amazon web services - Does AWS cfn-init need a Profile/Role for DescribeStackResource? -

-

from this page:

to use aws cloudformation bootstrap features, need provide aws credentials bootstrap scripts. recommend assign iam role on ec2 instance when instance launched.

this seems pretty straightforward, when @ example on place in aws documents, never set roles or profiles this. example, here.

what missing? there scenarios cfn-init requires permissions while not in others?

no, no longer need add cloudformation:describestackresource policies of role associated instance profile in order access cloudformation metadata. scripts such cfn-get-metadata , cfn-init authorized using special cfn header instead of standard aws authorization header. request cfn scripts looks this:

# command succeeds regardless of instance profile cfn-get-metadata --region us-west-1 --stack cftest --resource launchconfig  --key aws::cloudformation::init  /?action=describestackresource&stackname=cftest&version=2010-05-15&contenttype=json&logicalresourceid=launchconfig http/1.1 host: cloudformation.us-west-1.amazonaws.com connection: keep-alive accept: application/json accept-encoding: gzip, deflate authorization: cfn_v1 ewogicjwcml2yxrlsx(truncated)==:b9zm3/enzex(truncated)= user-agent: cloudformation tools

the cfn authorization header concatenation of http://169.254.169.254/latest/dynamic/instance-identity/document , http://169.254.169.254/latest/dynamic/instance-identity/signature , allows instance view cloudformation metadata own stack.

in contrast, request uses instance profile looks this:

# command fails if don’t have cloudformation:describestackresource permission! aws cloudformation --region us-west-1 describe-stack-resource --stack-name cftest --logical-resource-id launchconfig  post / http/1.1 host: cloudformation.us-west-1.amazonaws.com accept-encoding: identity content-length: 95 x-amz-date: 20160630t010040z user-agent: aws-cli/1.10.43 python/2.7.11+ linux/4.4.0-28-generic botocore/1.4.33 x-amz-security-token: fqody(truncated-token)= content-type: application/x-www-form-urlencoded authorization: aws4-hmac-sha256 credential=asia(truncated)/20160630/us-west-1/cloudformation/aws4_request, signedheaders=host;x-amz-date;x-amz-security-token, signature=fbad7aeef75186cb18bbd44810c4d0379d7d1cf1b8a80be14ea1e3192d2ec531  action=describestackresource&stackname=cftest&version=2010-05-15&logicalresourceid=launchconfig

the instance profile temporary credentials fetched http://169.254.169.254/latest/meta-data/iam/security-credentials/ described in iam roles ec2.

(note: collect these requests, ran nc -l 80 & , ran cfn-get-metadata --url http://localhost , aws --endpoint-url http://localhost.)

this cfnsigner functionality added client between aws-cfn-bootstrap-1.1 (2012-03) , aws-cfn-bootstrap-1.3.6 (2012-09). prior 2012, did need use role cloudformation:describestackresource permission, described in 2011 document boostrapping applications aws cloudformation. note cfn-* scripts use cfnsigner; if want use aws cloudformation, need make sure roles allow it.


Comments

Post a Comment

Popular posts from this blog

How to run C# code using mono without Xamarin in Android? -

-
i want create program uses mono runtime run c# code (binary not application). i copied libmono.so unity app , i'm write code using documentation: http://www.mono-project.com/docs/advanced/embedding/ and it's working have problems references can access classes mscorlib.dll , have problems system.reflection.assembly class throwing exception, when print console see: system.missingmethodexception: method not found: 'system.reflection.assembly.op_inequality' can fix it? can use mono runtime in c binary on android? ps. i'm using android tests. edit: found solution loading libraries, need set environment variable mono_path libraries path. but have still problems assembly class. the system.missingmethodexception error have seems .net profile mismatch error, 1 explained here . can use mono runtime in c binary on android? yes, using ndk guess. there alternatives can use instead of rolling own, such xmadevlab .
Read more

c# - SharpSsh Command Execution -

-
Image
i trying create ssh client using c#. using tamir.sharpssh library. having issues sending command , getting appropriate response server. the way have been testing sending on ls command, followed cd.. command, followed ls command again -- see whether or not cd.. command being executed properly. however, there no difference between first ls command , second ls command. not entirely sure doing wrong. perhaps using wrong ssh type. have provided code , output getting. have added output expect. using tamir.sharpssh; namespace sshnetexample { class program { static void main(string[] args) { sshexec ssh = null; try { console.write("-connecting..."); ssh = new sshexec(host, username, password); ssh.connect(); console.writeline("ok ({0}/{1})", ssh.cipher, ssh.mac); console.writeline("server version={0}, client versio...
Read more

python - Specify path of savefig with pylab or matplotlib -

-
i struggling on how find correct way specify save path (or repository) when calling function savefig in matplotlib or pylab. i tried several syntaxes, everytime python console returns : filenotfounderror: [errno 2] no such file or directory: '../mydocs/resource/frames/myimage.png' currently, have written following : pylab.savefig('../mydocs/resource/frames/myimage.png') does know how it? thanks in advance! the tilde operator , variable $home entered strings , therefore not function while saving. have provide either relative path (as did) or provide full path. eg. pylab.savefig("/home/username/desktop/myfig.png") .
Read more