When setting up your automation tools to leverage the OUTSCALE Cloud, you will face a decision: "Should I put my Access Key and Secret Key out there?" The short answer is: no.

You might need a "master" instance that controls the state of your instances and decides to start, reboot or shut down any other instance. This topic does not explain how to set up such a command center, but how to manage its access through our Elastic Identity Management (EIM) service.

Principles

This example covers a common use case: monitoring the state of your instances. The goal is to create an EIM profile with its own access keys for your automation tool, so that it can perform only the required actions.

In this example, we will:

  1. Create a group of users.
  2. Create the adequate policy for this group.
  3. Create a user.
  4. Generate an access key and secret key pair, to be configured on the instance and used by the program that interacts with our APIs to manage your infrastructure.


Example

Use your EIM connector (CLI, Boto). In this example, we use boto2.


Create your group

command
>> outscale_eim.create_group('monitoring')


output
{u'create_group_response': {u'response_metadata': {u'request_id': u'6cc10aae-69fe-41f2-9c0a-540d3024f1e1'}, u'create_group_result': {u'group': {u'path': u'/', u'group_id': u'T9UIPLKTDAHJI0WBI55O1XSZR90XHVR', u'create_date': u'2017-02-08T14:11:46.463Z', u'arn': u'arn:aws:iam::209064296596:group/monitoring', u'group_name': u'monitoring'}}}}


Create an EIM policy document

In this example, the policy document allows Describe calls in FCU and LBU services:

commands
>> import json
>> policy_monitor = {"Statement": [{"Action": ["ec2:Describe*", "elasticloadbalancing:Describe*"], "Effect": "Allow", "Resource": ["*"]}]}
>> outscale_eim.create_policy('monitoring', json.dumps(policy_monitor), '/', 'Allow describe for every item')


output
{u'create_policy_response': {u'create_policy_result': {u'policy': {u'update_date': u'2017-02-08T14:28:09.565Z', u'create_date': u'2017-02-08T14:28:09.565Z', u'is_attachable': u'true', u'policy_name': u'monitoring', u'default_version_id': u'v1', u'attachment_count': u'0', u'path': u'/', u'arn': u'arn:aws:iam::209064296596:policy/monitoring', u'policy_id': u'2LDQ6L9JTIHUM2JFTT11T85NNNC6BSI'}}, u'response_metadata': {u'request_id': u'269c7cd1-ff75-45c0-afe3-9f76f5bdb693'}}}
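Before a policy document is attached to the group, a script can check that every Allow statement stays within Describe-style actions, so a later edit cannot silently widen the monitoring identity to mutating calls. The following is an added example, not part of this page or of OUTSCALE's tooling; READ_ONLY_PATTERNS, check_read_only and the two sample documents are assumptions made for this example, and the page's own policy_monitor document is reused as POLICY_MONITOR.

```python
# Assumed allowlist for this example: the Describe-only intent of the page's policy.
READ_ONLY_PATTERNS = ("ec2:Describe*", "elasticloadbalancing:Describe*")


def _as_list(value):
    """IAM-style documents accept a string or a list for Action/Resource."""
    return [value] if isinstance(value, str) else list(value)


def _covered(action, pattern):
    """True if every action name matched by `action` is also matched by `pattern`.
    A pattern ending in '*' covers any action starting with its literal prefix,
    so 'ec2:DescribeInstances' and 'ec2:Describe*' pass, while 'ec2:*' and '*'
    do not (their literal prefix is shorter than the pattern's)."""
    if pattern.endswith("*"):
        return action.lower().startswith(pattern[:-1].lower())
    # Exact pattern: only that literal name qualifies; any wildcard is wider.
    return "*" not in action and action.lower() == pattern.lower()


def check_read_only(policy):
    """Return a list of problems found in `policy` (a parsed policy document).
    An empty list means every Allow statement grants only read-only actions."""
    problems = []
    for index, statement in enumerate(policy.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        if "NotAction" in statement:
            problems.append(f"statement {index} uses NotAction, which grants everything else")
            continue
        for action in _as_list(statement.get("Action", [])):
            if not any(_covered(action, p) for p in READ_ONLY_PATTERNS):
                problems.append(f"statement {index} allows non-read-only action {action!r}")
    return problems


# Constructed sample documents: the page's Describe-only policy and a broader one.
POLICY_MONITOR = {"Statement": [{"Action": ["ec2:Describe*", "elasticloadbalancing:Describe*"],
                                 "Effect": "Allow", "Resource": ["*"]}]}
POLICY_TOO_BROAD = {"Statement": [{"Action": ["ec2:Describe*", "ec2:StopInstances"],
                                   "Effect": "Allow", "Resource": ["*"]}]}

if __name__ == "__main__":
    for name, doc in (("monitoring", POLICY_MONITOR), ("too_broad", POLICY_TOO_BROAD)):
        print(name, check_read_only(doc) or "OK: read-only")
```

Run the check on the parsed document before calling create_policy, and refuse to attach it when the returned list is not empty.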

Attach the policy to the group

command
>> outscale_eim.attach_group_policy('arn:aws:iam::209064296596:policy/monitoring', 'monitoring')


output
{u'attach_group_policy_response': {u'response_metadata': {u'request_id': u'f8b26057-dc3b-435e-b73d-85e5ef07b08d'}}}

Create your user

command
>> outscale_eim.create_user('watcher_1')


output
{u'create_user_response': {u'create_user_result': {u'user': {u'path': u'/', u'create_date': u'2017-02-08T14:29:16.213Z', u'user_name': u'watcher_1', u'arn': u'arn:aws:iam::209064296596:user/watcher_1', u'user_id': u'QAMRA41689OVGBITFKNCUS7VTUS7JKE'}}, u'response_metadata': {u'request_id': u'bef67fbf-7303-421c-a570-8765a424883a'}}}

Add your user to the group

command
>> outscale_eim.add_user_to_group('monitoring', 'watcher_1')


output
{u'add_user_to_group_response': {u'response_metadata': {u'request_id': u'b7c5e54d-113a-4c63-ac86-3dbb8066c1c8'}}}


Generate access keys for your user

command
>> outscale_eim.create_access_key('watcher_1')


output
{u'create_access_key_response': {u'create_access_key_result': {u'access_key': {u'status': u'Active', u'secret_access_key': u'68LYVK40JWRRUUZ1JNTB2EBRNSCH1QE8NXGPAHIM', u'create_date': u'2017-02-08T14:34:13.119Z', u'user_name': u'orn:ows:idauth::209064296596:user/watcher_1', u'access_key_id': u'CM3UAWFMD2WRN4XEAU01'}}, u'response_metadata': {u'request_id': u'ad7b8a9d-34a6-4436-b2c9-a1abd0ab455a'}}}


You now have an access key and secret key pair that your script can use to check the state of your infrastructure. We recommend using these access keys for this purpose only.



AWS™ and Amazon Web Services™ are trademarks of Amazon Technologies, Inc or its affiliates in the United States and/or other countries.