MIQ on EC2, Installation instruction IAM Role supported?


#1

This is not a new topic, but I can't find any answers since Dec 2015. I would like to deploy MIQ on AWS EC2. What are my options besides Docker to ECC and importing a VHD?
Also, when running MIQ on AWS, are roles supported? Using access keys is not best practice.

Thanks

Ramon


#2

Also, when running MIQ on AWS, are roles supported? Using access keys is not best practice.

What do you mean exactly? You don't have to use an access key with root access, but an IAM profiled key is enough.


#3

I should have said that using IAM user access keys to access AWS resources from an application is not best practice, and certainly using long-term keys is not.

AWS best practice is to use Roles when accessing from an application.
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html

With IAM access keys, key rotation (which hopefully gets implemented by anyone using them) forces a configuration change in MIQ every time keys are rotated.
Also, storing long-term keys with an application is not a good idea.

IAM role keys automatically expire every hour, and this is configurable to expire even sooner. You don't need to provide, share, store, etc. keys since they can be obtained from the instance metadata (this is how BOTO3 and other AWS SDKs do it).

Not to mention that many organizations don't use IAM users or IAM user keys; we use Federation and IAM roles.

Ramon


#4

Thanks for the clarification; AFAIK this is not supported yet.

We connect to AWS via their ruby-sdk and indeed use AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY - see http://docs.aws.amazon.com/sdkforruby/api/index.html#Configuration

@bascar @blomquisg maybe this is something we want to look into?
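
Added example (not part of the thread, and not ManageIQ or AWS SDK code): a Ruby illustration of the behaviour described in post #3, where an application reads temporary role credentials from the instance metadata document and refetches them shortly before they expire, instead of storing the AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY pair mentioned in post #4. The class, method and constant names and the sample document values are assumptions constructed for illustration, and the fetch step is injected so the code runs offline.

```ruby
require 'json'
require 'time'

# Temporary role credentials as served by the EC2 instance metadata service at
# /latest/meta-data/iam/security-credentials/<role-name>.
RoleCredentials = Struct.new(:access_key_id, :secret_access_key, :session_token, :expiration) do
  def expires_within?(seconds, now)
    expiration - now <= seconds
  end
end

# Hypothetical provider (not ManageIQ or aws-sdk code). `fetch` is any callable
# returning the JSON credentials document, so the class runs offline; on an
# instance it would wrap the HTTP GET to the metadata service.
class InstanceRoleProvider
  REFRESH_MARGIN = 300 # seconds: refresh when under 5 minutes remain

  def initialize(fetch, clock: -> { Time.now })
    @fetch = fetch
    @clock = clock
    @cached = nil
  end

  # Returns cached credentials, refetching only when they are close to expiry.
  def credentials
    refresh! if @cached.nil? || @cached.expires_within?(REFRESH_MARGIN, @clock.call)
    @cached
  end

  private

  def refresh!
    doc = JSON.parse(@fetch.call)
    raise "metadata service returned #{doc['Code'].inspect}" unless doc['Code'] == 'Success'
    creds = RoleCredentials.new(doc.fetch('AccessKeyId'), doc.fetch('SecretAccessKey'),
                                doc.fetch('Token'), Time.iso8601(doc.fetch('Expiration')))
    raise 'metadata service returned expired credentials' if creds.expiration <= @clock.call
    @cached = creds
  end
end

# Constructed sample document with fake values, shaped like the service's response.
def sample_document(key_id, expiration)
  JSON.generate('Code' => 'Success', 'Type' => 'AWS-HMAC', 'AccessKeyId' => key_id,
                'SecretAccessKey' => 'EXAMPLE-SECRET', 'Token' => 'EXAMPLE-TOKEN',
                'Expiration' => expiration.utc.iso8601)
end
```

Nothing is written to the application's configuration here, so rotation needs no change on the application side. The AWS SDK for Ruby provides its own `Aws::InstanceProfileCredentials` class for the same purpose.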