我使用CloudFormation来管理一个Tomcat Web服务器堆栈，但我厌倦了原始AMI管理新的应用程序版本。我想在厨师的方向移动，但没有足够的时间，现在。相反，我打天下的Web服务器实例化一个简单的问题：我如何可以下载一个当前WAR当新机器旋转式

I'm using CloudFormation to manage a Tomcat webserver stack but am tired of doing raw AMI management for new application versions. I'd like to move in the direction of Chef but don't have the time right now. Instead, I'm trying to conquer a simple problem in webserver instantiation: How can I download a "current" WAR when new machines spin-up?

我的想法是利用私人S3水桶和cloudinit，但我是一个一点做什么用IAM凭证难住了。我可以把它们放在模板的用户数据，但我讨厌这样做，尤其是因为我的版本控制的文件。唯一的选择我能想到的是在AMI本身使用环境变量。他们会必须是明文，但是......呃，如果你能闯进我的情况下，你可以压缩并且下载我的整个网络服务器。只要IAM用户没有重用为别的，并定期轮换，这似乎是一个合理的方式来解决这个问题。我缺少什么？我怎样才能安全地下载一个私人S3资产使用cloudinit？

My thought was to utilize a private S3 bucket and cloudinit, but I'm a little stumped by what to do with IAM credentials. I could put them in the template's user data, but I'm loathe to do so, particularly because I'm version controlling that file. The only alternative I can think of is to use environment variables in the AMI itself. They'd have to be plaintext, but... eh, if you can break into my instance, you could zip up and download my entire webserver. As long as the IAM user isn't reused for anything else and is rotated regularly, it seems like a reasonable way to solve the problem. Am I missing anything? How can I securely download a private S3 asset using cloudinit?

推荐答案

亚马逊最近宣布了一项新的功能，您可以给IAM角色到你的EC2实例。这使得它很容易让具体的实例有权限读取特定的S3资源。

Amazon recently announced a new feature where you can give "IAM roles" to your EC2 instances. This makes it fairly easy to allow specific instances to have permission to read specific S3 resources.

下面是他们的博客文章宣布了新的功能：

Here's their blog post announcing the new feature:

http://aws.typepad.com/aws/2012/06/iam-roles-for-ec2-instances-simplified-secure-access-to-aws-service-apis-from-ec2.html

这里的EC2文档中的部分：

Here's the section in the EC2 documentation:

http://docs.amazonwebservices.com/AWSEC2/latest/UserGuide/UsingIAM.html#UsingIAMrolesWithAmazonEC2Instances

这里的IAM文档中的部分：

Here's the section in the IAM documentation:

http://docs.amazonwebservices.com/IAM/latest/UserGuide/WorkingWithRoles.html

IAM角色提供给通过HTTP实例的凭证，以便在实例上运行的任何用户或进程可以看到它们。

IAM roles make the credentials available to the instance through HTTP, so any users or processes running on the instance can see them.