
• Walkthrough: Using IAM Roles to Retrieve an Amazon S3 Object from an EC2 Instance (p. 11)
Using IAM Roles for EC2 Instances to Manage Your Credentials
You can use the AWS Management Console to create an IAM role and configure it with the permissions
that your software requires. Permissions for IAM roles are specified in a way similar to permissions for
IAM users. For more information, see IAM Users and Groups in Using IAM.
Amazon EC2 instances support the concept of an instance profile, which is a logical container for the
IAM role. When you launch an EC2 instance, you can associate the instance with an instance profile that
corresponds to the IAM role. Any software that runs on the EC2 instance is able to access AWS using
the permissions associated with the IAM role.
Note
If you're using the AWS Management Console, you don't need to worry about instance profiles.
The IAM console creates one for you in the background whenever you create an IAM role.
To use the permissions associated with the IAM role, the software constructs a client object for an AWS
service, such as Amazon Simple Storage Service (Amazon S3), using an overload of the constructor that
does not take any parameters. When this parameterless constructor executes, it searches the "credentials
provider chain." The credentials provider chain is the set of places where the constructor will attempt to
find credentials if they are not specified explicitly as parameters. For Ruby, the credentials provider chain
is:
• Static credentials provided to the AWS.config method. For example:
AWS.config(:access_key_id => '...', :secret_access_key => '...')
• Environment variables with an 'AWS' prefix: ENV['AWS_ACCESS_KEY'] and
ENV['AWS_SECRET_ACCESS_KEY']
• Environment variables with an 'AMAZON' prefix: ENV['AMAZON_ACCESS_KEY'] and
ENV['AMAZON_SECRET_ACCESS_KEY']
• Instance Metadata Service, which provides the credentials associated with the IAM role for the EC2
instance
If the client constructor does not find credentials in AWS.config, or in the environment, it retrieves
temporary credentials that have the same permissions as those associated with the IAM role. The
credentials are retrieved from the Instance Metadata Service (IMDS).
The credentials are stored by the constructor on behalf of the application software and are used to make
calls to AWS from the client object. Although the credentials are temporary and eventually expire, the
SDK client periodically refreshes them so that they continue to enable access. This periodic refresh is
completely transparent to the application software.
You can have the SDK automatically use IAM role credentials from the IMDS by specifying the following
line in your program:
AWS.config(:credential_provider => AWS::Core::CredentialProviders::EC2Provider.new)
If the client constructor is not able to obtain credentials from the IMDS, or any of the earlier stages in the
credentials provider chain, then it throws an AmazonClientException.
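An added example, not code from the SDK or from this guide: a minimal Ruby model of the provider chain described above (static config, then AWS-prefixed and AMAZON-prefixed environment variables, then IMDS), with the IMDS call stubbed by a constructed credentials document, plus the expiry check that motivates the SDK's periodic refresh. The provider functions, the `imds_fetch` stub, the 300-second refresh margin and all sample values are assumptions; the real SDK's internal class names differ.

```ruby
require 'time'

# Resolved credentials; expires_at is nil for long-lived static/env keys.
Credentials = Struct.new(:access_key_id, :secret_access_key, :session_token, :expires_at)

# Constructed sample of the document IMDS returns for a role's credentials.
SAMPLE_IMDS_DOC = {
  'Code' => 'Success', 'AccessKeyId' => 'ASIAEXAMPLE',
  'SecretAccessKey' => 'EXAMPLESECRET', 'Token' => 'EXAMPLETOKEN',
  'Expiration' => '2013-01-01T12:00:00Z'
}.freeze

# Stage 1: static credentials passed to AWS.config (modelled as a Hash).
def static_provider(config)
  return nil unless config[:access_key_id] && config[:secret_access_key]
  Credentials.new(config[:access_key_id], config[:secret_access_key], nil, nil)
end

# Stages 2 and 3: environment variables with an AWS or AMAZON prefix.
def env_provider(env, prefix)
  key, secret = env["#{prefix}_ACCESS_KEY"], env["#{prefix}_SECRET_ACCESS_KEY"]
  return nil unless key && secret
  Credentials.new(key, secret, nil, nil)
end

# Stage 4: temporary role credentials from IMDS. `fetch` stands in for the HTTP call.
def imds_provider(fetch)
  doc = fetch.call
  return nil unless doc && doc['Code'] == 'Success'
  Credentials.new(doc['AccessKeyId'], doc['SecretAccessKey'], doc['Token'],
                  Time.parse(doc['Expiration']))
end

# First stage that yields credentials wins; earlier stages shadow the IAM role.
def resolve_credentials(config: {}, env: {}, imds_fetch: -> { nil })
  static_provider(config) ||
    env_provider(env, 'AWS') ||
    env_provider(env, 'AMAZON') ||
    imds_provider(imds_fetch) ||
    raise('no credentials found in the provider chain')
end

# Role credentials expire; refresh ahead of expiry so callers never hold a dead key.
def needs_refresh?(creds, now, margin_seconds = 300)
  !creds.expires_at.nil? && creds.expires_at - now < margin_seconds
end
```

Because static and environment credentials take precedence over the role, a stray long-lived key in the environment silently overrides the least-privilege role you attached to the instance; checking which stage resolved is a useful sanity test.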
Version v1.0.0
10
AWS SDK for Ruby Developer Guide