How do I use an IAM role to configure fence_aws instead of access_key and secret_key?


Environment

  • Red Hat Enterprise Linux 7.6 or later (with the High Availability Add-on)
  • Red Hat Enterprise Linux 8 (with the High Availability Add-on)

Issue

  • Is there a more secure alternative to storing an AWS access key and secret key in ~/.aws/credentials?

Resolution

Important: If IMDSv2 is required for the EC2 instances in the cluster, refer to the solution "fence_aws, AWS resource agents, and AWS CLI commands time out when IMDSv2 is required"; a later package version may be needed.

Attach an IAM role with the permissions needed to reboot an EC2 instance to each instance in the cluster. No special configuration is required inside the VM for fence_aws to use the role: it is picked up automatically whenever credentials are not specified explicitly. The steps for configuring the IAM role are described in the following AWS documentation:

The AWS region still needs to be specified, even though the --access-key and --secret-key options are not required when a role is used for authorization.

In fence-agents-aws versions prior to the patch, the --region option is ignored unless the --access-key and --secret-key options are also used. In that case, the region can be specified in ~/.aws/config:

# cat ~/.aws/config 
[default]
region = us-west-2

# fence_aws -o status -n <instance> -v
...
2019-09-19 04:14:51,891 DEBUG: Loading variable region from config file with value 'us-west-2'.
...
2019-09-19 04:14:51,905 DEBUG: Found credentials from IAM Role: power-user-role
...
Status: ON

In the fence-agents-aws versions with the patch (listed in the section below), the --region option can be specified on the command line without --access-key and --secret-key. Equivalently, in the versions listed below, you can configure a stonith device with region=<region> without configuring the access_key and secret_key options.

# fence_aws -o status -n <instance> --region us-west-2 -v
...
2019-09-19 04:23:38,570 DEBUG: Looking for credentials via: iam-role
2019-09-19 04:23:38,574 INFO: Starting new HTTP connection (1): 169.254.169.254
2019-09-19 04:23:38,575 DEBUG: "GET /latest/meta-data/iam/security-credentials/ HTTP/1.1" 200 21
2019-09-19 04:23:38,576 INFO: Starting new HTTP connection (1): 169.254.169.254
2019-09-19 04:23:38,577 DEBUG: "GET /latest/meta-data/iam/security-credentials/power-user-role HTTP/1.1" 200 1298
2019-09-19 04:23:38,578 DEBUG: Found credentials from IAM Role: power-user-role
...
Status: ON

# pcs stonith create awsfence fence_aws region=us-west-2 <other_options>
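As an added check (example code, not part of this solution or of the fence-agents project), the following Python parses verbose fence_aws output like the logs above, reports which credential provider answered and whether the region was read from ~/.aws/config, and flags a ~/.aws/credentials file that still carries a static key after the move to a role. The log samples are constructed, and the provider name shared-credentials-file is botocore's and assumed here.

```python
import configparser
import re

# Constructed sample of `fence_aws -o status -n <instance> --region us-west-2 -v`
# output when the agent authenticates with the instance's IAM role.
ROLE_LOG = """\
2019-09-19 04:23:38,570 DEBUG: Looking for credentials via: iam-role
2019-09-19 04:23:38,578 DEBUG: Found credentials from IAM Role: power-user-role
Status: ON
"""
# Constructed sample of a run that still picked up static keys; the provider
# name "shared-credentials-file" is botocore's and is assumed here.
STATIC_LOG = """\
2019-09-19 04:14:51,880 DEBUG: Looking for credentials via: shared-credentials-file
2019-09-19 04:14:51,891 DEBUG: Loading variable region from config file with value 'us-west-2'.
Status: ON
"""
ROLE_RE = re.compile(r"Found credentials from IAM Role: (\S+)")
PROVIDER_RE = re.compile(r"Looking for credentials via: (\S+)")
REGION_RE = re.compile(r"Loading variable region from config file with value '([^']+)'")

def credential_source(log):
    """Return (provider, role_name); role_name is None unless an IAM role answered."""
    match = ROLE_RE.search(log)
    if match:
        return "iam-role", match.group(1)
    providers = PROVIDER_RE.findall(log)
    # The last provider probed before the Status line is the one that answered.
    return (providers[-1] if providers else "unknown"), None

def region_from_config(log):
    """Region fence_aws read from ~/.aws/config, or None if it came from --region."""
    match = REGION_RE.search(log)
    return match.group(1) if match else None

def static_keys_present(credentials_ini):
    """True if the text of ~/.aws/credentials still carries an access key."""
    parser = configparser.ConfigParser()
    parser.read_string(credentials_ini)
    return any(parser.has_option(s, "aws_access_key_id") for s in parser.sections())

def audit(log, credentials_ini=""):
    """Summarise how fence_aws authenticated and flag anything not role-based."""
    provider, role = credential_source(log)
    findings = []
    if provider != "iam-role":
        findings.append("credentials did not come from an instance role: " + provider)
    if static_keys_present(credentials_ini):
        findings.append("~/.aws/credentials still contains a static access key")
    return {"provider": provider, "role": role,
            "region_from_config": region_from_config(log), "findings": findings}
```

Run it against the real output of `fence_aws -v` on each cluster node (and the node's ~/.aws/credentials, if present) to confirm every node authenticates with the role and that no static key is left behind.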

Red Hat Enterprise Linux 7

  • Red Hat Enterprise Linux 7.6: this feature has been added in [`fence-agents-aws-4.2.1-11.el7_6.9`](/errata/RHBA-2020:2292).
  • Red Hat Enterprise Linux 7.7: this feature has been added in [`fence-agents-aws-4.2.1-24.el7_7.1`](/errata/RHBA-2020:2532).
  • Red Hat Enterprise Linux 7.8: this feature has been added in [`fence-agents-4.2.1-30.el7_8.1`](/errata/RHBA-2020:2657).
  • Red Hat Enterprise Linux 7.9: this feature has been added in [`fence-agents-4.2.1-41.el7`](/errata/RHBA-2020:3850).

Red Hat Enterprise Linux 8

  • Red Hat Enterprise Linux 8.3: this feature has been added in [`fence-agents-4.2.1-53.el8`](/errata/RHBA-2020:4622).
  • Red Hat Enterprise Linux 8.4 or later: this feature is supported.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.