Passing IAM roles from one EC2 to another Ec2

0
votes

I have an ec2 instance (say ec2-1) which has an IAM role attached. This IAM role is having policies for launching new ec2 instances, new security groups, listing various security groups, copying file from S3 etc.

Now I want to launch another ec2 instance from this ec2-1 instance using aws cli or cloudformation templates (not from console) but with an additional access of copying objects from s3. I want paas only this policy/role from ec2-1 to this newly launched instance so that using user data in the CFT, I can copy objects into new ec2 instances from s3.

I do not want to pass the complete role with complete policies which are there in ec2-1 like launching ec2, SG etc.

How can I achieve this ?

3
amazon-web-servicesamazon-ec2amazon-iamamazon-policy

3 Answers

1
votes

Create a sepate role and attached the new policy with minimal access(required access to new ec2 instance ) and while launching new ec2 from ec2-1 attached a newly created role to new ec2 instance.

1
votes

What you describe is not possible, but there is an alternative.

Firstly, there is no concept of "passing a role with changes". An IAM Role can be used to generate temporary credentials. Those credentials can then be used to perform actions based upon the permissions assigned to the role. You could certainly pass the credentials to another instance, but then it would be operating with all the permissions associated with the role. You cannot merely pass a portion of the permissions.

The best method would be to create a different role specifically for the second instance, with appropriate policies assigned.

However, here's an interesting alternative...

If your goal is to enable the Instance 2 to download some objects from Amazon S3, and if those objects are private, then Instance 1 could generate pre-signed URLs for each object. These URLs will provide time-limited access to private objects in Amazon S3.

Some code on Instance 1 would need to generate the pre-signed URLs, and it would then include those pre-signed URLs in the User Data used to launch Instance 2. Thus, Instance 2 would be able to download the objects without requiring an IAM Role.

See: Amazon S3 pre-signed URLs

0
votes

Follow this doc step by step. I got it working using the same.

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html