#aws
2021-08-14
jjttjj 18:08:41

I can use instance profiles so that, for example, the aws-api library won't need to be passed credentials because it uses this chain to check for credentials: https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html Does anyone know if there's a way to use the aws CLI tools like this, avoiding explicitly passing credentials to the instance?

viesti 18:08:14

I thought that the aws cli would automatically pick up the EC2 metadata server, if present, but it seems there's a credential_source = Ec2InstanceMetadata option:

[profile profilename]
role_arn = arn:aws:iam::123456789012:role/rolename
credential_source = Ec2InstanceMetadata
region = region

jjttjj 18:08:45

Thanks! Somehow couldn't find that

lukasz 14:08:21

That's required only if you're using assume-role via the CLI - an EC2 instance can also assume a role automatically and expose credentials via the metadata endpoint without a ~/.aws/config file

👍 3
dabrazhe 10:08:40

The right practice would be to use the instance profile and add the policies that allow access to the resources your cli command needs. There should not be a need to use the --profile option, if done right.

👍 3