Managing Access for Cloud Automation

This page is currently available in English only.

When setting up your automation tools to leverage the 3DS OUTSCALE Cloud, you will face a decision: "Should I hand my account's access key and secret key to them?" The short answer is: No.

You might need a "Master" virtual machine (VM) that controls the state of your VMs and decides to start, reboot or shut down any other VM. This topic does not explain how to set up such a command center, but how to manage its access through our Elastic Identity Management (EIM) service.

Principles

This example uses a common use case: an automation tool that needs to monitor the state of your VMs. The goal is to create an EIM profile with its own access keys for that tool, so that it can perform only the actions it requires.

In this example, we will:

  1. Create a group of users.

  2. Create the adequate policy for this group.

  3. Create a user.

  4. Generate an access key and secret key pair, which will be configured on the VM and in the program that interacts with our APIs to manage your infrastructure.

Example

Use your EIM connector (CLI, Boto). In this example, we use boto2; outscale_eim in the commands below is the boto2 connection object to the EIM endpoint.

Create your group

command
>> outscale_eim.create_group('monitoring')
output
{u'create_group_response': {u'response_metadata': {u'request_id': u'6cc10aae-69fe-41f2-9c0a-540d3024f1e1'}, u'create_group_result': {u'group': {u'path': u'/', u'group_id': u'T9UIPLKTDAHJI0WBI55O1XSZR90XHVR', u'create_date': u'2017-02-08T14:11:46.463Z', u'arn': u'arn:aws:iam::209064296596:group/monitoring', u'group_name': u'monitoring'}}}}

Create an EIM policy document

In this example, the policy document allows only Describe (read-only) calls in the FCU and LBU services:

commands
>> policy_monitor = {"Statement": [{"Action": ["ec2:Describe*", "elasticloadbalancing:Describe*"], "Effect": "Allow", "Resource": ["*"]}]}
>> outscale_eim.create_policy('monitoring', json.dumps(policy_monitor), '/', 'Allow describe for every item')
output
{u'create_policy_response': {u'create_policy_result': {u'policy': {u'update_date': u'2017-02-08T14:28:09.565Z', u'create_date': u'2017-02-08T14:28:09.565Z', u'is_attachable': u'true', u'policy_name': u'monitoring', u'default_version_id': u'v1', u'attachment_count': u'0', u'path': u'/', u'arn': u'arn:aws:iam::209064296596:policy/monitoring', u'policy_id': u'2LDQ6L9JTIHUM2JFTT11T85NNNC6BSI'}}, u'response_metadata': {u'request_id': u'269c7cd1-ff75-45c0-afe3-9f76f5bdb693'}}}

Attach the policy to the group

command
>> outscale_eim.attach_group_policy('arn:aws:iam::209064296596:policy/monitoring', 'monitoring')
output
{u'attach_group_policy_response': {u'response_metadata': {u'request_id': u'f8b26057-dc3b-435e-b73d-85e5ef07b08d'}}}

Create your user

command
>> outscale_eim.create_user('watcher_1')
output
{u'create_user_response': {u'create_user_result': {u'user': {u'path': u'/', u'create_date': u'2017-02-08T14:29:16.213Z', u'user_name': u'watcher_1', u'arn': u'arn:aws:iam::209064296596:user/watcher_1', u'user_id': u'QAMRA41689OVGBITFKNCUS7VTUS7JKE'}}, u'response_metadata': {u'request_id': u'bef67fbf-7303-421c-a570-8765a424883a'}}}

Add your user to the group

command
>> outscale_eim.add_user_to_group('monitoring', 'watcher_1')
output
{u'add_user_to_group_response': {u'response_metadata': {u'request_id': u'b7c5e54d-113a-4c63-ac86-3dbb8066c1c8'}}}

Generate access keys for your user

command
>> outscale_eim.create_access_key('watcher_1')
output
{u'create_access_key_response': {u'create_access_key_result': {u'access_key': {u'status': u'Active', u'secret_access_key': u'68LYVK40JWRRUUZ1JNTB2EBRNSCH1QE8NXGPAHIM', u'create_date': u'2017-02-08T14:34:13.119Z', u'user_name': u'orn:ows:idauth::209064296596:user/watcher_1', u'access_key_id': u'CM3UAWFMD2WRN4XEAU01'}}, u'response_metadata': {u'request_id': u'ad7b8a9d-34a6-4436-b2c9-a1abd0ab455a'}}}

You now have an access key and secret key pair that your script can use to check the state of your infrastructure. We recommend using these access keys for this purpose only.
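The four steps above, carried out as one boto2 script, as an added example that is not part of the 3DS OUTSCALE page. It reuses the page's names (group and policy "monitoring", user "watcher_1", the Describe-only policy document) and pulls the policy ARN and the new key pair out of the response structures shown above. The helper names, the environment variables and the EIM host name are assumptions; the policy is checked for non-Describe actions before any call is made, so an over-broad document never reaches EIM. boto2 is imported lazily, so the pure-Python checks run without it installed.

```python
"""Added example (not the page's or 3DS OUTSCALE's own code): provision a
least-privilege EIM identity for a monitoring script with boto2."""
import json
import re

# A monitoring identity may only call <service>:Describe... actions.
READ_ONLY_ACTION = re.compile(r"^[a-z0-9-]+:Describe[A-Za-z0-9]*\*?$")


def build_monitoring_policy():
    """The policy document from the page: Describe calls in FCU (ec2) and LBU."""
    return {"Statement": [{"Action": ["ec2:Describe*", "elasticloadbalancing:Describe*"],
                           "Effect": "Allow", "Resource": ["*"]}]}


def non_read_only_actions(policy):
    """Return every action in an Allow statement that grants more than Describe access."""
    offending = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            if not READ_ONLY_ACTION.match(action):
                offending.append(action)
    return offending


def policy_arn_from_response(resp):
    """Extract the ARN from boto2's create_policy response (structure as shown on the page)."""
    return resp["create_policy_response"]["create_policy_result"]["policy"]["arn"]


def access_key_from_response(resp):
    """Extract (access_key_id, secret_access_key) from boto2's create_access_key response."""
    key = resp["create_access_key_response"]["create_access_key_result"]["access_key"]
    return key["access_key_id"], key["secret_access_key"]


def provision_monitoring_identity(eim, group="monitoring", policy_name="monitoring",
                                  user="watcher_1"):
    """Run the page's four steps against an EIM connection (boto2 IAMConnection or
    any object with the same method names). Refuses over-broad policies up front."""
    policy = build_monitoring_policy()
    bad = non_read_only_actions(policy)
    if bad:
        raise ValueError("policy grants non-Describe actions: %s" % bad)
    eim.create_group(group)
    resp = eim.create_policy(policy_name, json.dumps(policy), "/",
                             "Allow describe for every item")
    eim.attach_group_policy(policy_arn_from_response(resp), group)
    eim.create_user(user)
    eim.add_user_to_group(group, user)
    return access_key_from_response(eim.create_access_key(user))


def connect_eim(access_key, secret_key, host):
    """Open a boto2 IAM connection to the EIM endpoint (host is an assumption: use your region's)."""
    from boto.iam.connection import IAMConnection  # boto2, imported lazily
    return IAMConnection(aws_access_key_id=access_key,
                         aws_secret_access_key=secret_key, host=host)


if __name__ == "__main__":
    import os
    # Assumed environment variables holding the administrator's credentials and the EIM host.
    eim = connect_eim(os.environ["OSC_ACCESS_KEY"], os.environ["OSC_SECRET_KEY"],
                      os.environ["OSC_EIM_HOST"])
    key_id, _secret = provision_monitoring_identity(eim)
    # Only the key id is printed; the secret goes to the monitoring VM's configuration.
    print("access key for watcher_1: %s" % key_id)
```

The administrator credentials used to run the script are separate from the pair it creates: the script needs EIM rights once, while the monitoring VM ends up holding only the watcher_1 keys, which the attached policy limits to Describe calls.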
