Support for IAM roles?

Bug #1316602 reported by justinsb on 2014-05-06
This bug affects 3 people
Affects: juju (Importance: High, Assigned to: Unassigned)
Affects: juju-core (Importance: Low, Assigned to: Unassigned)

Bug Description

Is there any way Juju could support IAM roles with the EC2 provider, rather than requiring the user to copy and paste their credentials?

I believe that the IAM credentials expire/rotate automatically, so we wouldn't be able to simply copy them to any launched instances; rather, they would also have to be launched into an IAM role. I imagine the role would be specified in the configuration (or we could check for the existence of a well-known default role, e.g. juju). This would still be much easier, IMHO, than pasting in the credentials.

You can certainly create an IAM account and use the credentials there. I've done that for several people to enable them to use a shared account. But each IAM account has its own EC2 secret key and access key. You could argue that it would be nice to support EC2 username+password, which could then look up the associated secret key and access key.

I haven't seen anything about IAM credentials expiring automatically; perhaps you can configure them to do so, but it isn't a required feature of IAM.

On Tue, May 6, 2014 at 5:25 PM, justinsb <email address hidden> wrote:

> Public bug reported:
>
> Is there any way Juju could support IAM roles with the EC2 provider,
> rather than requiring the user to copy and paste their credentials?
>
> I believe that the IAM credentials expire/rotate automatically, so we
> wouldn't be able to simply copy them to any launched instances, rather
> they would also have to be launched into an IAM role. I imagine the
> role would be specified in the configuration (or we could check for the
> existence of a well-known default role, e.g. juju). This would still be
> much easier, IMHO, than pasting in the credentials.
>

Curtis Hovey (sinzui) on 2014-05-06
Changed in juju-core:
status: New → Triaged
importance: Undecided → Low
tags: added: ec2-provider feature
justinsb (justin-fathomdb) wrote:

Thanks for the quick reply. Sorry I wasn't particularly clear. IAM roles for EC2 instances are different (I think) from 'normal' IAM users. I'm probably using the wrong terminology...

IAM roles are a nice trick that means that EC2 manages the access-key / secret-key for you, and exposes them to the instance over the EC2 metadata service:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html

With this set up, you don't have to manage the credentials: Boto / the AWS SDK / the AWS CLI etc will all just pick them up automatically.

Kapil Thangavelu (hazmat) wrote:

This is per AWS best practices, and is required in many environments, as long-running credentials are considered an attack vector. The alternative is some notion of replacing credentials. IAM credentials are time limited to 1 hr, though most of the SDKs support transparent rotation.
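An added example (not code from this thread or from Juju) of the metadata-service flow justinsb and Kapil describe: a role provider that reads the credential document the EC2 instance metadata service serves for the instance's IAM role and re-fetches it shortly before its Expiration, so nothing long-lived is ever stored. The RoleProvider name, the injected Fetch and Now hooks and the 5-minute refresh window are assumptions; SampleDoc is a constructed document, not real credentials.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Creds mirrors the JSON document served by the EC2 metadata service at
// http://169.254.169.254/latest/meta-data/iam/security-credentials/<role>.
type Creds struct {
	Code, AccessKeyId, SecretAccessKey, Token string
	Expiration                                time.Time
}

// RoleProvider caches the role's temporary credentials and re-fetches them before
// Expiration, so no long-lived key is stored. Fetch and Now are injected for testing.
type RoleProvider struct {
	Role   string
	Fetch  func(role string) ([]byte, error)
	Now    func() time.Time
	Window time.Duration // refresh this long before Expiration
	cached *Creds
}

// Credentials returns (access key, secret, session token), refreshing as needed.
func (p *RoleProvider) Credentials() (string, string, string, error) {
	if p.cached == nil || !p.Now().Add(p.Window).Before(p.cached.Expiration) {
		raw, err := p.Fetch(p.Role)
		if err != nil {
			return "", "", "", err
		}
		var c Creds
		if err := json.Unmarshal(raw, &c); err != nil {
			return "", "", "", err
		}
		if c.Code != "Success" || c.Token == "" || c.Expiration.IsZero() {
			return "", "", "", fmt.Errorf("metadata service returned no usable credentials: %q", c.Code)
		}
		p.cached = &c
	}
	return p.cached.AccessKeyId, p.cached.SecretAccessKey, p.cached.Token, nil
}
// SampleDoc is a constructed document (not real credentials) in the metadata format.
const SampleDoc = `{"Code":"Success","Type":"AWS-HMAC","AccessKeyId":"ASIAEXAMPLE","SecretAccessKey":"secretEXAMPLE","Token":"tokenEXAMPLE","Expiration":"2014-05-06T23:00:00Z"}`
func main() {
	p := &RoleProvider{Role: "juju", Now: time.Now, Window: 5 * time.Minute,
		Fetch: func(string) ([]byte, error) { return []byte(SampleDoc), nil }}
	fmt.Println(p.Credentials())
}
```

On a real instance Fetch would perform an HTTP GET against the URL in the Creds comment; a failed or expired document is reported as an error instead of being used.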

Changed in juju-core:
status: Triaged → Won't Fix
Shibo (obviouslygreen) wrote:

Any reason this is being listed as won't fix? As Kapil mentioned, it is best practice to use IAM roles. It seems like most people are using awscli or something similar to attach the role after the fact, but juju support would be super nice.

Richard Harding (rharding) wrote:

+Shibo, this is won't fix because it's on the juju-core project, which represents the outdated 1.2x line of Juju. When 2.0 came out, the juju project was used to help make a break from old vs. new bugs and work to track. It's definitely something we need to do in Juju, but it's not something we'll look to add to the older 1.25 release that's in critical fixes only.

Shibo (obviouslygreen) wrote:

I see, thanks for the information!

Hagen Kuehn (hag-k) wrote:

@Richard, I understand from your previous response that this particular 'bug' is set to 'Won't Fix' due to it being filed against an older version of Juju.

You also mentioned that this is 'definitely something we need to do in Juju' but I cannot find a corresponding ticket for a newer version of Juju either.

If there is not a ticket yet, let me know and I will create one!

BTW, I am currently evaluating Juju and it not supporting AWS 'assume-role' is actually a deal breaker for us.

I don't really know the internals of Juju but would happily look into writing a PR for such a feature if you could point me to the source code that currently sends the credentials to AWS. I have previously implemented Security Token Service (STS) assume-role with two other Python- and Golang-based applications.

John A Meinel (jameinel) on 2018-02-15
Changed in juju:
status: New → Triaged
importance: Undecided → High