2

I have a requirement for a non-AWS host to perform a scheduled scripted task against an S3 bucket. I have this working as expected with access/secret access keys related to the S3 role.

This non-AWS host is running CentOS 7 and I have it registered with AWS Systems Manager as a managed instance. I am hoping to assign the S3 role to the managed instance and use "aws sts assume-role --role-arn..." to retrieve temporary access keys, but I am getting an "InvalidClientTokenId" error.

Should this work as expected or is there an alternative way to run the scheduled task on the SSM Managed instance without using fixed access/secret access keys?

Relish
  • 33
  • 3

1 Answer

0

To be honest, I don't think non-EC2 instances can have IAM Roles assigned in any reasonable way.

IAM Role credentials are supplied to the instance through the virtual metadata endpoint http://169.254.169.254, which isn't available from on-prem hosts.

I’m afraid you’ll have to manage access/secret keys for the host. Maybe SSM with Parameter Store can help?

Hope that helps :)

MLu
  • 24,849
  • 5
  • 59
  • 86
  • Thanks. I wonder if a Lambda script with the assigned role could perform a Run Command on the managed instance and pass temporary credentials as an object or parameters. – Relish Oct 20 '18 at 12:50
  • @Relish I guess that could work. You'll have to run the Lambda every few hours to refresh the credentials. A CloudWatch Events Rule can help with the scheduling. – MLu Oct 20 '18 at 19:24
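An added example (not code from the question or the answer above) of the pattern the question is reaching for: the scheduled task calls `aws sts assume-role` itself and runs the S3 command with the short-lived credentials only in the child process's environment, so nothing beyond the base key ever lands in `~/.aws/credentials`. It assumes the host still has some base identity the CLI can use, such as an access key whose policy allows only `sts:AssumeRole` on the target role, because STS has to authenticate the caller before it will hand out role credentials; with no base credentials at all, or a key ID STS does not recognise, the CLI fails with exactly the `InvalidClientTokenId` error from the question. The role ARN, bucket name and the STS response below are constructed placeholders; the expiry check with a refresh margin is what keeps a long `s3 sync` from dying mid-run when the session token lapses.

```python
"""Run a scheduled S3 task under short-lived STS credentials instead of a fixed key.

Added example, not from the original post. Assumes the host has a base
identity the AWS CLI can use (e.g. an access key limited to sts:AssumeRole).
ROLE_ARN, SESSION_NAME and the bucket are placeholders.
"""
import json
import os
import subprocess
from datetime import datetime, timedelta, timezone

ROLE_ARN = "arn:aws:iam::123456789012:role/s3-scheduled-task"   # placeholder
SESSION_NAME = "centos7-nightly-sync"                             # placeholder
REFRESH_MARGIN = timedelta(minutes=5)  # don't start a run this close to expiry

# Constructed sample of `aws sts assume-role --output json` (not real credentials).
SAMPLE_STS_OUTPUT = json.dumps({
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEEXAMPLEKEY",
        "SecretAccessKey": "examplesecret/examplesecret/examplesecret",
        "SessionToken": "FwoGZXIvYXdzEXAMPLEsessiontoken",
        "Expiration": "2018-10-20T13:50:00Z",
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAEXAMPLEID:centos7-nightly-sync",
        "Arn": "arn:aws:sts::123456789012:assumed-role/s3-scheduled-task/centos7-nightly-sync",
    },
})


def _parse_iso(value):
    """Accept a datetime or an ISO-8601 string; CLI v1 emits 'Z', v2 emits '+00:00'."""
    if isinstance(value, datetime):
        return value
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_assume_role_output(text):
    """Map the STS Credentials object onto the env vars the AWS CLI and SDKs read."""
    creds = json.loads(text)["Credentials"]
    return {
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        "AWS_SESSION_TOKEN": creds["SessionToken"],
        # Not read by the CLI; kept so the caller can check remaining lifetime.
        "AWS_CREDENTIAL_EXPIRATION": creds["Expiration"],
    }


def seconds_remaining(env, now=None):
    """Seconds until the session token expires; negative once it has expired."""
    expiry = _parse_iso(env["AWS_CREDENTIAL_EXPIRATION"])
    now = _parse_iso(now) if now is not None else datetime.now(timezone.utc)
    return (expiry - now).total_seconds()


def still_usable(env, now=None, margin=REFRESH_MARGIN):
    """True if the credentials outlive the refresh margin from `now`."""
    return seconds_remaining(env, now) > margin.total_seconds()


def assume_role(role_arn=ROLE_ARN, session_name=SESSION_NAME, duration=3600):
    """Call the AWS CLI with the host's base identity and return temporary creds.

    Raises CalledProcessError when STS rejects the caller, e.g. InvalidClientTokenId
    when the base access key is missing or unknown.
    """
    result = subprocess.run(
        ["aws", "sts", "assume-role", "--role-arn", role_arn,
         "--role-session-name", session_name,
         "--duration-seconds", str(duration), "--output", "json"],
        check=True, capture_output=True, text=True,
    )
    return parse_assume_role_output(result.stdout)


def run_task(cmd, env):
    """Run `cmd` with the temporary credentials injected only into its environment."""
    child_env = dict(os.environ)
    child_env.update({k: v for k, v in env.items() if k != "AWS_CREDENTIAL_EXPIRATION"})
    # Make sure a stale profile on disk cannot override the role credentials.
    child_env.pop("AWS_PROFILE", None)
    return subprocess.run(cmd, env=child_env, check=True).returncode


if __name__ == "__main__":
    creds = assume_role()
    if not still_usable(creds):
        raise SystemExit("assumed-role credentials expire too soon; refusing to start")
    # Placeholder paths/bucket for the nightly sync from the question's scenario.
    run_task(["aws", "s3", "sync", "/var/backups", "s3://example-bucket/centos7/"], creds)
```

Schedule the script from cron as usual; each run gets a fresh one-hour session from STS, so the only long-lived secret on the host is the base key, which should be allowed to do nothing except assume the role. If the base key itself is what you want to get rid of, this script does not solve that: STS still needs to authenticate the caller, which is the gap the answer above describes.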