Scenario 2 - EC2 Access to SNS topic to publish messages

Scenario:

You want an application running on an Amazon Elastic Compute Cloud (EC2) instance to publish messages to an Amazon Simple Notification Service (SNS) topic without hardcoding an AWS access key and secret access key on the instance.

Solution:

You can use an IAM role to grant the EC2 instance the permissions it needs to publish messages to the SNS topic.

To set this up, create an IAM role whose permissions policy allows sns:Publish on the topic, and attach the role to the EC2 instance through an instance profile. The instance then obtains the role's temporary security credentials from the instance metadata service (IMDS); the AWS CLI and SDKs pick them up automatically through their credential provider chain, so no long-lived key is ever stored on the instance and the credentials are rotated for you.

Once the AWS CLI is configured with an identity that is allowed to administer IAM (these commands run from your workstation, not from the instance), create the permissions policy with the create-policy command. For example, to create a policy named sns-publish-msg-policy from the policy document in sns-publish-policy.json, you might use a command like this:

aws iam create-policy --policy-name sns-publish-msg-policy --policy-document file://sns-publish-policy.json

The sns-publish-policy.json file in this example contains a JSON document describing the permissions you want to grant to the role. You can find more information on writing policy documents under Policies and permissions in IAM. Here is an example policy document that allows the role to publish messages to a single SNS topic called my-sns-topic. Note that Resource is the topic's full ARN rather than a wildcard, so the role cannot publish to any other topic:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sns:Publish",
            "Resource": "arn:aws:sns:us-east-2:642434777320:my-sns-topic"
        }
    ]
}

Next, create the trust policy: a JSON file that defines the trust relationship of the IAM role, that is, which principals are allowed to assume it. Here we save it as ec2-assume-policy.json. Unlike the permissions policy above, it grants no API permissions; it only says who may take on the role.

Here is an example trust policy document that allows the role to be assumed by the EC2 service on behalf of instances:

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {
            "Service": "ec2.amazonaws.com"
        },
        "Action": "sts:AssumeRole"
    }]
}

Once the trust policy file exists, create the IAM role with the create-role command, passing the trust policy as the assume-role policy document:

aws iam create-role --role-name EC2RoleToPublishMessage --assume-role-policy-document file://ec2-assume-policy.json

Once the role has been created, attach the permissions policy created earlier to it with the attach-role-policy command. This attaches the policy to the role, not to the instance; attaching the role to the instance is the next step.

aws iam attach-role-policy --role-name EC2RoleToPublishMessage --policy-arn "arn:aws:iam::642434777320:policy/sns-publish-msg-policy"

A role cannot be attached to an EC2 instance directly; EC2 only accepts an instance profile, which is a container for exactly one role. Create the instance profile EC2RoleToAccessSNSInstProfile with the create-instance-profile command, then put the role into it with add-role-to-instance-profile:

aws iam create-instance-profile --instance-profile-name EC2RoleToAccessSNSInstProfile

aws iam add-role-to-instance-profile --role-name EC2RoleToPublishMessage --instance-profile-name EC2RoleToAccessSNSInstProfile

Finally, attach the instance profile to an existing EC2 instance that was originally launched without an IAM role, using the associate-iam-instance-profile command. For example, to attach EC2RoleToAccessSNSInstProfile (and with it the newly created role EC2RoleToPublishMessage) to instance i-04c85291954fe6e5f:

aws ec2 associate-iam-instance-profile --instance-id i-04c85291954fe6e5f --iam-instance-profile Name=EC2RoleToAccessSNSInstProfile
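The steps above, from the permissions policy to the profile association, as one script. This is an added example and not code from the original page: it takes the page's account ID, region, topic, instance ID and resource names as defaults (override them through the environment), runs from an administrator's workstation whose CLI identity may create IAM roles and policies and modify the instance, and adds one guard the page does not show, refusing to create a policy whose Action or Resource is a bare wildcard. The `sleep` accounts for IAM's eventual consistency, which can make EC2 reject a profile created seconds earlier.

```shell
#!/bin/sh
# Added example (not from the original page): the whole role/profile setup as one
# script. Run it from an ADMIN workstation, never from the instance itself.
# Account ID, region, topic, instance ID and resource names are the page's
# values; override them through the environment. The helper functions run
# offline; the AWS calls only run when invoked as:  sh setup.sh apply
set -eu

REGION="${REGION:-us-east-2}"
ACCOUNT_ID="${ACCOUNT_ID:-642434777320}"
TOPIC_NAME="${TOPIC_NAME:-my-sns-topic}"
INSTANCE_ID="${INSTANCE_ID:-i-04c85291954fe6e5f}"
ROLE_NAME="${ROLE_NAME:-EC2RoleToPublishMessage}"
POLICY_NAME="${POLICY_NAME:-sns-publish-msg-policy}"
PROFILE_NAME="${PROFILE_NAME:-EC2RoleToAccessSNSInstProfile}"

# Permissions policy: one action (sns:Publish) on one topic ARN, built from
# region/account/topic so the ARN cannot drift from the real topic.
publish_policy_document() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sns:Publish",
      "Resource": "arn:aws:sns:$1:$2:$3"
    }
  ]
}
EOF
}

# Trust policy: only the EC2 service principal may assume the role. It grants
# no API permissions; those come from the attached permissions policy.
trust_policy_document() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "ec2.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Guard: refuse any document (read from stdin) whose Action or Resource is a
# bare "*". Returns 0 when the policy is scoped, 1 when it is wildcarded.
policy_is_scoped() {
  ! grep -Eq '"(Action|Resource)":[[:space:]]*"\*"'
}

apply() {
  policy_arn="arn:aws:iam::${ACCOUNT_ID}:policy/${POLICY_NAME}"
  publish_doc=$(publish_policy_document "$REGION" "$ACCOUNT_ID" "$TOPIC_NAME")
  echo "$publish_doc" | policy_is_scoped || { echo "refusing wildcard policy" >&2; return 1; }

  # 1. permissions policy, 2. role with its trust policy, 3. bind the two
  aws iam create-policy --policy-name "$POLICY_NAME" --policy-document "$publish_doc"
  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(trust_policy_document)"
  aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$policy_arn"

  # 4. EC2 only accepts an instance profile (a container for exactly one role)
  aws iam create-instance-profile --instance-profile-name "$PROFILE_NAME"
  aws iam add-role-to-instance-profile --role-name "$ROLE_NAME" \
    --instance-profile-name "$PROFILE_NAME"

  # IAM is eventually consistent: EC2 can reject a profile created seconds ago.
  sleep 10
  # 5. attach the profile to the running instance
  aws ec2 associate-iam-instance-profile --region "$REGION" \
    --instance-id "$INSTANCE_ID" --iam-instance-profile "Name=${PROFILE_NAME}"
}

if [ "${1:-}" = "apply" ]; then apply; fi
```

The policy documents are passed to the CLI inline rather than through file:// so that the ARN in the permissions policy is derived from the same variables used for the publish test later; if the topic lives in another account or region, only the variables change.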

After these steps the EC2 instance is associated with the IAM role, and any process on it that uses the AWS CLI or an SDK receives temporary credentials for EC2RoleToPublishMessage from the instance metadata service, giving it exactly the permissions needed to publish to the SNS topic and nothing more.

The SNS topic to which messages will be published is my-sns-topic (screenshot of the topic not reproduced here).

Before testing, remove any static access key and secret access key from the EC2 instance by clearing them out of ~/.aws/config and ~/.aws/credentials. Static keys in those files take precedence over instance-profile credentials in the CLI's credential provider chain, so if you leave them in place you are testing the key, not the role. With no keys and no instance profile the CLI reports "Unable to locate credentials"; with the profile attached the role's credentials are used instead. Remember to pass the --region parameter with the region where the resources are deployed, otherwise the CLI may look for the topic in a different region:

aws sns publish --region us-east-2 --topic-arn "arn:aws:sns:us-east-2:642434777320:my-sns-topic" --message "Hello World, Let's Learn IAM"

After running the above command we get a MessageId in the response, which means the message was published to the SNS topic successfully using the role's credentials. If the response is an AuthorizationError instead, the role is in use but its permissions policy does not cover this topic ARN.
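The verification step above, expanded into a check script to run on the instance. This is an added example and not the page's own code: it refuses to proceed while a static key remains in ~/.aws/credentials or ~/.aws/config, asks IMDSv2 which role is attached, confirms with aws sts get-caller-identity that the CLI really resolves to EC2RoleToPublishMessage (for instance-profile credentials the session name is the instance ID, so the identity ARN has the form arn:aws:sts::ACCOUNT:assumed-role/ROLE/INSTANCE-ID), and only then publishes. The role name, region and topic ARN are the page's values and are assumed to still be in use.

```shell
#!/bin/sh
# Added example (not from the original page): run this ON the instance after the
# profile is associated. Role name, region and topic ARN are the page's values.
# The string helpers run offline; the network calls need the instance, and only
# run when invoked as:  sh check.sh run
set -eu

REGION="${REGION:-us-east-2}"
ROLE_NAME="${ROLE_NAME:-EC2RoleToPublishMessage}"
TOPIC_ARN="${TOPIC_ARN:-arn:aws:sns:us-east-2:642434777320:my-sns-topic}"

# 0 if the given shared-config file still defines a static access key.
# Static keys outrank instance-profile credentials in the CLI's provider chain,
# so while one is present you are testing the key, not the role.
has_static_keys() {
  [ -f "$1" ] && grep -Eiq '^[[:space:]]*aws_access_key_id[[:space:]]*=' "$1"
}

# 0 if a caller-identity ARN is an assumed-role session of the expected role,
# e.g. arn:aws:sts::642434777320:assumed-role/EC2RoleToPublishMessage/i-04c85291954fe6e5f
# (for instance-profile credentials the session name is the instance ID).
identity_is_role() {
  case "$1" in
    arn:aws:sts::*:assumed-role/"$2"/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Name of the role IMDS hands out credentials for. Uses IMDSv2 (session token),
# which keeps working when IMDSv1 has been disabled on the instance.
imds_role_name() {
  token=$(curl -sS -X PUT "http://169.254.169.254/latest/api/token" \
            -H "X-aws-ec2-metadata-token-ttl-seconds: 60")
  curl -sS -H "X-aws-ec2-metadata-token: $token" \
    "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
}

verify_and_publish() {
  for f in "$HOME/.aws/credentials" "$HOME/.aws/config"; do
    if has_static_keys "$f"; then
      echo "static access key still present in $f; remove it first" >&2
      return 1
    fi
  done
  echo "IMDS reports role: $(imds_role_name)"

  caller=$(aws sts get-caller-identity --region "$REGION" --query Arn --output text)
  if ! identity_is_role "$caller" "$ROLE_NAME"; then
    echo "CLI is not running as $ROLE_NAME (got $caller)" >&2
    return 1
  fi

  # Success prints a MessageId. An AuthorizationError here means the role's
  # permissions policy does not cover this exact topic ARN.
  aws sns publish --region "$REGION" --topic-arn "$TOPIC_ARN" \
    --message "Hello World, Let's Learn IAM" --output json
}

if [ "${1:-}" = "run" ]; then verify_and_publish; fi
```

Checking the caller identity before publishing separates two failure modes that produce similar-looking errors: a static key or an unrelated role being used (wrong identity) versus the right role lacking sns:Publish on this topic (wrong policy).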

References:

AWS CLI command reference for aws iam
AWS CLI command reference for aws sns publish