
I added a user "Snapshotter" to my AWS account (via IAM) with permission just to ebs:CreateSnapshot.

On one of my instances I want to have a script that periodically creates a snapshot, but without storing on that instance any credentials or certificates that allow more permissive access to the account or to other EC2 commands.

How do I achieve that?

In IAM I can get the "secret access key" and the "access key ID" for the Snapshotter user, but it appears that the private key and X509 certificates are only for the entire account and hence would entail full access.

$ ec2-create-snapshot -h
  SYNOPSIS
     ec2addsnap ([ec2-create-snapshot])
     ec2addsnap [GENERAL OPTIONS] -d DESCRIPTION VOLUME
...

  GENERAL OPTIONS

     -K, --private-key KEY
          Specify KEY as the private key to use. Defaults to the value of the
          EC2_PRIVATE_KEY environment variable (if set). Overrides the default.

     -C, --cert CERT
          Specify CERT as the X509 certificate to use. Defaults to the value 
          of the EC2_CERT environment variable (if set). Overrides the default.
GJ.
    @GJ With IAM, AWS allows you to associate your own private keys and x509 certs with a specific IAM user. For example: create a pk and x509 cert using openssl and then upload a copy of the cert file to Amazon (via either the ec2 web console or api). Then bake that pk and cert file into the ami you use, or load the pk and cert file into the instance via user-data during boot-up (both are insecure, but via user-data is less secure than baking the key & cert into the ami). You will then be able to run EC2 cli commands from the instance. – AlanZ Sep 07 '11 at 23:43

1 Answer


One option is to invoke the ec2-create-snapshot API call using the REST interface instead of the SOAP interface. This lets you use the "access key ID" and "secret access key" instead of the x509 cert/pk.

I have written a command line program named ec2-consistent-snapshot which uses the ec2-create-snapshot REST API.

http://alestic.com/2009/09/ec2-consistent-snapshot

If you don't use any of the command line options that trigger the "consistent" aspect of creating the snapshot, then it is basically the same as the ec2-create-snapshot command line (except that it runs ten times faster).

Here's an article I wrote which has step-by-step instructions for using IAM with ec2-consistent-snapshot to do exactly what you're trying to do:

Improving Security on EC2 With AWS Identity and Access Management (IAM)
http://alestic.com/2010/09/aws-iam

I have set up an Ubuntu PPA for easy installation of ec2-consistent-snapshot and its dependencies. Other distros will require a bit more work, but it's just a script written in Perl, so it is highly portable.

I'm also in the process of moving the master source for ec2-consistent-snapshot from bazaar to github to make it easier for folks to review and fork.

Eric Hammond