Feature #16191

EC2 IAM Role should be a VM setting rather than image setting

Added by Tommy McNeely about 3 years ago. Updated 11 months ago.

Status: New
Priority: Normal
Assignee: -
Category: Compute resources - EC2
Target version: -
Difficulty:
Triaged: No
Bugzilla link:
Pull request:
Team Backlog:
Fixed in Releases:
Found in Releases:

Description

Setting the IAM role as an attribute of the "image" means that you can only have "one" role. If you want to separate your "staging" from your "production" roles (for example), you have to use a different AMI because you cannot have two images with the same AMI. Also, you cannot "set" the value at host creation time. You can only choose an OS image, which has it attached, which is fairly limiting.

http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html

.. this may involve "instance profiles" -- http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html

~tommy


Related issues

Related to Foreman - Feature #17286: using IAM role when querying AWS API (New, 2016-11-09)

History

#1 Updated by Daniel Lobato Garcia about 3 years ago

  • Tracker changed from Bug to Feature

#2 Updated by Dominic Cleal about 3 years ago

  • Category set to Compute resources - EC2

#3 Updated by Dominic Cleal almost 3 years ago

  • Related to Feature #17286: using IAM role when querying AWS API added

#4 Updated by Tommy McNeely 11 months ago

I was asked to clarify this request. It has been a couple years since I filed it, but here is my best recollection...

We have a customer using IAM Roles, which assign dynamic IAM credentials to machines rather than having to manually create credentials and copy and paste them into a configuration.

The IAM Role setting is currently configured at the image level, which means where you associate the os version to the ami-xxxxxxxx ID. This setting needs to be configurable at the instance level instead of image level. I don't have a problem with being able to set a "default" IAM role at the image level, for a shop with low security requirements, but we cannot have the same role assigned to all instances.
