问题
I am exploring IAM Roles. I am wondering how roles can be accessed on behalf of a user on EC2.
Any help is highly appreciated.
Thanks
回答1:
You usually do not have to do anything special after launching an EC2 instance with an IAM Role for Amazon EC2 (I figure from your duplicate questions, that you've already done this), conceptually all you have to do are the following steps:
- create an IAM role for EC2
- configure IAM policies for that role to match your use case
- launch an EC2 isntance with your IAM role
- use IAM role aware tools, which will pick up the credentials from the role automatically
Let me stress the last aspect again: you do not need to do anything but configure the required IAM credentials on the role and IAM role aware tools will pick the resulting credentials up automatically from the EC2 instance metadata!
- If you really must (but you shouldn't, see next paragraph), you could do the same yourself as explained in Retrieving Security Credentials from Instance Metadata.
In particular, you should use AWS only by one of the following means for everything but highly special use cases:
Command Line Usage
- Unix/Linux/Windows - use the AWS Command Line Interface, which is a unified tool to manage your AWS services.
- see Option #3 within AWS Credentials regarding the IAM role support
- Windows only - use the AWS Tools for Windows PowerShell , which lets developers and administrators manage their AWS services from the Windows PowerShell scripting environment.
- see section IAM Roles for EC2 Instances and the AWS Tools for Windows PowerShell within AWS Credentials regarding the IAM role support
Programmatic Usage
Use the appropriate AWS SDK for your language of choice, see Tools for Amazon Web Services for an extensive listing of what's available.
- see each SDK's documentation for details regarding the IAM role support (again, it will just work once you have implemented steps 1-3 above correctly).
来源:https://stackoverflow.com/questions/21753372/how-can-i-create-iam-roles-for-amazon-ec2