Wednesday, November 21, 2012

[AWS] Using the EC2 CLI from an IAM Account


Using the AWS CLI (Command Line Interface) requires account credentials.

  • access keys
  • X.509 certificates
  • key pairs
The required type differs by API group; the problem is that the X.509 certificate cannot be obtained from the IAM user page.


If a user needs a signing certificate (for example, to use the Amazon EC2 command line tools), you first must obtain a signing certificate and then upload it to the IAM system. IAM doesn't have an API action to create signing certificates, so you must use a third-party tool such as OpenSSL to create the certificate first.


User Credentials

By default, a user has no security credentials. You create security credentials for your users as needed. The type of credentials a user needs depends on how the user will access AWS.
Secret Access Keys and Access Key IDs
To make API calls or to work with the command line interface, the user needs a Secret Access Key and Access Key ID. The IAM API and command line interface provide actions that create these for a user. You can give your users permission to create and manage their own credentials if you like, or you can have an administrators group in your organization handle this. For more information about creating keys for a user, see Adding a New User to Your AWS Account.
X.509 Certificates
Another type of credential a user might have is an X.509 certificate (referred to here as a signing certificate) and corresponding certificate ID. Some AWS products use this instead of a Secret Access Key for access to certain interfaces. For example, Amazon EC2 uses a Secret Access Key for access to its Query interface, but it uses a signing certificate for access to its SOAP interface and command line tool interface.
Although you can use IAM to create an access key, you can't use IAM to create a signing certificate. However, you can use free third-party tools such as OpenSSL to create the certificate. (For information about OpenSSL, go to http://www.openssl.org/.) After you have the signing certificate, you must upload it to IAM; the user needs to keep the corresponding private key to use for signing requests. You can use IAM to upload the certificate. For more information about using signing certificates, see Managing User Keys and Certificates.
Important
For security purposes, we recommend that you rotate your users' credentials on a regular basis. A user can have multiple access keys or signing certificates at a given time for this purpose. For more information, see Rotating Credentials.
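
The procedure quoted above (create the certificate with OpenSSL, keep the private key, upload only the certificate), as an added example that is not from the original post or the AWS documentation. File and function names are hypothetical, and the upload step assumes the unified AWS CLI (`aws iam upload-signing-certificate`), which the page itself does not name.

```shell
#!/bin/sh
# Added example: user names, file names and function names are hypothetical.

# Create a 2048-bit RSA key and a self-signed X.509 certificate for one
# IAM user. The key stays on the user's machine; only the certificate
# is uploaded. A bounded lifetime (default 365 days) supports rotation.
make_signing_cert() {
    dir=$1; user=$2; days=${3:-365}
    (
        umask 077    # private key readable by its owner only
        openssl genrsa -out "$dir/$user-key.pem" 2048 2>/dev/null
    ) || return 1
    openssl req -new -x509 -sha256 -days "$days" \
        -key "$dir/$user-key.pem" -subj "/CN=$user" \
        -out "$dir/$user-cert.pem" || return 1
}

# Succeeds only if the certificate carries the public half of the key,
# so a mismatched pair is caught before anything is uploaded.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Upload the certificate (never the key) to IAM. Assumes the unified
# AWS CLI is installed and the caller may manage this user's certificates.
upload_signing_cert() {
    aws iam upload-signing-certificate --user-name "$1" \
        --certificate-body "file://$2"
}

# Stand-alone use: sh signing-cert.sh <iam-user> <output-dir>
if [ $# -eq 2 ]; then
    make_signing_cert "$2" "$1" &&
    cert_matches_key "$2/$1-cert.pem" "$2/$1-key.pem" &&
    upload_signing_cert "$1" "$2/$1-cert.pem"
fi
```
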
