Make Amazon EC2 control go faster
Do you run enough EC2 systems to care about the time it takes to start one or check its status, but not enough to justify an account at Scalr or RightScale to manage them? Do you care about automating instance management? Are you working in a team where several people need to provision or access servers? If so, consider this quickstart to a better way of setting up you cluster. Apologies for the acronym soup - blame Amazon Web Services for that.
- Turn on IAM for your AWS account, so that you can create an account for every team member separately. While you're there, I'd also recommend you turn on Multi Factor Authentication (MFA) for each account. You can use Google Authenticator (Android or iPhone) to provide you the MFA tokens, even if you're not securing your Google account with it. Thanks, Tuomo, for pointing that out, I had thought MFA depended on keyfob tokens.
- Don't leave IAM yet. Go to the Roles tab and create a new Role (I call mine InstanceManager) with a Power User Access policy template.
- Move on to the EC2 management console and create a new instance. It has to be a new one, you can't associate this awesome power with anything you have already. For practice, use the Quick Launch Wizard -- I'll go through this step by step.
- Name your instance. I call mine Master. Lets assume you already have a Key Pair you know how to use with EC2. Choose that.
- Choose the Amazon Linux AMI 2012.03 as your launch config. Hey, it's a decent OS, and if you like Ubuntu better, you can repeat this with your favorite AMI later once you know how it works.
- Choose Edit details on the next page of the wizard. We'll do changes in several places.
- Make the Type t1.micro, you don't want to do much more than manage other instances on this one so it doesn't need a lot of oomph. I would recommend turning on Termination Protection to avoid a silly mistake later on.
- Tag it like you wish
- If you're using Security Groups (warmly recommended!), choose one which has access to your other servers.
- Here's the important bit: on the Advanced Details tab, choose the IAM role you created earlier (InstanceManager, if you followed my naming).
- No need to change anything in the Storage config. Click Save details, then Launch.
The instance will come up like any other, you'll probably know how that works. If you're used to something else than Amazon Linux, this one expects you to log in as ec2-user, and you can sudo from there to root. Set up your own account and secure the box to your best effort, since this one holds the keys to everything you're running on EC2.
Now, why did we do all this?
- Log in. With a regular account, no root, no keys copied from anywhere else.
ec2-describe-instancesto the shell.
- Witness a) fast response b) with all your instances listed. a) comes from running inside the AWS data center, and b) is the IAM Role magic.
- Rejoice how your teammates will not need to manage their own access secrets. You did secure the master account and SSH to this box, right?
- Try to launch something else. Yup, it all works.
Setting up the IAM Role and associating one to an instance through the command line is somewhat more involved, so this is much easier to do from the web console as above. The IAM docs do tell how, but I wasted an hour or two getting my head wrapped around why the console talked of roles, but the API and command line needed profiles (answer: the console hides the profiles beneath defaults). If you wish to have your own applications manage pieces of the AWS infrastructure, and hate the hoops you have to jump through to pass the required access keys around, IAM Roles are what you're looking for, and you'll want to read up on the API in a bit more detail. Now you've been introduced.