[ec2-beta] Get AWS keys from within instance?

[Eric Hammond]

Darren:

You will need to pass the keys in to the instance yourself, either
through the user-data parameter at startup, through scp/rsync/ssh, by
bundling your own instance with the keys on the image, or by letting the
instance download the keys securely from some external source (which
again requires some sort of authentication be secure).

You might also consider using a combination of these where one of the
methods provides the keys encrypted and the other method provides the
decryption passphrase.  This reduces your exposure if only one of the
mechanisms is compromised.

Note that user-data is accessible to any user on the instance and may be
accessible to users outside the instance if you are running, say, a web
server which allows people to download URLs and view them, or is
configured as a proxy.

It is also impossible to clear user-data during the lifetime of the
instance.

Though Amazon clears disk storage between uses by different accounts,
you may still want to encrypt private information you store on a disk or
securely clear it after use with a command like "wipe".

--
Eric Hammond
ehammond at thinksome.com



Darren Govoni wrote:
> Hi,
>   In my ongoing effort to auto-configure my Ubuntu EC2 image on-the-fly
> I find a need to get the AWS keys associated with the account under
> which the instance is booting. This is so the services I run inside the
> instance have the correct keys to communicate back to AWS without
> requiring them to come from the user or some other untrusted source. 
> 
> Is it possible (similar to the metadata link) to get the keys from
> within the instance?
> 
> Thank you!
> Darren
> 
>