Configuring AWS EC2 Marketplace AMIs credentials

configuration
ec2

(Dan O'Donovan) #1

I've read @david.allen's helpful post RE Cloud VM configuration (and other blog entries) but I'm having difficulty getting configuration changes to stick in AWS.

It seems that the Tags on the instance aren't being picked up by pre-neo4j.sh as when that script calls $ aws ec2 describe-tags ... it doesn't find any AWS credentials (as it shouldn't - I've not provided any!).

I suspect that the best way to provide the credentials is to assign a role to the EC2 instance, but I've not read this in any of the docs. Is that correct, or is there another way that I've missed?

Thanks!


(M. David Allen) #2

Can you clarify -- are you launching the VM individually, or is this as part of a CloudFormation template or cluster? I'm guessing you're launching the AMI individually.

Yes it's necessary for the VM to have the permission to read its own tags. This may be an edge case where we can improve the documentation on that page describing the differences of VMs. Normally, when the VM is deployed as part of the cloudformation templates and marketplace entries we provide, this permissioning is done for you so you'd never notice. If you deploy the AMI by itself, then it's not auto-granted.

So, two options:

  1. Inside of the VM, you can authorize the AWS client with whatever service key you want, restart the service, and it should work.
  2. In your launch process for the VM, you can apply an IAM role that gives the VM appropriate permissions. I think it gets a service account by default, just with very little permissions.

In CloudFormation language, the role you'd need to grant looks like this. The ec2:Describe one is really what does it.

When launching the image, on "Step 3: Configure Instance Details" there's a skinny little "IAM Role" box where you can configure the equivalent of the below, prior to launch.

        "ReadOwnTags": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "RoleName": {{ "work-with-tags" | appendStack }},
                "AssumeRolePolicyDocument": { 
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Effect": "Allow",
                            "Principal": {
                                "Service": "ec2.amazonaws.com"
                            },
                            "Action": "sts:AssumeRole"
                        }
                    ]
                },
                "Policies": [
                    {
                        "PolicyName": "root",
                        {# Adapted/customized from arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess #}
                        "PolicyDocument": {
                            "Version": "2012-10-17",
                            "Statement": [
                                {  
                                    "Effect": "Allow",
                                    "Action": "ec2:CreateTags",
                                    "Resource": "*"
                                },
                                {
                                    "Effect": "Allow",
                                    "Action": "ec2:Describe*",
                                    "Resource": "*"
                                }
                            ]                            
                        }
                    }
                ]
            }

(Dan O'Donovan) #3

Thanks David - I was rolling my own Cloudformation template!

Could you post a link to the cloudformation templates that Neo4j provide? I had been looking the code in github: neo4j-contrib/ec2neo (this web UI won't let me post that link) but I found it too out-dated for my needs.

Your IAM Role is very similar to the one I've been writing - I'll give it a whirl, thanks!


(M. David Allen) #4

Dan -- on the CloudFormation templates, I'll follow up with you privately by email. I have them and I'm glad to provide them, but they're not something we publicly publish just yet.