If you enjoyed Managing Your AWS Credentials (Parts 1 and 2), I recommend that you check out Shlomo Swidler's latest blog post. It builds on the foundational information in Parts 1 and 2 but then covers a lot of new ground and proposes some very workable approaches to managing credentials on EC2 instances. Very useful.
Yeah, I know I could have just tweeted this but sometimes it feels good to type more than 140 characters.
Thanks for your articles Mitch, they were the inspiration for my post. I plan to follow up with tools to help implement some of the ideas, and hopefully a "proxy EC2" service that allows you to distribute credentials that you create yourself, manage permissions, revoke authorizations, etc. That is, as soon as I can get JiBX or some other WSDL-parsing code generator to generate both a client and a server proxy "siamese-twinned" together in the same service...
I like the idea of the proxy service. It seems like it should be possible to implement a proxy in a fairly generic way but it would, of course, have to understand the basic structure of requests and how to re-sign them with the real AWS credentials to send on to the AWS service.
My approach to this situation was to make single-use URLs that could mask secure S3 URLs. The "transient" URL would be passed into the instance as user-data, and then wget/curl would blindly retrieve the file from S3 without ever exposing the S3 URL. After the transient URL was accessed it would disappear forever.
There are issues with this of course, but it seems to suit my needs.
http://turl.mumrah.net/
http://github.com/mumrah/TransientURL/tree/master
-David
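The single-use alias David describes, written here as an added example (it is not code from the TransientURL project): an in-memory store that hands out an unguessable token, returns the real S3 URL exactly once, and expires unused tokens. The class name, TTL and the injectable clock are assumptions for illustration.

```python
import secrets
import threading
import time


class TransientUrlStore:
    """Single-use, expiring aliases for a secret target URL (e.g. a signed S3 URL).

    Hypothetical in-memory store constructed for this example. The target URL
    never leaves the server: the instance only ever sees the opaque alias token,
    so user-data can carry the alias without exposing the S3 URL itself.
    """

    def __init__(self, ttl_seconds=300, clock=time.monotonic):
        self._ttl = ttl_seconds
        self._clock = clock          # injectable so expiry can be tested deterministically
        self._lock = threading.Lock()
        self._entries = {}           # token -> (target_url, expires_at)

    def create(self, target_url):
        # 256 bits of randomness: the alias is unguessable, so possession is the credential
        token = secrets.token_urlsafe(32)
        with self._lock:
            self._entries[token] = (target_url, self._clock() + self._ttl)
        return token

    def redeem(self, token):
        """Return the target once, then forget it. Unknown, used or expired -> None."""
        with self._lock:
            # pop() makes consume-and-delete atomic: two concurrent fetches cannot both succeed
            entry = self._entries.pop(token, None)
        if entry is None:
            return None
        target, expires_at = entry
        if self._clock() > expires_at:
            return None              # expired; already removed, so it cannot be retried
        return target

    def purge_expired(self):
        """Drop aliases that were never fetched; returns how many were removed."""
        now = self._clock()
        with self._lock:
            stale = [t for t, (_, exp) in self._entries.items() if now > exp]
            for t in stale:
                del self._entries[t]
        return len(stale)


if __name__ == "__main__":
    store = TransientUrlStore(ttl_seconds=60)
    alias = store.create("https://bucket.s3.amazonaws.com/bootstrap.tgz?Signature=CONSTRUCTED")
    print("first fetch :", store.redeem(alias))   # real URL, once
    print("second fetch:", store.redeem(alias))   # None: alias is gone
```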