What is IAM?
IAM can also keep your account credentials private. With IAM, you can create multiple IAM users under the umbrella of your AWS account or enable temporary access through identity federation with your corporate directory. In some cases, you can also enable access to resources across AWS accounts.
Watch this short video to understand IAM:
IAM Features:
IAM provides important features such as shared access to your AWS account, granular permissions, secure access to AWS resources for applications that run on Amazon EC2, multi-factor authentication (MFA), and more.
For more details visit:
Accessing IAM:
You can work with AWS Identity and Access Management in any of the following ways:
1- AWS Management Console
2- AWS Command Line Tools
3- AWS SDKs
4- IAM HTTPS API
For details visit:
Why IAM?
Without IAM, you must create multiple AWS accounts and share the security credentials of each AWS account. In addition, without IAM you cannot control which tasks a particular user or system can perform or which AWS resources they may use.
Let's take a scenario where I have an application that accesses an S3 bucket to store content. The diagram below illustrates this scenario:
You can see the following process in the diagram above:
1- A Java web application is running on an EC2 instance.
2- A user uses the application to upload content to an Amazon S3 bucket.
3- The Java web application holds the access key and secret key needed to access the S3 bucket. These keys are always distributed with the application so that it can connect to the S3 bucket.
If you are using the JetS3t library to connect to the S3 bucket, you would use:
S3Service s3Service = new RestS3Service(new AWSCredentials("xxxx", "yyy/zzz"));
If you are using the AWS SDK library to connect to the S3 bucket, you would use:
AWSCredentials credentials = new BasicAWSCredentials("xxxx", "yyy/zzz");
// create a client connection using the hard-coded keys
AmazonS3 s3client = new AmazonS3Client(credentials);
4- The Java web application uses the keys to access the bucket and processes the user's request to upload the content to the S3 bucket.
So you can clearly see that every time the application is deployed to a new environment, you have to distribute the access keys along with the application, which is not a best practice.
Let's see how IAM solves the above problem. The diagram below illustrates the solution:
You can see the following process in the diagram above:
1- An application is running on an EC2 instance, and the EC2 instance is configured with an IAM role "writeAccessS3_Role".
2- A user uses the application to upload content to an Amazon S3 bucket.
3- At this point, when the application gets the request to upload content to the S3 bucket, it queries the EC2 instance metadata and retrieves the credentials for the role assigned to the EC2 instance.
// Create a client connection; the provider fetches the role's temporary credentials from EC2 instance metadata
AmazonS3 s3client = new AmazonS3Client(new InstanceProfileCredentialsProvider());
4- AWS returns credentials based on the role mapped to the EC2 instance where the application is running.
5- The Java application uses these credentials to access the bucket and processes the user's request to upload the content to the S3 bucket.
6- In this case the whole operation is role based; the application cannot perform any operation that is not associated with the role.
7- If the role has only read-only permission, the application cannot upload content. Hence a role called "writeAccessS3_Role" is created and mapped to the EC2 instance.
So you can see that now we don't have to distribute credentials with the application; we only need to create a role, map the EC2 instance to it, and we are done. Impressive, isn't it?
Note: You can take advantage of IAM roles only if the application is running on an EC2 instance.
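To make the role-based flow above concrete, here is an added example (not code from the original post) using the AWS SDK for Java v1 classes the post already uses. It assumes a bucket named example-bucket (a constructed placeholder) and an application that is sometimes run outside EC2, where the Note says roles are unavailable: the provider chain tries the instance-profile (role) credentials first and falls back to environment variables, so no access key literal ever lives in the code; it also checks that the credentials in use are temporary session credentials, and treats the 403 that a read-only role produces on upload (step 7 above) as a policy failure rather than a crash.

```java
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.AWSCredentialsProviderChain;
import com.amazonaws.auth.AWSSessionCredentials;
import com.amazonaws.auth.EnvironmentVariableCredentialsProvider;
import com.amazonaws.auth.InstanceProfileCredentialsProvider;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3Client;
import com.amazonaws.services.s3.model.AmazonS3Exception;

public class RoleBasedS3Upload {
    // Constructed placeholder bucket name, not from the original post.
    private static final String BUCKET = "example-bucket";

    // Role credentials from EC2 instance metadata first; environment
    // variables only as the fallback for runs outside EC2. No key literals.
    static AWSCredentialsProvider credentialsProvider() {
        return new AWSCredentialsProviderChain(
                new InstanceProfileCredentialsProvider(),
                new EnvironmentVariableCredentialsProvider());
    }

    // Role credentials are temporary session credentials (they carry a token);
    // a long-lived access key is not, so this detects a static key leaking in.
    static boolean usingRoleCredentials(AWSCredentialsProvider provider) {
        AWSCredentials creds = provider.getCredentials();
        return creds instanceof AWSSessionCredentials;
    }

    // Upload one object. A role with only read access (e.g. the S3 read-only
    // policy template) makes S3 answer 403 AccessDenied: report it, do not crash.
    static boolean upload(AmazonS3 s3, String key, String body) {
        try {
            s3.putObject(BUCKET, key, body);
            return true;
        } catch (AmazonS3Exception e) {
            if (e.getStatusCode() == 403) {
                System.err.println("upload denied by role policy: " + e.getErrorCode());
                return false;
            }
            throw e;
        }
    }

    public static void main(String[] args) {
        AWSCredentialsProvider provider = credentialsProvider();
        System.out.println("role-based credentials: " + usingRoleCredentials(provider));
        System.out.println("upload ok: " + upload(new AmazonS3Client(provider), "hello.txt", "hello"));
    }
}
```

On an instance without an attached role, and with no AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY in the environment, the chain throws when credentials are first requested, which is the correct failure: the application has no fallback secret to leak.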
Configuring IAM:
Follow the steps given below.
Create an IAM role that grants read-only access to Amazon S3:
1. Open the IAM console.
2. In the navigation pane, click Roles, and then click Create New Role.
3. Enter a name for the role, and then click Next Step. Remember this name, as you'll need it when you launch your EC2 instance.
4. On the Select Role Type page, under AWS Service Roles, select Amazon EC2.
5. On the Set Permissions page, under Select Policy Template, select Amazon S3 Read Only Access. Click Next Step.
6. On the Review page, click Create Role.
Launch an EC2 instance and specify your IAM role:
You can launch an EC2 instance with an IAM role using the Amazon EC2 console or the SDK for Java.
1- To launch an EC2 instance using the console, follow the directions in Launch an EC2 Instance in the Amazon EC2 User Guide for Linux Instances. When you reach the Review Instance Launch page, click Edit instance details. In IAM role, specify the IAM role that you created previously. Complete the procedure as directed. Note that you'll need to create or use an existing security group and key pair in order to connect to the instance.
2- To launch an EC2 instance with an IAM role using the SDK for Java, see Run an Amazon EC2 Instance.
Refer to the video below to see how to create an IAM role and map it to an EC2 instance:
I have created a utility in Java which can perform operations on Amazon S3 buckets using secret keys as well as an IAM role.
How do I get the usable jar?
1- Download a stable version from the Maven Central Repository.
Download from Maven Central:
How do I get the project?
1- Visit my GitHub repository.
Note: Set your access keys before building in order to pass the test cases, or skip the tests with the -Dmaven.test.skip=true parameter.
To skip the tests, e.g.: mvn clean install -Dmaven.test.skip=true
3- For testing IAM services on an EC2 instance that is already mapped to an IAM role, use the default constructor to create an instance of AwsS3IamService.
Example:
AwsS3IamService awsS3IamService = new AwsS3IamServiceImpl();
4- For testing IAM services anywhere else, use the parameterized constructor to create an instance of AwsS3IamService.
Example:
AwsS3IamService awsS3IamService = new AwsS3IamServiceImpl(AWS_ACCESS_KEY, AWS_SECRET_KEY);
5- You will get the usable aws-s3-utils.jar file and documentation.