Ref: https://learn.cantrill.io/courses/1820301/lectures/41301600

DEMO: https://learn.cantrill.io/courses/1820301/lectures/41301601

• Summary
• Contents:

EC2 Instance Roles - Architecture

Diagram: https://github.com/acantril/aws-sa-associate-saac03/blob/main/1100-ADVANCED_EC2/00_LEARNINGAIDS/EC2InstanceRoles-1.png

• Best practice to allow an AWS service to access other AWS resources is via IAM roles
  • Services assume roles and acquire needed permissions to interact with other services
  • Why?
    1. Security
       • ❗ Long-term credentials (e.g. access keys created with aws configure) should NEVER be stored in non-secure places!
       • 💡 Your local machine is secure, but an EC2 instance is not (others could access the instance…)
    2. Scalability
       • The same IAM role can be attached to many EC2 instances
       • Long-term credentials would need to be manually configured for each instance… Rotating long-term credentials in many instances would be a nightmare…
• 🔧 Instance role = IAM role that can be assumed by an EC2 instance
  • Anything inside the instance has the permissions that the role grants
• Role's temporary credentials are delivered via EC2 Instance Metadata Service (IDMS)
  • http://169.254.169.254/latest/meta-data/iam/security-credentials/<ROLE-NAME>
    • Can access <ROLE-NAME> by going inside ...iam/security-credentials
  • ‼️ Credentials are always valid! They are automatically rotated!!
    • EC2 and STS (Secure Token Service) liaise with each other to keep credentials valid
    • 💡 Apps inside instance should query endpoint periodically or clear cache when credentials expire, but Metadata Endpoint always has valid credentials!
• AWS CLI inside an instance uses role credentials automatically as long as a role is attached

EC2 InstanceProfile

• 🔧 InstanceProfile = wrapper around an instance role (intermediate piece of architecture)
  • Attached to an instance, allows the instance to assume the role
• ❗ Needs to be created separately if using AWS CLI or CFN!
• 💡 In the EC2 UI, profiles and roles are almost indistinguishable
  • Creating an instance role creates an InstanceProfile with the same name
  • Attaching an instance role via UI actually attaches InstanceProfile of the same name

Credential Precedence for AWS CLI

• Ref: https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html#cli-configure-quickstart-precedence
• Long-term credentials take precedence over short-term credentials (role credentials)…
  • 💡 …but remember that instance roles are best practice in EC2!