We have spun up a box with cloudbreak deployer 1.2.1 but we're having some difficulties understanding the way to properly manage AWS credentials.
The docs mention that there are two ways to set up AWS credentials: key-based and role-based (cf. http://sequenceiq.com/cloudbreak-docs/latest/aws/#setup-cloudbreak-deployer ). We prefer role-based as that fits with our usage. However, it then says:
"you need to set your AWS key in the Profile file"
…which makes me think that it doesn't use instance profile credentials (http://docs.aws.amazon.com/AWSSdkDocsJava/latest/DeveloperGuide/java-dg-roles.html, option 4). A brief look at the source code indicates that the default Java AWS clients are used, which do take advantage of that mechanism. That is, given the instance is already associated with an IAM role, no other credentials should be needed.
Am I missing something?
Hi @Vasco Figueira
The role that we are using in Cloudbreak is not an 'instance profile credential'; this role is used for cross-account access.
Regarding 'you need to set your AWS key in the Profile file': these keys are used for assuming the role on the AWS side and nothing else.
I understand that the credentials are for assuming the role. My question is, given the instance where it's running already has that role, should the app not use the instance profile credentials instead of using environment variables?
It is currently not possible with Cloudbreak, but I will add this as a feature request and will implement it in the next release.
Currently you have to use the way which is mentioned in the documentation.
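
What the question describes, assuming a cross-account role with source credentials taken from the instance profile rather than from keys in environment variables, looks like this with the AWS SDK for Java (v1). This is an added example, not Cloudbreak's code or part of the thread; the role ARN, region, session name and class name are placeholders, and it assumes the instance's role is permitted to call sts:AssumeRole on the target role.

```java
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.AWSSessionCredentials;
import com.amazonaws.auth.EnvironmentVariableCredentialsProvider;
import com.amazonaws.auth.InstanceProfileCredentialsProvider;
import com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;

public class AssumeRoleSource {
    // Placeholders (assumptions): substitute your own role ARN and region.
    static final String ROLE_ARN = "arn:aws:iam::111122223333:role/EXAMPLE-CROSS-ACCOUNT-ROLE";
    static final String REGION = "us-east-1";

    // "keys": long-lived access keys read from environment variables.
    // "instance-profile": short-lived credentials from the EC2 metadata service.
    static AWSCredentialsProvider source(String mode) {
        switch (mode) {
            case "keys":
                return new EnvironmentVariableCredentialsProvider();
            case "instance-profile":
                return InstanceProfileCredentialsProvider.getInstance();
            default:
                throw new IllegalArgumentException("mode must be keys or instance-profile");
        }
    }

    // Calls sts:AssumeRole, signed with the chosen source credentials.
    static AWSSessionCredentials assume(AWSCredentialsProvider source) {
        AWSSecurityTokenService sts = AWSSecurityTokenServiceClientBuilder.standard()
                .withCredentials(source)
                .withRegion(REGION)
                .build();
        return new STSAssumeRoleSessionCredentialsProvider
                .Builder(ROLE_ARN, "example-session")
                .withStsClient(sts)
                .build()
                .getCredentials();
    }

    public static void main(String[] args) {
        String mode = args.length > 0 ? args[0] : "instance-profile";
        AWSSessionCredentials creds = assume(source(mode));
        // Report only that a session token came back; never log the secret material.
        System.out.println(mode + ": assumed role, session token present = "
                + (creds.getSessionToken() != null));
    }
}
```

In both modes the result is the same temporary session for the target role; the difference is whether a long-lived key has to be stored on the box to obtain it.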