This document describes how to employ Amazon Identity and Access Management (IAM) to create users that people can use to test Amazon Elastic Compute Cloud (EC2) images for limited periods of time such as test days. It assumes that you have read and understood the EC2 Primer, and, if you are the sponsor for the event, the IAM Primer. It also assumes that the sponsor has administrative access to an Amazon Web Services (AWS) account that is dedicated to sponsoring people for test days and that people will not need to manipulate security groups or firewall rules.
Sponsor Instructions
The sponsor for the test days should have administrator-level access to an AWS account for test days. All of the commands in this section can be performed by an IAM user with administrative privileges such as the one created in the IAM Primer instead of account-level credentials.
Initial Setup
The steps in this section only need to be done once.
Get Your Account Details
Obtain either account credentials or an administrative user's credentials and write them to ~/.iamrc and ~/.eucarc as shown in the IAM Primer.
Install the Command Line Tools
Install the euca2ools package. To do so with yum, run:
# yum install euca2ools
Change the default
Security Group Rules
Since the goal of a EC2 test day is to test a Fedora image that has already been registered in EC2, sponsored users can run instances in a permissive default
security group that allows all traffic from the Internet. You can make that security group allow all traffic with euca-authorize
:
$ euca-authorize -P tcp -p 1-65535 default $ euca-authorize -P udp -p 1-65535 default $ euca-authorize -P icmp default
Create an Account Alias (optional)
Sponsored users who wish to use AWS's web console to manage their instances need to use an account-specific URL. To make that URL include a human-readable name instead of a long account number you can create an account alias:
$ euare-accountaliascreate -a fedora-test-day
Test Day Setup
The instructions in this section need to be done for each test day.
Create a Test Day Group
Create a group for the specific test day. This is the group that will use to manage permissions for every sponsored user.
$ euare-groupcreate -g test-day-20111020
Then add a time-limited policy to the group that allows its members to perform the relevant functions in EC2. A policy that seems to work appears below. Be sure to adjust its time constraints accordingly.
{ "Statement": [ { "Action": [ "ec2:CreateKeyPair", "ec2:DeleteKeyPair", "ec2:DescribeAddresses", "ec2:DescribeAvailabilityZones", "ec2:DescribeImageAttribute", "ec2:DescribeImages", "ec2:DescribeInstanceAttribute", "ec2:DescribeInstances", "ec2:DescribeKeyPairs", "ec2:DescribeSecurityGroups", "ec2:GetConsoleOutput", "ec2:ModifyInstanceAttribute", "ec2:RebootInstances", "ec2:ResetInstanceAttribute", "ec2:RunInstances", "ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances" ], "Effect": "Allow", "Resource": "*", "Condition": { "DateGreaterThan": { "aws:CurrentTime": "2011-10-19T00:00:00Z" }, "DateLessThan": { "aws:CurrentTime": "2011-10-21T00:00:00Z" } } } ] }
Then write the policy to a file and add it to the group:
$ euare-groupuploadpolicy -g test-day-20111020 -p f16-on-ec2-20111020 -f policy.json
Create Test Day Users
Next, create the users that people will use for testing. Store their credentials in a directory so you can hand them out to people individually during the test day. (Or beforehand, since the policy is time-limited.)
$ mkdir -p credentials-20111020 $ euare-usercreate -g test-day-20111020 -k -u tester01 > credentials/tester01
If you want test day users to be able to use the online web console to manage their instances, create login profiles for them as well:
$ euare-useraddloginprofile -u tester01 -p SeekritPassword
Repeat this for each user.
When sending this information to sponsored people, include the access key ID and secret access key included inside the file credentials/testerN
. If you also created login profiles for them, also send the appropriate user name (e.g. tester01) and password. They will be able to log into the AWS Console by going to https://your_AWS_Account_ID.signin.aws.amazon.com/console/. If you created an account alias, you can use that alias in place of the numeric account ID.
Test Day Cleanup
After the test day is over you can delete all of the users and the group you created for it:
$ euare-userdel -r -u tester01 $ euare-userdel -r -u tester02 ... $ euare-groupdel -r -g test-day-20111020
Also be sure to terminate any leftover instances and keypairs.
User Instructions
Get Your Sponsored User Details
When you use a sponsored user for an EC2 test day the sponsor will send you a access key ID and a secret access key that the euca2ools command line suite will use to access EC2 during the test day. To test Fedora EC2 images, follow along with the Getting Started with Fedora on EC2 section of the EC2 Primer, using the credentials you received in place of those that the guide asks you to fetch from Amazon's website. With these credentials you do not need to create your own AWS account.
Please be sure to clean up when you finish by deleting any keypairs you created and terminating any instances you started. EC2's access controls are not yet fine enough to prevent you from terminating other people's instances, so please be careful when doing so.
Using the AWS Console
If the sponsor also sent you a username and password, you can use those to log into the AWS Console on the web instead of using command line tools. Ask your sponsor for the web address to which you should go to log in.