I can connect to an ec2 instance in 2 ways:

  1. via SSH
  2. using the accessKey, secretKey, token and region via AWS CLI on my personal machine

When I run aws sts get-caller-identity (using the accessKey, secretKey and token FROM the ec2 instance via SSH), I get a slightly different UserId and assumed-role within the ARN. Attached below is an example:

aws sts get-caller-identity via SSH
{
    "UserId": "AAAAAAAAAAAAAAAAAAAAA:i-0b999999999999999",
    "Account": "739214605182",
    "Arn": "arn:aws:sts::739214605182:assumed-role/Test-Role-Ec2/i-0b999999999999999"
}

aws sts get-caller-identity via AWS CLI
{
    "UserId": "BBBBBBBBBBBB:aws:ec2-instance:i-0b999999999999999",
    "Account": "739214605182",
    "Arn": "arn:aws:sts::739214605182:assumed-role/aws:ec2-instance/i-0b999999999999999"
}

It seems like the AWS CLI is using my account credentials, while the ec2 instance is using the IAM Role I designated, which is Test-Role-Ec2.

Is it possible for AWS CLI to have the Test-Role-Ec2 IAM Role set?

I thought that if I imported the access key secret key and token, that I would assume the same role (Test-Role-EC2), despite being on AWS CLI.

2 Answers


  1. When you run the AWS CLI tool on your local machine, you are not connecting to the EC2 instance. You are connecting directly to the public AWS API from your local computer. The EC2 instance is not involved in any way with the AWS API calls you make from your local computer.

    I thought that if I imported the access key secret key and token, that I would assume the same role (Test-Role-EC2), despite being on AWS CLI.

    No, that is an incorrect assumption. Your assumption that the EC2 instance is in any way involved in this process is incorrect.

  2. Your issue may be related to how you’re querying the IMDSv1 within the EC2 instance. The second ARN you’re getting (from the AWS CLI) looks to be the role for a generic EC2 instance. I can get a similar value by querying the following endpoint, importing the keys outside the instance, and running get-caller-identity:

    curl http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance

    Instead start by querying the IAM info:

    $> curl http://169.254.169.254/latest/meta-data/iam/info
    {
        "Code" : "Success",
        "LastUpdated" : "2023-12-14T16:00:00Z",
        "InstanceProfileArn" : "arn:aws:iam::<accountID>:instance-profile/<rolename>",
        "InstanceProfileId" : "<profileID>"
    }

    That Profile ARN should give you the role name you’re looking for. Use that to query the role’s access keys:

    curl http://169.254.169.254/latest/meta-data/iam/security-credentials/<rolename>

    (As a side note: you may want to redact your account ID. They're not technically sensitive, but they do open you up to some enumeration and console login attacks.)
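
As an added example (not code from the thread or from AWS), the Python below tells the two ARNs in the question apart by the IMDS path that produced them and fetches the instance-profile role's credentials the way the second answer describes, using IMDSv2's token header instead of the IMDSv1 calls shown. The fetch assumes it runs on the instance itself; the ARN and credential-document parsing runs offline on a constructed, placeholder credential document.

```python
# Added example (not from the thread): classify a GetCallerIdentity ARN by the
# IMDS path it came from, and fetch the instance-profile role credentials (IMDSv2).
import json
import urllib.request

IMDS = "http://169.254.169.254"   # link-local metadata endpoint from the thread
ROLE_PATH = "/latest/meta-data/iam/security-credentials/"

def imdsv2_token(base=IMDS, timeout=2):
    # IMDSv2 requires a session token obtained with a PUT and a TTL header.
    req = urllib.request.Request(
        base + "/latest/api/token", method="PUT",
        headers={"X-aws-ec2-metadata-token-ttl-seconds": "21600"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()

def imds_get(path, token, base=IMDS, timeout=2):
    req = urllib.request.Request(
        base + path, headers={"X-aws-ec2-metadata-token": token})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()

def instance_role_credentials(base=IMDS):
    """(role_name, credential doc) from iam/security-credentials/<rolename>,
    not from identity-credentials/ec2/..., which yields 'aws:ec2-instance'."""
    token = imdsv2_token(base)
    role = imds_get(ROLE_PATH, token, base).strip()     # directory listing = role name
    return role, json.loads(imds_get(ROLE_PATH + role, token, base))

def classify_caller_arn(arn):
    """Say which IMDS credential path an assumed-role ARN came from."""
    parts = arn.split(":", 5)                    # keep ':' inside the resource part
    if len(parts) != 6 or parts[2] != "sts":
        return "not-an-sts-principal"
    resource = parts[5].split("/")
    if resource[0] != "assumed-role" or len(resource) < 3:
        return "not-an-assumed-role"
    if resource[1] == "aws:ec2-instance":
        return "ec2-instance-identity"           # from identity-credentials/ec2/...
    return "instance-profile-role:" + resource[1]  # from iam/security-credentials/<role>

def to_env_lines(creds):
    """Render an IMDS credential document as the three AWS CLI env assignments."""
    return ["AWS_ACCESS_KEY_ID=" + creds["AccessKeyId"],
            "AWS_SECRET_ACCESS_KEY=" + creds["SecretAccessKey"],
            "AWS_SESSION_TOKEN=" + creds["Token"]]

# Constructed sample credential document (placeholder values, not real keys).
SAMPLE_CREDS = {"Code": "Success", "Type": "AWS-HMAC", "Expiration": "2023-12-14T22:00:00Z",
                "AccessKeyId": "ASIAEXAMPLEPLACEHOLDER",
                "SecretAccessKey": "secret-placeholder", "Token": "token-placeholder"}
```

Running classify_caller_arn on both ARNs from the question shows the SSH result maps to the instance-profile role and the copied-key result to the internal ec2-instance identity, which is the mismatch the question describes.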
