AWS CLI, SDK, IAM role & policies - Coggle Diagram
EC2 instance metadata (IMDS)
URL:
http://169.254.169.254/latest/meta-data
purpose
allow EC2 instances to learn about themselves
without IAM role
restrict
can retrieve IAM role name
CANNOT retrieve IAM policy
version
v1
access the URL directly (plain GET, no token)
v2
2 steps
Get session token (PUT request)
Use session token in the X-aws-ec2-metadata-token header
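The IMDSv2 two-step exchange above, written out as an added example (not part of the mind map). The header and path names are the documented IMDSv2 ones; the FakeIMDS endpoint, its token and the role name are constructed so the script runs offline and shows why a token-less request is refused when v2 is enforced.

```python
"""IMDSv2 two-step fetch. Added example, not from the original mind map.
Header/path names are the documented IMDSv2 ones; FakeIMDS, its token and
role name are constructed stand-ins so this runs without an EC2 instance."""
import urllib.request

IMDS = "http://169.254.169.254"
TOKEN_HDR = "X-aws-ec2-metadata-token"            # step 2: present the token
TTL_HDR = "X-aws-ec2-metadata-token-ttl-seconds"  # step 1: ask for a token


def urllib_transport(method, url, headers):
    """Real transport; only works on an EC2 instance that can reach IMDS."""
    req = urllib.request.Request(url, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.status, resp.read().decode()


class FakeIMDS:
    """Constructed metadata service behaving like IMDSv2-required mode."""
    def __init__(self, role_name="constructed-role"):
        self.role_name, self.token, self.calls = role_name, "constructed-token", []

    def __call__(self, method, url, headers):
        self.calls.append((method, url, dict(headers)))
        if method == "PUT" and url == f"{IMDS}/latest/api/token" and TTL_HDR in headers:
            return 200, self.token
        if method == "GET" and headers.get(TOKEN_HDR) == self.token:
            return 200, self.role_name   # role name is readable with a token...
        return 401, ""                   # ...never without one (v1-style GET)


def get_metadata(path, transport=urllib_transport, ttl=21600):
    """Step 1: PUT for a session token; step 2: GET metadata with that token."""
    status, token = transport("PUT", f"{IMDS}/latest/api/token", {TTL_HDR: str(ttl)})
    if status != 200:
        raise RuntimeError(f"token request failed: HTTP {status}")
    status, body = transport("GET", f"{IMDS}/latest/meta-data/{path}", {TOKEN_HDR: token})
    if status != 200:
        raise RuntimeError(f"metadata request failed: HTTP {status}")
    return body


def iam_role_name(transport=urllib_transport):
    """The attached role's name is retrievable; the policy document is not."""
    return get_metadata("iam/security-credentials/", transport)


if __name__ == "__main__":
    fake = FakeIMDS()
    print(iam_role_name(fake))  # constructed-role
    print(fake("GET", f"{IMDS}/latest/meta-data/", {}))  # (401, '') without a token
```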
AWS CLI profiles
--profile <profile name>
MFA with CLI
aws sts get-session-token
serial number: the virtual MFA device
AWS SDK overview
default region: us-east-1
AWS limit (quota)
DescribeInstances: limit 100 calls / s
S3 GetObject: 5500 GET / prefix
error
Intermittent error
Implement exponential backoff
already handled by the SDK
manual handling (without SDK): retry on 5xx
Consistent error
request an API throttling limit increase
Service limits
standard instance limit
1152 vCPU
AWS CLI credential
provider chain
lookup order
command line options
--region, --output, --profile
environment variable
(system properties / environment variables)
AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN
CLI credential file
~/.aws/credentials
CLI configuration file
~/.aws/config
Container credentials
best practice
DO NOT STORE AWS CREDENTIALS in code
use IAM roles
on EC2, ECS
outside AWS
use environment variables or named profiles
AWS Signature v4 Signing (Sigv4)
purpose
sign AWS API requests
where to put the signature
Header option
Query param
X-Aws-Security-Token
Note: check policies with the AWS Policy Simulator