Home > Blockchain >  AWS credentials missing when running userdata in a new EC2
AWS credentials missing when running userdata in a new EC2

Time:08-13

Using terraform scripts, I create a new EC2, add policy to access an S3 bucket, and supply a userdata script that runs aws s3 cp s3://bucket-name/file-name . to copy a file from that S3 bucket, among other commands.

In /var/log/cloud-init-output.log I see fatal error: Unable to locate credentials, presumably caused by executing aws s3 cp ... line. When I execute the same command manually on the EC2 after it's been created, it works fine (which means the EC2 policy for bucket access is correct).

Any ideas why the aws s3 cp command doesn't work during userdata execution but works when the EC2 is already created? Could it be that the S3 access policy is only applied to the EC2 after the EC2 has been fully created (and after userdata has been run)? What should be the correct workaround?

data "aws_iam_policy_document" "ec2_assume_role" {

  statement {
    effect = "Allow"
    actions = [
      "sts:AssumeRole",
    ]
    principals {
      type        = "Service"
      identifiers = [
        "ec2.amazonaws.com",
      ]
    }
  }
}

resource "aws_iam_role" "broker" {
  name                  = "${var.env}-broker-role"
  assume_role_policy    = data.aws_iam_policy_document.ec2_assume_role.json
  force_detach_policies = true
}

resource "aws_iam_instance_profile" "broker_instance_profile" {
  name = "${var.env}-broker-instance-profile"
  role = aws_iam_role.broker.name
}

resource "aws_iam_role_policy" "rabbitmq_ec2_access_to_s3_distro" {
 name = "${env}-rabbitmq_ec2_access_to_s3_distro"
 role = aws_iam_role.broker.id
 policy = data.aws_iam_policy_document.rabbitmq_ec2_access_to_s3_distro.json
}

data "aws_iam_policy_document" "rabbitmq_ec2_access_to_s3_distro" {
 statement {
   effect = "Allow"
   actions = [
     "s3:GetObject",
     "s3:GetObjectVersion"
   ]
   resources = ["arn:aws:s3:::${var.distro_bucket}", "arn:aws:s3:::${var.distro_bucket}/*"]
 }
}


resource "aws_instance" "rabbitmq_instance" {
  iam_instance_profile   = ${aws_iam_instance_profile.broker_instance_profile.name}
  ....
}

CodePudding user response:

This sounds like a timing issue where cloud-init is executed before the EC2 profile is set/ready to use. In your cloud-init script, I would make a loop to run a particular AWS cli command or even use the metadata server to retrieve information about the IAM credentials of the EC2 instance.

As the documentation states, you receive the following response when querying the endpoint http://169.254.169.254/latest/meta-data/iam/security-credentials/iam_role_name:

{
  "Code" : "Success",
  "LastUpdated" : "2012-04-26T16:39:16Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "ASIAIOSFODNN7EXAMPLE",
  "SecretAccessKey" : "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
  "Token" : "token",
  "Expiration" : "2017-05-17T15:09:54Z"
}

So your cloud-init/user-data script could wait until the Code attribute equals to Success and then proceed with the other operations.

  • Related