amazon web services - AWS IAM Instance Profile to Administer EC2 Instances With that Profile
I have an IAM user that launches a CloudFormation stack containing: an EC2 instance, an IAM instance profile associated with it, and an IAM role.

In the AWS::CloudFormation::Init block, the EC2 instance performs actions that require calling ec2:* API actions. However, the instance should be able to call these actions on the instance itself.
The user that launches the stack has permission to attach a set of predefined policies, and to create roles. This is:

    "CloudFormationStackLauncher": {
      "Type": "AWS::IAM::ManagedPolicy",
      "Properties": {
        "Description": "Allows the attached entity to attach and detach the required policies to roles it creates.",
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "iam:AttachRolePolicy",
                "iam:DetachRolePolicy"
              ],
              "Resource": "*",
              "Condition": {
                "ArnEquals": {
                  "iam:PolicyARN": [
                    "arn:aws:iam:::policy/InstanceThatCanManageItself"
                  ]
                }
              }
            },
            {
              "Effect": "Allow",
              "Action": [
                "iam:CreateRole"
              ],
              "Resource": "*"
            }
          ]
        }
      }
    }

So I need a definition for the policy InstanceThatCanManageItself (which needs to be defined ahead of time by a user with full admin permissions). Ideally, something like:
    {
        "Effect": "Allow",
        "Action": [
            "ec2:*"
        ],
        "Resource": [
            "${ec2:SourceInstanceARN}"
        ]
    }

but it says the policy isn't valid because the policy variable ec2:SourceInstanceARN isn't in the format of a valid ARN. I've tried using tags on the EC2 instance and adding conditions to the policy, but that doesn't seem to work when the condition is dynamic, like this:
    {
        "Effect": "Allow",
        "Action": [
            "ec2:*"
        ],
        "Resource": [
            "*"
        ],
        "Condition": {
            "StringLike": {
                "ec2:ResourceTag/Role": "${aws:userid}"
            }
        }
    }

In the above, I'm dynamically adding a tag to the launched EC2 instance in the format "RoleId:InstanceId", the value defined by ${aws:userid}, based on the description here: http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html. This approach validates, but doesn't work... either because it's dynamic... or because the action types don't support the ResourceTag context key, maybe...
Is there a way to accomplish this?

Thanks.
Resource tag-based authorization only works for some operations. See, for example: EC2 supported IAM actions. For example, Describe operations are not supported and have to be permissioned via a separate policy statement.

As an example of operations that support resource tags, attaching/detaching volumes (see the same link above for supported operations and requirements), the following policy will work:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:AttachVolume",
                    "ec2:DetachVolume"
                ],
                "Resource": "*",
                "Condition": {
                    "StringLike": {
                        "ec2:ResourceTag/PolicyUser": "${aws:userid}"
                    }
                }
            }
        ]
    }

provided both the volume and the EC2 instance are tagged with the tag 'PolicyUser' and a value equal to role-id:ec2-instance-id (see the IAM user guide reference on policy variables), where role-id is the unique identifier of the role, obtained via e.g.

    aws iam get-role --role-name RoleName
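To see why the answer's policy works for AttachVolume/DetachVolume but not for a Describe call, here is an added example (not code from the question or answer) that models only the pieces involved: ${aws:userid} substitution, the StringLike condition on ec2:ResourceTag/PolicyUser, and the rule that every resource touched by the call must match. The role id, instance ids and tag values are constructed placeholders.

```python
import fnmatch
import json

# Constructed example: a minimal evaluator for the tag-scoped statement from the
# answer. Only Effect/Action/Resource and StringLike on ec2:ResourceTag/<key> are
# modelled; this is not IAM's real evaluation engine.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["ec2:AttachVolume", "ec2:DetachVolume"],
    "Resource": "*",
    "Condition": {"StringLike": {"ec2:ResourceTag/PolicyUser": "${aws:userid}"}}
  }]
}
""")


def substitute(value, context):
    """Replace ${key} policy variables with values from the request context."""
    for key, val in context.items():
        value = value.replace("${" + key + "}", val)
    return value


def action_matches(patterns, action):
    # IAM action names are matched case-insensitively; '*' wildcards are allowed.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def statement_allows(stmt, action, context, resource_tags):
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if stmt["Effect"] != "Allow" or not action_matches(actions, action):
        return False
    for cond_key, expected in stmt.get("Condition", {}).get("StringLike", {}).items():
        tag_key = cond_key.split("/", 1)[1]  # "ec2:ResourceTag/PolicyUser" -> "PolicyUser"
        actual = resource_tags.get(tag_key)  # a missing tag never satisfies the condition
        if actual is None or not fnmatch.fnmatchcase(actual, substitute(expected, context)):
            return False
    return True


def is_allowed(policy, action, context, resources):
    """Allow only if every resource the call touches matches some Allow statement."""
    return all(any(statement_allows(s, action, context, tags) for s in policy["Statement"])
               for tags in resources)


if __name__ == "__main__":
    # For an instance-profile session, aws:userid is "role-id:instance-id" (constructed values).
    ctx = {"aws:userid": "AROAEXAMPLEROLEID:i-0123456789abcdef0"}
    own = {"PolicyUser": "AROAEXAMPLEROLEID:i-0123456789abcdef0"}
    other = {"PolicyUser": "AROAEXAMPLEROLEID:i-0fedcba9876543210"}
    print(is_allowed(POLICY, "ec2:AttachVolume", ctx, [own, own]))      # True: volume and instance tagged for this session
    print(is_allowed(POLICY, "ec2:AttachVolume", ctx, [own, other]))    # False: volume tagged for another instance
    print(is_allowed(POLICY, "ec2:DescribeInstances", ctx, [own]))      # False: needs its own statement
```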