
I have a PHP library I wrote to help with working alongside Amazon Web Services. It was built to either look for the default $HOME/.aws/credentials (or be pointed to a similar format file) or to look for the key and secret in the environment before proceeding.

We are now going to be running it on an EC2 and I was shown how you can use roles in conjunction with the EC2 to get and keep much better control on what the server code can and can't do. But I need to modify my code to be able to know when it has proper permissions before proceeding and I don't see anywhere in the docs on assigning an EC2 instance a given role how you know in the SDK that it has the permissions of that role.

Is there some way once I instantiate the SDK to ask something akin to 'hasRole' or 'getRoleArn' or something like that?

Scott

1 Answer

SDKs are mapped directly to API calls. So if you know what cli command to call, it makes it much easier to google. So you want the aws sts get-caller-identity most likely.

Doing a google for "PHP sts sdk aws" is then the search you would do. And then you would wind up on this page.

So that way is using the SDK. There are a couple of other ways as well. As you are using ec2 you can use instance meta-data as well.

On another note I do think you should be careful though with leaking the AWS role into your application code. It probably makes more sense to use user identity context, such as with Cognito, and then use different groups with different permission sets. The role on the actual ec2 instance shouldn't be changing (unless you do a re-deploy), so there is no need for your code to check something that won't change during the normal running of the application. You could simply use an environment variable to convey whatever configuration you want to your application.

aws sts get-caller-identity --query 'Arn'
arn:aws:iam::1232412321:role/YourRole
Derrops
  • ok, thanks. Someone else told me about that one yesterday also. I also found a doc with info about the rest service available to localhost on http://169.254.169.254/latest/meta-data/iam/info – Scott Nov 06 '20 at 16:04
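The two checks the answer and the follow-up comment describe (STS GetCallerIdentity through the SDK, and the instance metadata endpoint at http://169.254.169.254/latest/meta-data/iam/info), as an added example in PHP that is not code from the question's library or from the answer. It assumes the AWS SDK for PHP v3 is installed with Composer, that the code runs on an EC2 instance with an instance profile attached (so the SDK's default credential chain finds the role credentials), and that the expected role name is supplied in a hypothetical EXPECTED_ROLE_NAME environment variable, following the answer's suggestion to convey configuration that way rather than hard-coding it. The metadata call uses IMDSv2 (a session token fetched with a PUT), which is the form to prefer so the check still works when the instance has IMDSv1 disabled.

```php
<?php
// Added example, not part of the original post. Requires: composer require aws/aws-sdk-php
require 'vendor/autoload.php';

use Aws\Sts\StsClient;
use Aws\Exception\AwsException;

const IMDS_BASE = 'http://169.254.169.254/latest';

/**
 * Ask STS who we are. With an instance profile the Arn comes back as
 * arn:aws:sts::<account>:assumed-role/<RoleName>/<session>; a plain IAM role
 * ARN (arn:aws:iam::<account>:role/<RoleName>) is accepted as well.
 * Returns the role name, or null if the identity is not a role (e.g. an IAM user).
 */
function callerRoleName(StsClient $sts): ?string
{
    $arn = $sts->getCallerIdentity()['Arn'];
    if (preg_match('#:(?:assumed-role|role)/([^/]+)#', $arn, $m)) {
        return $m[1];
    }
    return null;
}

/**
 * Read the instance profile ARN from the metadata service using IMDSv2.
 * Returns null if the metadata service is unreachable (not on EC2) or no
 * instance profile is attached. Short timeouts keep a non-EC2 host from hanging.
 */
function instanceProfileArnFromImds(): ?string
{
    $token = @file_get_contents(IMDS_BASE . '/api/token', false, stream_context_create([
        'http' => [
            'method'  => 'PUT',
            'header'  => "X-aws-ec2-metadata-token-ttl-seconds: 60\r\n",
            'timeout' => 2,
        ],
    ]));
    if ($token === false) {
        return null;
    }
    $info = @file_get_contents(IMDS_BASE . '/meta-data/iam/info', false, stream_context_create([
        'http' => [
            'method'  => 'GET',
            'header'  => "X-aws-ec2-metadata-token: $token\r\n",
            'timeout' => 2,
        ],
    ]));
    if ($info === false) {
        return null;
    }
    $data = json_decode($info, true);
    return $data['InstanceProfileArn'] ?? null;
}

/**
 * Fail closed before doing any real work: refuse to continue unless the
 * credentials the SDK picked up actually belong to the role we expect.
 */
function requireExpectedRole(StsClient $sts): void
{
    $expected = getenv('EXPECTED_ROLE_NAME');        // hypothetical config variable
    if ($expected === false || $expected === '') {
        throw new RuntimeException('EXPECTED_ROLE_NAME is not set');
    }
    try {
        $actual = callerRoleName($sts);
    } catch (AwsException $e) {
        // No usable credentials at all: surface the SDK error rather than guessing.
        throw new RuntimeException('GetCallerIdentity failed: ' . $e->getAwsErrorMessage());
    }
    if ($actual !== $expected) {
        throw new RuntimeException(sprintf(
            'Running as role "%s", expected "%s"', $actual ?? '(not a role)', $expected
        ));
    }
}

// Usage: the SDK resolves instance-profile credentials on its own; no key/secret needed.
$sts = new StsClient(['region' => 'us-east-1', 'version' => '2011-06-15']);
requireExpectedRole($sts);
printf("Instance profile (from IMDS): %s\n", instanceProfileArnFromImds() ?? '(none)');
```

The STS check is the authoritative one, because it tells you which credentials the SDK will actually sign requests with; the IMDS lookup only tells you what is attached to the instance, which can differ if credentials were also placed in the environment or a credentials file higher in the provider chain. Note that neither call enumerates the role's permissions; as the answer says, knowing the role name plus how it was provisioned is what you get, and a call the role is not allowed to make will still fail with an AccessDenied error at the time it is made.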