ec2-x-509-certificate-with-an-iam-user-account

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!