Support for IAM Roles with Amazon EC2 Instances #50

Closed
ajkerr opened this Issue Jan 31, 2013 · 7 comments

5 participants

@ajkerr

Please add built-in support for IAM Roles for EC2 instances. All of the other current Amazon SDKs (Java, PHP, Ruby, etc) support this, and it would be great to have.

Thanks!

@trevorrowe
Amazon Web Services member

This is definitely on our todo list. I can't comment on when this will get done exactly, but it is a priority.

@ndemoor

+1

If only for the security best practice of not having keys flowing around.

@cjhanks

Is there reason to not support the AWS_CONFIG_FILE export as well?

@lsegal

AWS_CONFIG_FILE is a different thing from using instance metadata, because it won't stop you from hardcoding the credentials on the machine. That said, you can always use AWS.config.loadFromPath(process.env.AWS_CONFIG_FILE) if you want this behaviour. Is AWS_CONFIG_FILE used in any other Amazon tools? If it is, it's likely that it's not in the same format as we would expect in the Node.js SDK, so supporting this out of the box might not work.

@cjhanks

It appears my terminology is wrong. I understood the features as related since there must be some hierarchy of checking for credentials, correct? I.e.: checking for IAM role, then bash export, then config file... etc. Currently I have found the aws-sdk-js to obey /only/ exports of ACCESS_KEY_ID and SECRET_ACCESS_KEY. If IAM roles were to be implemented, would it be in a different section of the code? (config.js:384)

Note:
This is of consequence only because there is, afaik, no standard export for region defined; however, it is implementable via the CONFIG_FILE. It does not appear the Ruby SDK supports this feature either, so the request may not be valid.

@lsegal

> If IAM roles were to be implemented, would it be in a different section of the code?

No, it would be the next check in the chain after env vars. I actually just pushed the EC2 instance metadata branch, see #78. We don't check disk in the chain though, because as you pointed out, we don't use AWS_CONFIG_FILE as a standard mechanism for loading credentials. It seems that this variable is new to the AWS CLI tool, so we could add support for this, but note that it's not in a JSON format, so that might be something Node developers might not be used to.

> This is of consequence only because there is, afaik, no standard export for region defined,

We have AWS_REGION for a standard region, actually. You can use that.

@lsegal lsegal closed this in 33db812 Mar 18, 2013
@lsegal

Roles on EC2 instances should now be transparently supported. Those interested in testing this out can pull down the master branch and give it a spin!

Note that we currently do not handle invalidation of expired credentials; we will be adding this before the next release, and we are tracking that specific feature as #80.
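The provider order lsegal describes above (environment variables first, then EC2 instance metadata, nothing read from disk) together with the expiry handling tracked as #80, as an added example that is not part of this thread and is not aws-sdk-js code. Every name in it (Credentials, CredentialChain, fromEnv, fromInstanceMetadata, fakeMetadataService, demo) is illustrative; the HTTP GET against the instance metadata service is replaced by an injected function so the block runs offline, and the role name and credential document that function returns are constructed sample data.

```javascript
'use strict';

// Added example, not aws-sdk-js code. A minimal credential provider chain
// in the order the thread describes (env vars, then EC2 instance metadata),
// plus expiry handling for the temporary role credentials.

// Path the instance metadata service serves role credentials under; on a
// real instance this is fetched from http://169.254.169.254.
const METADATA_PATH = '/latest/meta-data/iam/security-credentials/';

class Credentials {
  constructor(accessKeyId, secretAccessKey, sessionToken, expiration) {
    this.accessKeyId = accessKeyId;
    this.secretAccessKey = secretAccessKey;
    this.sessionToken = sessionToken || null; // only present for role credentials
    this.expiration = expiration || null;     // Date, or null for long-lived keys
  }

  // Treat credentials as expired skewMs early, so a request signed just before
  // the deadline does not reach AWS with credentials that are already invalid.
  isExpired(now = Date.now(), skewMs = 60 * 1000) {
    if (!this.expiration) return false;
    return now + skewMs >= this.expiration.getTime();
  }
}

// Provider 1: environment variables (the mechanism the SDK already honoured).
function fromEnv(env) {
  if (!env.AWS_ACCESS_KEY_ID || !env.AWS_SECRET_ACCESS_KEY) return null;
  return new Credentials(env.AWS_ACCESS_KEY_ID, env.AWS_SECRET_ACCESS_KEY,
    env.AWS_SESSION_TOKEN, null);
}

// Provider 2: EC2 instance metadata. `get(path)` stands in for the HTTP GET
// and is injected so this runs offline. Two requests are needed: the role
// name, then that role's credential document.
function fromInstanceMetadata(get) {
  let roleName;
  try {
    roleName = get(METADATA_PATH).trim().split('\n')[0];
  } catch (err) {
    return null; // not on EC2, or no instance profile attached: fall through
  }
  if (!roleName) return null;
  const doc = JSON.parse(get(METADATA_PATH + roleName));
  if (doc.Code !== 'Success') {
    throw new Error('instance metadata returned Code=' + doc.Code);
  }
  return new Credentials(doc.AccessKeyId, doc.SecretAccessKey, doc.Token,
    new Date(doc.Expiration));
}

// The chain: the first provider that yields credentials wins. The result is
// cached until it expires, then the chain is walked again.
class CredentialChain {
  constructor(providers) {
    this.providers = providers;
    this.cached = null;
  }

  resolve(now = Date.now()) {
    if (this.cached && !this.cached.isExpired(now)) return this.cached;
    this.cached = null;
    for (const provider of this.providers) {
      const creds = provider();
      if (creds) {
        this.cached = creds;
        return creds;
      }
    }
    throw new Error('no credentials found: export AWS_ACCESS_KEY_ID and ' +
      'AWS_SECRET_ACCESS_KEY, or run on an instance with an IAM role');
  }
}

// Constructed stand-in for the metadata service: each fetch of the role's
// document issues a fresh key valid for one hour from `clock()`.
function fakeMetadataService(clock) {
  let issued = 0;
  return (path) => {
    if (path === METADATA_PATH) return 'example-role\n';
    if (path === METADATA_PATH + 'example-role') {
      issued += 1;
      return JSON.stringify({
        Code: 'Success',
        AccessKeyId: 'ASIAEXAMPLE' + issued,       // sample value, not a real key
        SecretAccessKey: 'example-secret-' + issued,
        Token: 'example-session-token-' + issued,
        Expiration: new Date(clock() + 3600 * 1000).toISOString(),
      });
    }
    throw new Error('404 ' + path);
  };
}

// Walk-through: no env vars exported, so the role credentials are used; they
// stay cached while valid and are re-fetched once they expire.
function demo() {
  let now = Date.UTC(2013, 2, 18, 12, 0, 0); // 2013-03-18T12:00:00Z
  const get = fakeMetadataService(() => now);
  const chain = new CredentialChain([
    () => fromEnv({}),                 // nothing exported
    () => fromInstanceMetadata(get),
  ]);
  const first = chain.resolve(now);
  now += 30 * 60 * 1000;               // 30 minutes later: still valid
  const stillCached = chain.resolve(now);
  now += 90 * 60 * 1000;               // 2 hours after issue: expired, re-fetched
  const afterExpiry = chain.resolve(now);
  return { first, stillCached, afterExpiry };
}

const result = demo();
console.log(result.first.accessKeyId, result.stillCached === result.first,
  result.afterExpiry.accessKeyId);
```

Run it with `node` and it prints the first key, `true` for the cache hit, and the rotated key after expiry. The one-minute skew in `isExpired` is a design choice: instance metadata credentials carry a hard `Expiration`, and refreshing slightly early avoids the failure mode the thread flags in #80, a request signed with credentials that expire while it is in flight.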
