[ec2-beta] Get AWS keys from within instance?

Darren Govoni darren at ontrenet.com
Mon Feb 2 23:12:26 GMT 2009


Thanks for the suggestions Eric.

My hope was that the instance operated in a trusted environment where it
itself could get access to the user's keys, similar to how Michael
suggested.

I was thinking of creating a reusable image others might find useful,
but in order for the bundled services to work out-of-the-box the keys
need to be configured internally. Passing them in could work, providing
they don't have to do it for every instance when spawning, say 50.

The possibility of user-data being visible externally from the instance is
a security risk though.

FWIW, I think the instance _should_ be able to get the public and
private key associated with the account it was launched under OR allow a
way to refer to them such that the instance can authenticate to AWS
without external keys. After all, it was launched from a trusted account
to begin with. But I'm still learning the ropes here - so ignorance is
still a factor. hehe.

Cheers,
Darren

On Mon, 2009-02-02 at 14:40 -0800, Eric Hammond wrote:
> Darren:
> 
> You will need to pass the keys in to the instance yourself, either
> through the user-data parameter at startup, through scp/rsync/ssh, by
> bundling your own instance with the keys on the image, or by letting the
> instance download the keys securely from some external source (which
> again requires some sort of authentication be secure).
> 
> You might also consider using a combination of these where one of the
> methods provides the keys encrypted and the other method provides the
> decryption passphrase.  This reduces your exposure if only one of the
> mechanisms is compromised.
> 
> Note that user-data is accessible to any user on the instance and may be
> accessible to users outside the instance if you are running, say, a web
> server which allows people to download URLs and view them, or is
> configured as a proxy.
> 
> It is also impossible to clear user-data during the lifetime of the
> instance.
> 
> Though Amazon clears disk storage between uses by different accounts,
> you may still want to encrypt private information you store on a disk or
> securely clear it after use with a command like "wipe".
> 
> --
> Eric Hammond
> ehammond at thinksome.com
> 
> 
> 
> Darren Govoni wrote:
> > Hi,
> >   In my ongoing effort to auto-configure my Ubuntu EC2 image on-the-fly
> > I find a need to get the AWS keys associated with the account under
> > which the instance is booting. This is so the services I run inside the
> > instance have the correct keys to communicate back to AWS without
> > requiring them to come from the user or some other untrusted source. 
> > 
> > Is it possible (similar to the metadata link) to get the keys from
> > within the instance?
> > 
> > Thank you!
> > Darren
> > 
> > 
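
Eric's "one channel carries the encrypted keys, the other carries the passphrase" suggestion, as an added example that is not code from the thread or from Amazon. It assumes an OpenSSL with `-pbkdf2` support (1.1.1 or later), a constructed credentials file with placeholder values rather than real keys, and a passphrase that reaches the instance over a second channel (typed into an ssh session after boot, or the reverse split with the passphrase in user-data and the blob fetched elsewhere). On a real instance the base64 blob would be read from http://169.254.169.254/latest/user-data; here the caller passes it in so the script runs offline.

```shell
#!/bin/sh
# Split delivery of AWS credentials to an EC2 instance (illustration only).
# The ciphertext rides in user-data, which every local user, and any service
# on the box that can be coaxed into fetching a URL, can read. The passphrase
# travels separately. Neither half alone yields the keys.
# All credential values below are constructed placeholders, not real keys.
set -eu

# --- operator side ----------------------------------------------------------
# Encrypt a credentials file under a passphrase and print one base64 line
# (-A) so it can be pasted straight into the user-data field at launch.
encrypt_for_userdata() {
  # $1 = plaintext credentials file, $2 = passphrase
  # The passphrase reaches openssl via the environment, not argv, so it does
  # not appear in `ps` output on the operator's machine.
  UD_PASS="$2" openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt -a -A \
    -pass env:UD_PASS -in "$1"
}

# --- instance side ----------------------------------------------------------
# Decrypt the blob taken from user-data into a file readable only by the
# invoking user (umask 077 inside a subshell so the caller's umask is kept).
decrypt_from_userdata() {
  # $1 = base64 ciphertext, $2 = passphrase, $3 = destination path
  printf '%s' "$1" | (
    umask 077
    UD_PASS="$2" openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 -a -A \
      -pass env:UD_PASS -out "$3"
  )
}

# Round trip on constructed sample credentials. Returns 0 when the instance
# side recovers exactly what the operator side encrypted and a wrong
# passphrase cannot reproduce the plaintext; returns 1 otherwise.
roundtrip_demo() {
  tmp=$(mktemp -d)
  cat > "$tmp/creds.txt" <<'EOF'
AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLEXX
AWS_SECRET_ACCESS_KEY=exampleSecretNotARealKey0000000000000000
EOF
  pass="correct horse battery staple"
  blob=$(encrypt_for_userdata "$tmp/creds.txt" "$pass")

  # The blob must be a single line: user-data is one opaque string.
  case "$blob" in *"
"*) rm -rf "$tmp"; return 1 ;; esac

  decrypt_from_userdata "$blob" "$pass" "$tmp/out.txt"
  if [ "$(cat "$tmp/creds.txt")" != "$(cat "$tmp/out.txt")" ]; then
    rm -rf "$tmp"; return 1
  fi

  # With the wrong passphrase openssl either reports "bad decrypt" (padding
  # check fails) or, rarely, emits garbage; it can never yield the plaintext.
  if decrypt_from_userdata "$blob" "wrong passphrase" "$tmp/bad.txt" 2>/dev/null \
     && [ "$(cat "$tmp/bad.txt")" = "$(cat "$tmp/creds.txt")" ]; then
    rm -rf "$tmp"; return 1
  fi

  rm -rf "$tmp"
  return 0
}

if roundtrip_demo; then
  echo "split-delivery round trip ok"
else
  echo "split-delivery round trip FAILED" >&2
  exit 1
fi
```

Two caveats follow from Eric's own points. User-data cannot be cleared during the instance's lifetime, so the ciphertext stays readable for as long as the instance runs; that is tolerable only while the passphrase stays secret, so the passphrase must not also end up in user-data, in the image, or in a world-readable shell history. And once decrypted, the keys sit on disk, so the output file should be removed (Eric mentions `wipe`) or kept on an encrypted volume after the services have loaded it. What Darren asks for, an instance credential tied to the launching account, is what Amazon later shipped as IAM instance roles; at the time of this thread a split delivery like the one above was the practical option.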
