4
votes

According to the Hazelcast manual, in order to use EC2 auto-discovery, AWS credentials need to be provided in the config file. Instead of using long-term access keys, is there a way for Hazelcast to retrieve temporary credentials when hosted on an EC2 instance launched with an IAM role (per the AWS best practice "Use Temporary Security Credentials (IAM Roles) Instead of Long-Term Access Keys")?


2 Answers

4
votes

It took me a while to find the right information when I did it. And honestly, explicitly specifying IP addresses works just as well, unless your cluster consists of hundreds of nodes and typing all of them manually is impractical.

Specifying the AWS tag name/value pair is optional. I am a little paranoid that I may join another cluster by mistake, and it is always better to explicitly create a resource (server) group like that.

First you need to create an IAM user with minimal permissions required by Hazelcast. Obviously you don't want to use your root user credentials for that.

Use the AWS Console. It is in your user name dropdown (where Account Settings are) in the top-right corner. Click on Security Credentials, then Groups. Create a group with the following policy:

{
  "Version": "xxxxxxx",
  "Statement": [
    {
      "Sid": "xxxxxx",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

As you can see, the only permission Hazelcast needs is "DescribeInstances". I found it by accident, deep inside one of Fuad Malikov's Q&A threads.

The rest is trivial. Create an IAM user, e.g. "hazelcast", with that security group, and download (export) its credentials, which you should put in your Hazelcast config as shown below. I am using Spring; however, there is a one-to-one mapping to the classic Hazelcast config file. Or you can set those properties programmatically, which is essentially what Spring does for me.

<property name="properties">
    <props>
        <prop key="hazelcast.icmp.enabled">true</prop>
    </props>
</property>
<property name="join">
    <bean class="com.hazelcast.config.JoinConfig">
        <!-- multicast and TCP/IP discovery are switched off; only AWS discovery is used -->
        <property name="multicastConfig">
            <bean class="com.hazelcast.config.MulticastConfig">
                <property name="enabled" value="false"/>
            </bean>
        </property>
        <property name="tcpIpConfig">
            <bean class="com.hazelcast.config.TcpIpConfig">
                <property name="enabled" value="false"/>
            </bean>
        </property>
        <property name="awsConfig">
            <bean class="com.hazelcast.config.AwsConfig">
                <property name="enabled" value="true"/>
                <property name="region" value="us-west-2"/>
                <property name="accessKey" value="zzzzzzz"/>
                <property name="secretKey" value="yyyyyyy"/>
                <property name="tagKey" value="your-instance-tag-key"/>
                <property name="tagValue" value="your-instance-tag-value"/>
            </bean>
        </property>
    </bean>
</property>
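The answer mentions setting the same properties programmatically instead of in Spring XML. The following is an added example, not code from the answer or from Hazelcast's own documentation: it builds the equivalent join configuration with the Hazelcast 3.x `Config` API and reads the IAM user's keys from two environment variables (`HZ_AWS_ACCESS_KEY` and `HZ_AWS_SECRET_KEY`, names chosen here) so that the long-term keys are not written into a config file that may end up in version control.

```java
import com.hazelcast.config.AwsConfig;
import com.hazelcast.config.Config;
import com.hazelcast.config.JoinConfig;
import com.hazelcast.core.Hazelcast;
import com.hazelcast.core.HazelcastInstance;

public class AwsDiscoveryConfig {

    // Programmatic equivalent of the Spring XML above (Hazelcast 3.x API assumed).
    // Access key and secret key come from the environment, not from a config file.
    public static Config build(String region, String tagKey, String tagValue) {
        // Environment variable names are chosen for this example
        String accessKey = requireEnv("HZ_AWS_ACCESS_KEY");
        String secretKey = requireEnv("HZ_AWS_SECRET_KEY");

        Config config = new Config();
        config.setProperty("hazelcast.icmp.enabled", "true");

        // Only AWS discovery is enabled; multicast and TCP/IP lists are off
        JoinConfig join = config.getNetworkConfig().getJoin();
        join.getMulticastConfig().setEnabled(false);
        join.getTcpIpConfig().setEnabled(false);

        AwsConfig aws = join.getAwsConfig();
        aws.setEnabled(true);
        aws.setRegion(region);
        aws.setAccessKey(accessKey);
        aws.setSecretKey(secretKey);
        // Restrict discovery to instances carrying this tag so the node
        // cannot accidentally join a different cluster in the same account
        aws.setTagKey(tagKey);
        aws.setTagValue(tagValue);
        return config;
    }

    // Fail fast at startup rather than silently running with empty credentials
    private static String requireEnv(String name) {
        String value = System.getenv(name);
        if (value == null || value.isEmpty()) {
            throw new IllegalStateException("Missing environment variable: " + name);
        }
        return value;
    }

    public static void main(String[] args) {
        Config config = build("us-west-2", "your-instance-tag-key", "your-instance-tag-value");
        HazelcastInstance instance = Hazelcast.newHazelcastInstance(config);
        System.out.println("Cluster members: " + instance.getCluster().getMembers());
    }
}
```

The IAM user whose keys are exported only needs the ec2:DescribeInstances permission from the policy shown earlier in the answer.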
1
votes

Currently Hazelcast does not yet support IAM role authentication, but this is planned to be implemented once the new discovery SPI is in place.