I have a shell script that runs as part of a CloudFormation template for each new EC2 instance created in AWS account "A". As part of that script I'd like to create a new IAM role in a different AWS account, AWS account "B" (always the same account). I can write a script with the commands to do that, but how do I manage the credentials to account "B"? I want to get the credentials when the script starts, run the aws commands and then remove any trace of credentials. I don't want the end users of those EC2 instances to have access to, or know, those credentials. And obviously not hardcode them nor place a credentials file somewhere publicly accessible. This script will be public.
Asked
Active
Viewed 161 times
0
elatedgoat
- 11
- 3
-
Have you tried attaching an IAM role to the instance? – jellycsc Nov 01 '22 at 19:57
-
No. But I do not want that role usable while the instance is running. Only for the initial setup that the shell script does. – elatedgoat Nov 01 '22 at 21:05
1 Answers
1
You probably can't achieve this goal solely from within the instance. Any credentials or information that is made available to the startup script (eg via an IAM Role or AWS Secrets Manager) will also be available and accessible after the script completes.
One option would be to place the credentials in an Amazon S3 object and then have the startup script read the object and then delete the object. That way, it is not repeatable.
Alternatively, an AWS Lambda function could be triggered as part of the launch (either by the script or as a result of an event triggered by the launch) and that function could be responsible for creating the IAM Role in Account B. This way, the logic and permissions are external to the EC2 instance.
John Rotenstein
- 241,921
- 22
- 380
- 470
-
That is an interesting idea. I'll have to look into using the Lambda function in this case that would be outside the users environment. – elatedgoat Nov 02 '22 at 04:14