在EC2实例中使用AWS CLI时,如何指定要使用实例配置文件凭证?文档说:
How do I specify that I want to use Instance profile credentials when using the AWS CLI from within my EC2 instance? the docs say:
Instance profile credentials – these credentials can be used on EC2 instances with an assigned instance role, and are delivered through the Amazon EC2 metadata service.这是自动的还是我需要调用元数据服务并将返回的凭据保存到〜/.aws/credentials 文件...然后进行呼叫?
Is this automatic or do I need to call the metadata service and save the returned credentials to the ~/.aws/credentials file...then make the call?
推荐答案您正在谈论的是 IAM角色.这些附加到EC2实例,并且密钥每四个小时滚动/旋转一次.
You are talking about IAM Roles. These are attached to the EC2 instance and the keys are rolled/rotated every four hours.
您不需要从实例元数据中提取它们并将其提供给aws-cli或SDK,它们会自动将其提取.
You do not need to pull those from the instance metadata and supply it to the aws-cli or a SDK, they will pull it automatically.
如果使用-debug 标志运行aws-cli,您应该会看到凭证被提取:
If you run aws-cli with the --debug flag, you should see the credentials being picked up:
$ aws --debug s3 ls ... 2015-03-10 18:15:04,459 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: iam-role 2015-03-10 18:15:04,465 - MainThread - botocore.vendored.requests.packages.urllib3.connectionpool - INFO - Starting new HTTP connection (1): 169.254.169.254 2015-03-10 18:15:04,466 - MainThread - botocore.vendored.requests.packages.urllib3.connectionpool - DEBUG - "GET /latest/meta-data/iam/security-credentials/ HTTP/1.1" 200 37 2015-03-10 18:15:04,468 - MainThread - botocore.vendored.requests.packages.urllib3.connectionpool - INFO - Starting new HTTP connection (1): 169.254.169.254 2015-03-10 18:15:04,469 - MainThread - botocore.vendored.requests.packages.urllib3.connectionpool - DEBUG - "GET /latest/meta-data/iam/security-credentials/myrole-snipped HTTP/1.1" 200 898 2015-03-10 18:15:04,469 - MainThread - botocore.credentials - INFO - Found credentials from IAM Role: myrole-snipped更多推荐
使用实例配置文件凭证的AWS CLI
发布评论