IAM Roles and EC2 access to user identity




I was checking out videos on accessing AWS using SSH.



He just added an IAM role while creating the EC2 instance. When I SSH to the EC2 instance from the CLI I was easily able to run "aws s3 ls". My question is how will it know whether I belong to that IAM role or not?



While starting the SSH connection I gave only the public IP of the EC2 instance and the keypair related to that EC2 instance.



So where exactly did I allow my identity to be shared with AWS?



When I did not add the role while creating the EC2 instance, I had to explicitly give my keys for accessing AWS services.



So what does the IAM role do on the fly so that it does not ask for credentials?




2 Answers



First, don't interrelate the PEM (keypair) and IAM. They are not connected to each other.



What is IAM?



AWS Identity and Access Management (IAM) enables you to manage access
to AWS services and resources securely.



From the explanation itself it's clear that it enables access to AWS resources. So let's take one simple example: you want to access an S3 bucket from the AWS EC2 instance you created. For that you need to provide an Accesskey and Secretkey. From where will you get the access key and secret key? They can be generated by creating a User/Role using IAM. Both have the creds generated. Now let's see about Role. A Role can be assumed by a USER/Resource (EC2); now if you assign a Role to an EC2 instance then the instance by default will get all the permissions associated with that role, meaning it gets the Accesskey and SecretKey. Now if you run some "aws s3 ls" command, it will retrieve the keys from the default path and access the AWS resource (here S3).



What is EC2 Keypair(PEM)?



Amazon EC2 uses public–key cryptography to encrypt and decrypt login
information. Public–key cryptography uses a public key to encrypt a
piece of data, such as a password, then the recipient uses the private
key to decrypt the data. The public and private keys are known as a
key pair.



The keypair is only associated with your EC2 instance and it can't be used to access any other AWS resources. It has no dependency on IAM. You are not sharing any identity with AWS. The private key is owned by you (the PEM file) and the public key is kept inside the EC2 instance in the file ~/.ssh/authorized_keys. If you want to change your keys and delete the Amazon-provided keypair, just delete the default one and place the new public key in the above file. Now you can use the new keypair to log in to your instance.



Thus your keypair and IAM are not interconnected anywhere. For more details:



AWS EC2 Keypair



AWS IAM Docs





I agree with the workflow you stated, that the IAM Role provides all the user access keys to the EC2 instance for accessing services and the EC2 KeyPair is only for EC2 access using SSH. But don't you think this is kind of a security issue too, that when someone gets access to the EC2 key pair then that person will have free access to all the services? Or maybe I don't know whether the CLI has that much control or not.
– Ladoo
Aug 10 at 16:01






@Ladoo you keep saying that someone is going to get access to the key pair. The key pair is the same as a password. It is your security credentials. Why would someone be able to gain access to your SSH key pair?
– Mark B
Aug 10 at 17:14





@MarkB then I was a bit confused about the process. Now I have got myself clear about the scenario.
– Ladoo
Aug 10 at 18:38



The IAM role is assigned to the entire EC2 instance. Any code running on that EC2 instance gets the IAM role. The IAM role is completely unrelated to the SSH account you use to log in to the EC2 instance.





I agree with what you say, but when I SSH I do not provide my credentials to verify. I may be anyone who luckily got access to the keypair and public IP of that particular EC2 instance.
– Ladoo
Aug 10 at 14:42





How is the above taken care of?
– Ladoo
Aug 10 at 14:43





The key pair is the credentials... You should be keeping your secret SSH key file as secure as a password.
– Mark B
Aug 10 at 15:05
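The mechanism both answers describe (the role belongs to the instance, not to the SSH user, and the CLI picks the credentials up without asking) is what the instance metadata service provides. As an added example that is not part of either answer, here is a Python model of the IMDSv2 exchange the AWS CLI performs; the metadata service is simulated in-process with constructed values and a hypothetical role name so it runs offline, and it refuses token-less requests the way an instance configured with http-tokens=required does.

```python
import json
import secrets
from datetime import datetime, timedelta, timezone

ROLE_NAME = "ExampleS3ReadRole"  # assumption: the role attached to the instance
TOKEN_HDR = "X-aws-ec2-metadata-token"
_tokens = {}  # simulated server state: session token -> expiry

def imds(method, path, headers=None):
    """Simulated IMDSv2 endpoint with http-tokens=required. Returns (status, body)."""
    headers = headers or {}
    now = datetime.now(timezone.utc)
    if method == "PUT" and path == "/latest/api/token":
        ttl = int(headers.get(TOKEN_HDR + "-ttl-seconds", 0))
        if not 1 <= ttl <= 21600:
            return 400, "Bad Request"
        tok = secrets.token_urlsafe(32)
        _tokens[tok] = now + timedelta(seconds=ttl)
        return 200, tok
    tok = headers.get(TOKEN_HDR)
    if tok not in _tokens or _tokens[tok] < now:
        return 401, "Unauthorized"  # token-less (IMDSv1-style) GET is refused
    if path == "/latest/meta-data/iam/security-credentials/":
        return 200, ROLE_NAME
    if path == "/latest/meta-data/iam/security-credentials/" + ROLE_NAME:
        # Same document shape as the real service: short-lived, auto-rotated keys
        # plus a session Token, not anyone's long-lived user access key.
        expiry = (now + timedelta(hours=6)).strftime("%Y-%m-%dT%H:%M:%SZ")
        return 200, json.dumps({
            "Code": "Success", "Type": "AWS-HMAC", "Expiration": expiry,
            "AccessKeyId": "ASIACONSTRUCTEDEXAMPLE",        # constructed value
            "SecretAccessKey": "constructed/secret/value",  # constructed value
            "Token": "constructed.session.token",           # constructed value
        })
    return 404, "Not Found"

def fetch_role_credentials():
    """The steps the AWS CLI/SDK credential chain takes when no keys are configured."""
    status, token = imds("PUT", "/latest/api/token", {TOKEN_HDR + "-ttl-seconds": "60"})
    if status != 200:
        raise RuntimeError("could not obtain an IMDSv2 token")
    auth = {TOKEN_HDR: token}
    status, role = imds("GET", "/latest/meta-data/iam/security-credentials/", auth)
    if status != 200:
        raise RuntimeError("no IAM role attached to this instance")
    status, body = imds("GET", "/latest/meta-data/iam/security-credentials/" + role, auth)
    creds = json.loads(body)
    creds["RoleName"] = role  # every process on the instance resolves this same identity
    return creds
```

Because the credentials are issued to the instance rather than to a person, restricting who can reach the box (SSH keys, security groups) and keeping the role's policy minimal are the controls that matter, which is the point Mark B makes in the comments.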






