Project

General

Profile

Actions

Feature #16191

closed

EC2 IAM Role should be a VM setting rather than image setting

Added by Tommy McNeely over 8 years ago. Updated over 3 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
Compute resources - EC2
Target version:
-
Difficulty:
Triaged:
No
Fixed in Releases:
Found in Releases:

Description

Setting the IAM role as an attribute of the "image" means that you can only have "one" role. If you want to separate your "staging" from your "production" roles (for example), you have to use a different AMI because you cannot have two images with the same AMI. Also, you cannot "set" the value at host creation time. You can only chose an OS image, which has it attached, which is fairly limiting.

http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html

.. this may involve "instance profiles" -- http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html

~tommy


Related issues 1 (0 open1 closed)

Related to Foreman - Feature #17286: using IAM role when querying AWS APIClosedActions
Actions #1

Updated by Daniel Lobato Garcia over 8 years ago

  • Tracker changed from Bug to Feature
Actions #2

Updated by Dominic Cleal over 8 years ago

  • Category set to Compute resources - EC2
Actions #3

Updated by Dominic Cleal about 8 years ago

  • Related to Feature #17286: using IAM role when querying AWS API added
Actions #4

Updated by Tommy McNeely over 6 years ago

I was asked to clarify this request. It has been a couple years since I filed it, but here is my best recollection...

We have a customer using IAM Roles, which assign dynamic IAM credentials to machines rather than having to manually create credentials and copy and paste them into a configuration.

The IAM Role setting is currently configured at the image level, which means where you associate the os version to the ami-xxxxxxxx ID. This setting needs to be configurable at the instance level instead of image level. I don't have a problem with being able to set a "default" IAM role at the image level, for a shop with low security requirements, but we cannot have the same role assigned to all instances.

Actions #5

Updated by Amir Fefer over 3 years ago

  • Status changed from New to Closed

This won't be implemented any time soon, If it still relevant please reopen this.

Actions

Also available in: Atom PDF