
The docs are very confusing to me. I have read through the SQS access docs. But what really throws me is this page: http://docs.aws.amazon.com/aws-sdk-php/v2/guide/service-sqs.html

You can provide your credential profile like in the preceding example, specify your access keys directly (via key and secret), or you can choose to omit any credential information if you are using AWS Identity and Access Management (IAM) roles for EC2 instances or credentials sourced from the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables.

1) Regarding what I have bolded, how is that possible? I cannot find steps whereby you are able to grant EC2 instances access to SQS using IAM roles. This is very confusing.

2) Where would the aforementioned environment variables be placed? And where would you get the key and secret from?

Can someone help clarify?


1 Answer


There are several ways that applications can discover AWS credentials. Any software using the AWS SDK automatically looks in these locations. This includes the AWS Command-Line Interface (CLI), which is a python app that uses the AWS SDK.

Your bold words refer to #3, below:

1. Environment Variables

The SDK will look for the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables. This is a great way to provide credentials because there is no danger of accidentally including a credentials file in github or other repositories. In Windows, use the System control panel to set the variables. In Mac/Linux, just EXPORT the variables from the shell.

The credentials are provided when IAM users are created. It would be your responsibility to put those credentials into the environment variables.

2. Local Credentials File

The SDK will look in local configuration files, such as:

  • ~/.aws/credentials
  • C:\users\awsuser\.aws\credentials

These files are great for storing user-specific credentials and can actually store multiple profiles, each with their own credentials. This is useful for switching between different environments such as Dev and Test.

The credentials are provided when IAM users are created. It would be your responsibility to put those credentials into the configuration file.

3. IAM Roles on an Amazon EC2 instance

An IAM role can be associated with an Amazon EC2 instance at launch time. Temporary credentials will then automatically be provided by the instance metadata service via the URL:

http://instance-data/latest/meta-data/iam/security-credentials/<role-name>/

This will return meta-data that contains AWS credentials, for example:

{
  "Code" : "Success",
  "LastUpdated" : "2015-08-27T05:09:23Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "ASIAI5OXLTT3D5NCV5MS",
  "SecretAccessKey" : "sGoHyFaVLIsjm4WszUXJfyS1TVN6bAIWIrcFrRlt",
  "Token" : "AQoDYXdzED4a4AP79/SbIPdV5N8k....lZwERog07b6rgU=",
  "Expiration" : "2015-08-27T11:11:50Z"
}

These credentials inherit the permissions of the IAM role that was assigned when the instance was launched. They automatically rotate every 6 hours (note the Expiration in this example, approximately 6 hours after the LastUpdated time).

Applications that use the AWS SDK will automatically look at this URL to retrieve security credentials. Of course, they will only be available when running on an Amazon EC2 instance.

Credentials Provider Chain

Each particular AWS SDK (e.g. Java, .Net, PHP) may look for credentials in different locations. For further details, refer to the appropriate documentation, e.g.:
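As an added illustration (not code from the answer above or from any AWS SDK), here is a minimal Python version of the lookup order the answer lists: environment variables first, then a named profile in the INI-style credentials file, then the instance metadata document, whose Expiration is checked so a rotated set is fetched again rather than reused. The credential values, the metadata fetcher and the clock are all constructed and injected, so it runs offline.

```python
import configparser
import json
from datetime import datetime, timezone
# Constructed sample inputs (not real credentials): a credentials file with two
# profiles, the JSON the metadata URL returns for an instance role, and a fixed clock.
SAMPLE_CREDENTIALS_FILE = """
[default]
aws_access_key_id = AKIAFILEDEFAULT0000
aws_secret_access_key = file-secret-default
[test]
aws_access_key_id = AKIAFILETEST0000000
aws_secret_access_key = file-secret-test
"""
SAMPLE_METADATA_JSON = json.dumps({"Code": "Success", "Type": "AWS-HMAC",
    "AccessKeyId": "ASIAROLEEXAMPLE0000", "SecretAccessKey": "role-secret",
    "Token": "role-session-token", "Expiration": "2015-08-27T11:11:50Z"})
SAMPLE_NOW = datetime(2015, 8, 27, 6, 0, tzinfo=timezone.utc)  # before the sample Expiration

def from_environment(env):
    """Step 1: AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY (plus an optional session token)."""
    key, secret = env.get("AWS_ACCESS_KEY_ID"), env.get("AWS_SECRET_ACCESS_KEY")
    if key and secret:
        return {"source": "env", "key": key, "secret": secret, "token": env.get("AWS_SESSION_TOKEN")}
    return None

def from_credentials_file(text, profile="default"):
    """Step 2: ~/.aws/credentials is INI-style, one [section] per named profile."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    if cfg.has_option(profile, "aws_access_key_id"):
        return {"source": "file:" + profile, "key": cfg[profile]["aws_access_key_id"],
                "secret": cfg[profile]["aws_secret_access_key"], "token": cfg[profile].get("aws_session_token")}
    return None

def from_instance_metadata(fetch, now):
    """Step 3: `fetch()` returns the JSON body of .../iam/security-credentials/<role-name>/, or None off EC2."""
    doc = json.loads(fetch() or "null")
    if not doc or doc.get("Code") != "Success":
        return None
    expires = datetime.strptime(doc["Expiration"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if expires <= now:  # role credentials rotate; an expired set must be fetched again, never reused
        return None
    return {"source": "instance-role", "key": doc["AccessKeyId"],
            "secret": doc["SecretAccessKey"], "token": doc["Token"]}

def resolve_credentials(env, file_text, fetch_metadata, now, profile="default"):
    """Return the first credential set found, trying the sources lazily in the order the SDKs search."""
    providers = (lambda: from_environment(env), lambda: from_credentials_file(file_text, profile),
                 lambda: from_instance_metadata(fetch_metadata, now))
    return next((creds for creds in (p() for p in providers) if creds), None)
```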