Managing Access for Cloud Automation

When setting up your automation tools to leverage the OUTSCALE Cloud, you will face a decision: "Should I let my Access and Secret Key out there?" The short answer is: No.

You might need a "Master" virtual machine (VM) that controls the state of your VMs, and decides to start, reboot or shutdown any other VM. This topic does not explain how to setup a command center, but how to manage access through our Elastic Identity Management (EIM) service.


In this example, we use a common use case where you need to monitor the state of your VMs. The goal is to create an EIM profile with its own access keys for your automation tool, that enables it to only perform the required actions.

In this example, we will:

  1. Create a group of users.

  2. Create the adequate policy for this group.

  3. Create a user.

  4. Generate a pair of access key and secret key, that will be set for the VM and the program that will interact with our APIs to manage your infrastructure.


Use your EIM connector (CLI, Boto). In this example, we use boto2.

Create your group

>> outscale_eim.create_group('monitoring')
{u'create_group_response': {u'response_metadata': {u'request_id': u'6cc10aae-69fe-41f2-9c0a-540d3024f1e1'}, u'create_group_result': {u'group': {u'path': u'/', u'group_id': u'T9UIPLKTDAHJI0WBI55O1XSZR90XHVR', u'create_date': u'2017-02-08T14:11:46.463Z', u'arn': u'arn:aws:iam::209064296596:group/monitoring', u'group_name': u'monitoring'}}}}

Create an EIM policy document

In this example, the policy document allows Describe calls in FCU and LBU services:

>> policy_monitor = {"Statement": [{"Action": ["ec2:Describe*", "elasticloadbalancing:Describe*"], "Effect": "Allow", "Resource": ["*"]}]}
>> outscale_eim.create_policy('monitoring', json.dumps(policy_monitor), '/', 'Allow describe for every item')
{u'create_policy_response': {u'create_policy_result': {u'policy': {u'update_date': u'2017-02-08T14:28:09.565Z', u'create_date': u'2017-02-08T14:28:09.565Z', u'is_attachable': u'true', u'policy_name': u'monitoring', u'default_version_id': u'v1', u'attachment_count': u'0', u'path': u'/', u'arn': u'arn:aws:iam::209064296596:policy/monitoring', u'policy_id': u'2LDQ6L9JTIHUM2JFTT11T85NNNC6BSI'}}, u'response_metadata': {u'request_id': u'269c7cd1-ff75-45c0-afe3-9f76f5bdb693'}}}

Attach the policy to the group

>> outscale_eim.attach_group_policy('arn:aws:iam::209064296596:policy/monitoring', 'monitoring')
{u'attach_group_policy_response': {u'response_metadata': {u'request_id': u'f8b26057-dc3b-435e-b73d-85e5ef07b08d'}}}

Create your user

>> outscale_eim.create_user('watcher_1')
{u'create_user_response': {u'create_user_result': {u'user': {u'path': u'/', u'create_date': u'2017-02-08T14:29:16.213Z', u'user_name': u'watcher_1', u'arn': u'arn:aws:iam::209064296596:user/watcher_1', u'user_id': u'QAMRA41689OVGBITFKNCUS7VTUS7JKE'}}, u'response_metadata': {u'request_id': u'bef67fbf-7303-421c-a570-8765a424883a'}}}

Add your user to the group

>> outscale_eim.add_user_to_group('monitoring', 'watcher_1')
{u'add_user_to_group_response': {u'response_metadata': {u'request_id': u'b7c5e54d-113a-4c63-ac86-3dbb8066c1c8'}}}

Generate access keys for your user

>> outscale_eim.create_access_key('watcher_1')
{u'create_access_key_response': {u'create_access_key_result': {u'access_key': {u'status': u'Active', u'secret_access_key': u'68LYVK40JWRRUUZ1JNTB2EBRNSCH1QE8NXGPAHIM', u'create_date': u'2017-02-08T14:34:13.119Z', u'user_name': u'orn:ows:idauth::209064296596:user/watcher_1', u'access_key_id': u'CM3UAWFMD2WRN4XEAU01'}}, u'response_metadata': {u'request_id': u'ad7b8a9d-34a6-4436-b2c9-a1abd0ab455a'}}}

You now have a set of access key and secret key that can be used by your script to check the state of your infrastructure. We recommend to use these access keys for this purpose only.

Related Page