Is AWS cfn-init profile / role required for DescribeStackResource?

From this page:

To use AWS CloudFormation boot functions, you need to provide AWS credentials for bootstrap scripts. We strongly recommend that you assign an IAM role for an EC2 instance when starting the instance.

This seems pretty straightforward, but when I look at any example from all over the AWS docs, they never set up roles or profiles for this. For example, here.

What am I missing? Are there any scenarios in which cfn-init requires additional permissions and not others?

+4

, : DescribeStackResource , , CloudFormation. , cfn-get-metadata cfn-init, CFN AWS. CFN :

# This command succeeds regardless of your instance profile
cfn-get-metadata --region us-west-1 --stack cftest --resource LaunchConfig  --key AWS::CloudFormation::Init

GET /?Action=DescribeStackResource&StackName=cftest&Version=2010-05-15&ContentType=JSON&LogicalResourceId=LaunchConfig HTTP/1.1
Host: cloudformation.us-west-1.amazonaws.com
Connection: keep-alive
Accept: application/json
Accept-Encoding: gzip, deflate
Authorization: CFN_V1 ewogICJwcml2YXRlSX(truncated)==:b9ZM3/EnzeX(truncated)=
User-Agent: CloudFormation Tools

CFN http://169.254.169.254/latest/dynamic/instance-identity/document http://169.254.169.254/latest/dynamic/instance-identity/signature CloudFormation .

, , :

# This command fails if you don’t have cloudformation:DescribeStackResource permission!
aws cloudformation --region us-west-1 describe-stack-resource --stack-name cftest --logical-resource-id LaunchConfig

POST / HTTP/1.1
Host: cloudformation.us-west-1.amazonaws.com
Accept-Encoding: identity
Content-Length: 95
X-Amz-Date: 20160630T010040Z
User-Agent: aws-cli/1.10.43 Python/2.7.11+ Linux/4.4.0-28-generic botocore/1.4.33
X-Amz-Security-Token: FQoDY(truncated-token)=
Content-Type: application/x-www-form-urlencoded
Authorization: AWS4-HMAC-SHA256 Credential=ASIA(truncated)/20160630/us-west-1/cloudformation/aws4_request, SignedHeaders=host;x-amz-date;x-amz-security-token, Signature=fbad7aeef75186cb18bbd44810c4d0379d7d1cf1b8a80be14ea1e3192d2ec531

Action=DescribeStackResource&StackName=cftest&Version=2010-05-15&LogicalResourceId=LaunchConfig

http://169.254.169.254/latest/meta-data/iam/security-credentials/, IAM EC2.

(: , nc -l 80 & cfn-get-metadata --url http://localhost aws --endpoint-url http://localhost.)

CFNSigner aws-cfn-bootstrap-1.1 (2012-03) aws-cfn-bootstrap-1.3.6 (2012-09). 2012 : DescribeStackResource, 2011 Bootstrapping Applications With AWS CloudFormation. , cfn-* CFNSigner; aws cloudformation, , .

+4
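
As an added example (not part of the original answer and not code from aws-cfn-bootstrap), the following Python classifies a captured Authorization header as one of the two schemes shown in the requests above. It assumes the CFN_V1 value is the base64-encoded instance identity document, a colon, then the signature; the sample headers and the name classify_authorization are constructed for illustration.

```python
import base64
import json
import re

# Constructed sample headers (not captured values): a CFN_V1 header built from a
# made-up identity document, and a SigV4 header with a placeholder key ID.
SAMPLE_DOC = {"privateIp": "10.0.0.5", "instanceId": "i-0123456789abcdef0", "region": "us-west-1"}
SAMPLE_CFN = "CFN_V1 " + base64.b64encode(json.dumps(SAMPLE_DOC).encode()).decode() + ":c2lnbmF0dXJl"
SAMPLE_SIGV4 = ("AWS4-HMAC-SHA256 Credential=ASIAEXAMPLEKEYID0000/20160630/us-west-1/"
                "cloudformation/aws4_request, SignedHeaders=host;x-amz-date;x-amz-security-token, "
                "Signature=" + "0" * 64)

SIGV4_RE = re.compile(
    r"Credential=(?P<key>[A-Z0-9]+)/(?P<date>\d{8})/(?P<region>[^/]+)/(?P<service>[^/]+)/aws4_request")


def classify_authorization(header):
    """Return a dict describing which credential source signed the request."""
    scheme, _, rest = header.strip().partition(" ")
    if scheme == "CFN_V1":
        # Assumed layout: base64(identity document) ':' signature.
        # ':' is not in the base64 alphabet, so the first ':' is the separator.
        doc_b64, sep, signature = rest.partition(":")
        if not sep or not signature:
            return {"scheme": scheme, "valid": False, "reason": "missing signature"}
        try:
            doc = json.loads(base64.b64decode(doc_b64, validate=True))
            if not isinstance(doc, dict):
                raise ValueError("identity document is not a JSON object")
        except ValueError:
            return {"scheme": scheme, "valid": False, "reason": "undecodable document"}
        return {"scheme": scheme, "valid": True, "source": "instance-identity",
                "uses_iam_credentials": False, "instance_id": doc.get("instanceId")}
    if scheme == "AWS4-HMAC-SHA256":
        m = SIGV4_RE.search(rest)
        if not m:
            return {"scheme": scheme, "valid": False, "reason": "no credential scope"}
        # ASIA-prefixed key IDs are temporary (STS) credentials, e.g. from a role.
        return {"scheme": scheme, "valid": True, "source": "iam-credentials",
                "uses_iam_credentials": True, "service": m["service"],
                "region": m["region"], "temporary": m["key"].startswith("ASIA")}
    return {"scheme": scheme, "valid": False, "reason": "unknown scheme"}


if __name__ == "__main__":
    for h in (SAMPLE_CFN, SAMPLE_SIGV4):
        print(classify_authorization(h))
```
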

cloud-init AWS- , CFN.

AWS, / cfn-init IAM EC2, cfn-init script AWS- IAM.

: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html

, cfn-init, , IAM, , / cfn-init.

0
