Kivuli
Get AWS IAM role credentials in EC2
Synopsis
# In some application running on EC2
use Kivuli;
use WebService::AWS::S3;
my $k = Kivuli.new(role-name => 'my-iam-role');
my $s3 = WebService::AWS::S3.new(secret-access-key => $k.secret-access-key, access-key-id => $k.access-key-id, security-token => $k.token, region => 'eu-west-2');
# Do something with the S3
Description
This module enables access to AWS IAM role credentials from within an EC2 instance as described here.
The credentials supplied ( AWS_ACCES_KEY_ID
, AWS_SECRET_ACCESS_KEY
, AWS_SESSION_TOKEN
) can be used to authenticate with another AWS service that the role has been granted access to.
Because the credentials are supplied in a way that is private to the EC2 instance this is a more secure method of obtaining the credentials than, for example, putting them in a configuration file.
The token
must be supplied in the headers (or as a query parameter,) for requests to the service, however some services differ as to whether it should or shouldn't be part of the
signed headers in the request - please see the documentation for the service you are implementing for details.
Installation
Assuming you have a working rakudo installation then you should be able to install this with zef:
zef install Kivuli
Bear in mind that this will pass its tests and install outside an EC2 instance, which may be useful for example to build a Docker image to upload to AWS, but it will only work correctly on EC2.
Support
This has some fairly specific environmental dependencies, so before raising an issue please check:
- You are running your application in an AWS EC2 instance
- That you have created the IAM Role, given it the required permissions and associated it your EC2 instance.
Any suggestions/issues/etc can be posted to github and I'll see what I can do.
Licence and Copyright
This is free software please see the LICENCE in the distribution files.
© Jonathan Stowe 2021