Does Foreman EC2 plugin support IAM roles instead of access/secret keys?


#1

Problem:
Currently we have an EC2-instance on AWS running, on which Foreman and puppetserver are installed. When adding compute resources for AWS, we are requested to fill in an access key/secret key (see screenshot below):

However for security reasons, we are not allowed to use access / secret keys (as they could be leaked), but are required to use IAM roles assigned to the EC2-instance for authentication.

The AWS tools (Cloudformation, CDK, …) support authentication via IAM role assigned to the EC2 instances.

Is a similar authentication available / scheduled to be available in Foreman? Is there a workaround to avoid using access/secret keys? Currently the access key/secret key are required to be filled in.

Expected outcome:
Being able to create EC2 instances with Foreman, without having to rely on access/secret keys

Foreman and Proxy versions: 1.22.0-1.el7

Foreman and Proxy plugin versions: foreman-ec2 (1.22.0-1.el7)


#2

Hi,

I’ve been searching a bit, and it seems this could be solved by using the following parameter in the fog connector: use_iam_profile = true;

I haven’t searched yet how it works in the foreman code itself though. :slight_smile:

related ticket @fog: https://github.com/fog/fog-aws/issues/441

Bert


#3

IAM role can be set per instance on image level, at least that’s what I understand from Feature #2229: Support IAM roles when provisioning via EC2 - Foreman

Try editing the image in your compute resource detail page and set the IAM role there. It would be good to hear whether it works. Then it’s easy to improve our docs.

Another question would be whether it makes sense to store it per image, or whether it should rather be configurable per compute profile or another entity.


#4

Hi Bert,

Thank you for your useful input.

As a current workaround we edited some Ruby code on the server:
/usr/share/foreman/app/models/compute_resources/foreman/model/ec2.rb:
replace

@client ||= ::Fog::Compute.new(:provider => "AWS", :aws_access_key_id => user, :aws_secret_access_key => password, :region => region, :connection_options => connection_options)

by

@client ||= ::Fog::Compute.new(:provider => "AWS", :use_iam_profile => true, :region => region, :connection_options => connection_options)

This way we are able to create and launch instances in a more secure way.

Benonie
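One way to support both modes side by side instead of hard-replacing the line above, as an added example that is not code from the thread or from the foreman-ec2 plugin (the helper names are assumptions): build the fog-aws options from whatever credentials are configured, fall back to the instance profile when none are, and refuse a half-configured key pair rather than silently downgrading.

```ruby
# Added example, not Foreman or fog-aws code: choose between static keys and
# the EC2 instance profile when building the options for ::Fog::Compute.new.
# The fog-aws gem is only required when ec2_client is actually called.

# Returns the options hash for ::Fog::Compute.new.
#   - both access key id and secret given  -> static keys (current behaviour)
#   - neither given                        -> :use_iam_profile => true
#   - only one of the two given            -> ArgumentError (misconfiguration)
def ec2_fog_options(user, password, region, connection_options = {})
  key_id = user.to_s.strip
  secret = password.to_s.strip
  opts = { provider: "AWS", region: region, connection_options: connection_options }
  if key_id.empty? && secret.empty?
    opts[:use_iam_profile] = true
  elsif key_id.empty? || secret.empty?
    raise ArgumentError,
          "set both access key id and secret key, or neither to use the instance IAM role"
  else
    opts[:aws_access_key_id] = key_id
    opts[:aws_secret_access_key] = secret
  end
  opts
end

# Describes the authentication mode for logs or the UI without ever
# including the secret key.
def ec2_auth_mode(opts)
  return "iam-profile" if opts[:use_iam_profile]
  "static-keys:#{opts[:aws_access_key_id]}"
end

# Builds the Fog client; mirrors the @client ||= line from the thread.
def ec2_client(user, password, region, connection_options = {})
  require "fog/aws"
  ::Fog::Compute.new(ec2_fog_options(user, password, region, connection_options))
end
```

With empty credentials in the compute resource form the client is created with `:use_iam_profile => true`, so no secret key has to be stored on the Foreman host.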