4
votes

I tried to use the role as:

~/.aws/credentials
[default]
role_arn=arn:aws:iam::xxxxxxx:role/yyyy

but I get the error:

Partial credentials found in assume-role, missing: source_profile or credential_source

so it seems an IAM role cannot replace

[default]
aws_access_key_id = AAAAAAAAAAAAAAAAAAAAAAAA
aws_secret_access_key =  BBBBBBBBBBBBBBBBBBBBBBBBBBB

since as per http://boto3.readthedocs.io/en/latest/guide/configuration.html

# In ~/.aws/credentials:
[development]
aws_access_key_id=foo
aws_secret_access_key=bar

# In ~/.aws/config
[profile crossaccount]
role_arn=arn:aws:iam:...
source_profile=development

I would still have to use keys, which could be a security risk, even though they are not used in the code.

Is there a way to use boto3 with admin privileges without using aws API credentials?

so basically:

  1. Associate an "admin" role with the EC2 instance on which you are going to run your boto3 scripts.
  2. Make sure it looks good: $ curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
  3. Test a boto3 script:

    #!/usr/bin/env python
    import boto3

    # No keys anywhere: the SDK's default credential chain picks up the
    # instance role from the EC2 metadata service.
    ec2_client = boto3.client('ec2')

    def main():
        vpcs = ec2_client.describe_vpcs()
        for vpc_info in vpcs['Vpcs']:
            print(vpc_info['VpcId'])

    if __name__ == "__main__":
        main()

I came across an application on GitHub that addresses this issue:

https://github.com/AdRoll/hologram

1
How would you propose that a client authenticate, without credentials? - jarmod
@jarmod The purpose is security (DevSecOps): not to expose AWS credentials. - kamal
There are still credentials. The appropriate way for EC2 to get credentials is to launch with an IAM role. This results in time-limited, auto-rotated credentials being made available on the instance by the EC2 metadata service. Those credentials are available to any process on the EC2 instance and are auto-retrieved by all AWS SDKs (you don’t need a ~/.aws/config file for this to happen). - jarmod

1 Answer

13
votes

If you have a role attached to the EC2 instance you can use:

~/.aws/config

[default]
credential_source=Ec2InstanceMetadata

https://docs.aws.amazon.com/cli/latest/topic/config-vars.html

credential_source - The credential provider to use to get credentials for the initial assume-role call. This parameter cannot be provided alongside source_profile. Valid values are:

Environment to pull source credentials from environment variables.

Ec2InstanceMetadata to use the EC2 instance role as source credentials.

EcsContainer to use the ECS container credentials as the source credentials.
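The asker's error and the answer's fix both come down to which combinations of role_arn, source_profile and credential_source the shared config accepts. The following is an added example, not code from the original question, answer or from the AWS SDKs: a small lint for ~/.aws/config-style text that re-implements those rules as quoted from the docs above (role_arn needs exactly one of source_profile or credential_source; credential_source must be Environment, Ec2InstanceMetadata or EcsContainer; a source_profile must exist). The sample configs, the account ID 123456789012 and the role name are constructed placeholders. It is a standalone illustration and is not how botocore itself validates profiles.

```python
"""Lint AWS shared-config profiles against the assume-role rules quoted above.

Added example for this thread, not code from the post or from the AWS SDKs.
The checks mirror the documented rules; the sample configs are constructed.
"""
import configparser
from io import StringIO

# Documented values for credential_source (see the quoted CLI docs).
VALID_CREDENTIAL_SOURCES = {"Environment", "Ec2InstanceMetadata", "EcsContainer"}


def parse_profiles(text):
    """Parse config/credentials-style text into {profile_name: {key: value}}.

    ~/.aws/config names non-default sections "[profile name]" while
    ~/.aws/credentials uses plain "[name]"; both spellings are normalised.
    For this lint, paste the contents of both files into one string so that
    source_profile references can be resolved.
    """
    parser = configparser.ConfigParser()
    parser.read_file(StringIO(text))
    profiles = {}
    for section in parser.sections():
        name = section[len("profile "):] if section.startswith("profile ") else section
        profiles[name] = dict(parser[section])
    return profiles


def check_profile(name, profile):
    """Return a list of problems with one profile (empty list means it looks valid)."""
    problems = []
    has_role = "role_arn" in profile
    has_source = "source_profile" in profile
    has_cred_source = "credential_source" in profile

    if has_role and not (has_source or has_cred_source):
        # The asker's situation: role_arn alone is a partial assume-role config.
        problems.append(f"{name}: Partial credentials found in assume-role, "
                        "missing: source_profile or credential_source")
    if has_source and has_cred_source:
        problems.append(f"{name}: source_profile and credential_source cannot both be set")
    if has_cred_source and profile["credential_source"] not in VALID_CREDENTIAL_SOURCES:
        problems.append(f"{name}: credential_source must be one of "
                        + ", ".join(sorted(VALID_CREDENTIAL_SOURCES)))
    if "aws_access_key_id" in profile and "aws_secret_access_key" not in profile:
        problems.append(f"{name}: aws_access_key_id without aws_secret_access_key")
    return problems


def lint_config(text):
    """Lint every profile in the text; returns {profile_name: [problems]}."""
    profiles = parse_profiles(text)
    report = {}
    for name, profile in profiles.items():
        problems = check_profile(name, profile)
        src = profile.get("source_profile")
        if src is not None and src not in profiles:
            problems.append(f"{name}: source_profile '{src}' is not defined")
        report[name] = problems
    return report


# Constructed samples (placeholder account ID and role name).
BROKEN_CONFIG = """
[default]
role_arn=arn:aws:iam::123456789012:role/admin
"""

KEY_BASED_CONFIG = """
[development]
aws_access_key_id=foo
aws_secret_access_key=bar

[profile crossaccount]
role_arn=arn:aws:iam::123456789012:role/admin
source_profile=development
"""

INSTANCE_ROLE_CONFIG = """
[default]
role_arn=arn:aws:iam::123456789012:role/admin
credential_source=Ec2InstanceMetadata
"""

CONFLICTING_CONFIG = """
[default]
role_arn=arn:aws:iam::123456789012:role/admin
source_profile=development
credential_source=Ec2InstanceMetadata
"""

if __name__ == "__main__":
    for label, cfg in [("broken", BROKEN_CONFIG), ("key-based", KEY_BASED_CONFIG),
                       ("instance-role", INSTANCE_ROLE_CONFIG), ("conflicting", CONFLICTING_CONFIG)]:
        print(label, lint_config(cfg))
```

INSTANCE_ROLE_CONFIG is the form the quoted docs describe for chaining from the instance role into another role: role_arn plus credential_source=Ec2InstanceMetadata, with no access keys on disk. If you do not need to assume a further role, no config at all is required, since the SDK's default chain reaches the instance metadata service on its own.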