Question

I'm using AWS IAM roles that allow an instance to have access to certain resources using temporary API credentials (access key, secret key and security token).

When I test the temporary credentials using this ruby script, it runs without any problems:

require 'rubygems'
require 'aws-sdk'
AWS.config(
    :access_key_id     => "MY ACCESS KEY GOES HERE",
    :secret_access_key => "MY SECRET KEY GOES HERE",
    :session_token     => "MY TOKEN GOES HERE")
s3 = AWS::S3.new()
myfile = s3.buckets['My-Config'].objects["file.sh"]
File.open("/tmp/file.sh", "w") do |f|
    f.write(myfile.read)
end

But when using command line to run cfn-describe-stacks I get an error:

export AWS_CREDENTIAL_FILE=aws_credentials.cfg
cfn-describe-stacks
cfn-describe-stacks:  Refused: The security token included in the request is invalid

and here is my aws_credentials.cfg:

AWSAccessKeyId=MY ACCESS KEY
AWSSecretKey=My SECRET KEY
AWSToken="MY TOKEN=="

So what am I missing here? Thank you!


Solution

I don't think that the CLI tools support temporary credentials. If they did, you should be able to pass your "AWSToken" in as a command line parameter. But according to the documentation, it only supports passing in the access key id and secret key as parameters.

-I, --access-key-id VALUE

Specify VALUE as the AWS Access ID to use.

-S, --secret-key VALUE

Specify VALUE as the AWS Secret Key to use.

Other tips

This is easy with a user-data script. For example, this snippet will grab your temporary credentials and download a resource from S3. I use it for WAR deployment.

#!/bin/bash
# Install updates and dependencies
yum -y install ruby-devel
yum -y install rubygems
yum -y install rubygem-nokogiri
gem install --no-rdoc --no-ri aws-sdk
gem install --no-rdoc --no-ri json

# Grab the role's temporary credentials from the instance metadata service and parse them
# ("s3access" is the name of the IAM role attached to the instance profile)
CREDENTIALS=$(curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/s3access)
S3_ACCESS_KEY=$(echo "$CREDENTIALS" | ruby -e "require 'rubygems'; require 'json'; puts JSON[STDIN.read]['AccessKeyId'];")
S3_SECRET_KEY=$(echo "$CREDENTIALS" | ruby -e "require 'rubygems'; require 'json'; puts JSON[STDIN.read]['SecretAccessKey'];")
S3_TOKEN=$(echo "$CREDENTIALS" | ruby -e "require 'rubygems'; require 'json'; puts JSON[STDIN.read]['Token'];")

# Download myFile (the unquoted EOF lets the shell substitute the three variables into the script)
cat << EOF > /etc/getFile.rb
require 'rubygems'
require 'aws-sdk'
AWS.config(
  :access_key_id     => "$S3_ACCESS_KEY",
  :secret_access_key => "$S3_SECRET_KEY",
  :session_token     => "$S3_TOKEN")
s3 = AWS::S3.new()
myfile = s3.buckets['mybucket'].objects["myFile"]
File.open("myLocalFile", "w") do |f|
  f.write(myfile.read)
end
EOF

ruby /etc/getFile.rb

Drop it in your CloudFormation template and log it appropriately. It'll work like a charm. You can use instance profiles with LaunchConfigs and EC2 resources no problem. I'm 100% confident of this. I was in touch with AWS when their docs folks added these references to the documentation.
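As an added example (not code from the question or either answer), here is a Ruby script that handles the credential document the metadata endpoint above returns: it checks that the session token is present, refuses credentials that are close to their Expiration, builds the AWS.config option hash used in the answer, and, if a credentials file on disk is unavoidable, writes it with the token included and owner-only permissions. The curl fetch is left out so the block runs offline on a constructed sample; SAMPLE_METADATA_JSON and the function names are assumptions of this example, not part of the aws-sdk gem.

```ruby
require 'json'
require 'time'

# Constructed sample of the document the instance metadata service returns for a
# role; the values are placeholders, not real credentials.
SAMPLE_METADATA_JSON = <<~JSON
  {
    "Code": "Success",
    "AccessKeyId": "ASIAEXAMPLEKEYID",
    "SecretAccessKey": "examplesecretkey",
    "Token": "exampletoken==",
    "Expiration": "2013-02-01T16:00:00Z"
  }
JSON

# Parse the role-credential document. All three parts are mandatory: a request
# signed with the key pair but without the session token is rejected with
# "The security token included in the request is invalid".
def parse_role_credentials(json_text)
  doc = JSON.parse(json_text)
  raise "metadata returned Code=#{doc['Code']}" unless doc['Code'] == 'Success'
  %w[AccessKeyId SecretAccessKey Token Expiration].each do |k|
    raise "missing #{k} in role credentials" if doc[k].to_s.empty?
  end
  { access_key_id: doc['AccessKeyId'],
    secret_access_key: doc['SecretAccessKey'],
    session_token: doc['Token'],
    expiration: Time.iso8601(doc['Expiration']) }
end

# Temporary credentials expire; keep a safety margin so a long download does
# not fail part-way through with the same "invalid token" error.
def credentials_usable?(creds, now = Time.now, margin_seconds = 300)
  creds[:expiration] - now > margin_seconds
end

# The option hash for AWS.config in the aws-sdk v1 gem used in the answer.
def aws_config_options(creds)
  creds.reject { |k, _| k == :expiration }
end

# If a credentials file on disk is unavoidable, create it owner-readable only
# and include the token; returns the resulting permission bits.
def write_credentials_file(path, creds)
  File.open(path, File::WRONLY | File::CREAT | File::TRUNC, 0600) do |f|
    f.puts "AWSAccessKeyId=#{creds[:access_key_id]}"
    f.puts "AWSSecretKey=#{creds[:secret_access_key]}"
    f.puts "AWSToken=#{creds[:session_token]}"
  end
  File.stat(path).mode & 0777
end
```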

License: CC-BY-SA with attribution
Not affiliated with StackOverflow