AWS Credentials for EC2 Auto Discovery

According to the Hazelcast Guide, in order to use EC2 auto-discovery, the AWS credentials must be provided in the config file. Instead of using long-term access keys, is it possible for Hazelcast to obtain temporary credentials when hosted on an EC2 instance running with an IAM role (following the AWS best practice "Use temporary security credentials (IAM roles) instead of long-term access keys")?

2 answers


It took me a while to find the information I needed when I did this. And honestly, explicitly specifying IP addresses works just as well, as long as your cluster doesn't have hundreds of nodes that you'd have to type in manually.

The AWS tag key/value pair is optional. I'm a little paranoid: I might mistakenly join another cluster, and it is always better to explicitly create such a resource group (servers).

First, you need to create an IAM user with the minimum permissions Hazelcast requires. Obviously, you don't want to use your root user credentials for this.

Use the AWS Console. It's in your username dropdown (where your account settings are) in the top right corner. Click on Security Credentials, then Groups. Create a group with the following policy:



{
  "Version": "xxxxxxx",
  "Statement": [
    {
      "Sid": "xxxxxx",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
As you can see, the only permission that Hazelcast requires is "DescribeInstances". I found this by accident - deep inside one of Fuad Malikov's Q&A Threads.

The rest is trivial. Create an IAM user, e.g. "hazelcast", in this group and download (export) its credentials, which you then add to your Hazelcast configuration as shown below. I'm using Spring, but there is a one-to-one mapping to the classic Hazelcast config file. Or you can set these properties programmatically, which is essentially what Spring does for me.

<property name="properties">
  <props>
      <!-- ICMP ping helps detect dead members; the join itself is done by AWS discovery -->
      <prop key="hazelcast.icmp.enabled">true</prop>
  </props>
</property>
<property name="join">
    <bean class="com.hazelcast.config.JoinConfig">
        <!-- multicast and static TCP/IP joins are disabled; only AWS discovery is used -->
        <property name="multicastConfig">
            <bean class="com.hazelcast.config.MulticastConfig">
                <property name="enabled" value="false"/>
            </bean>
        </property>
        <property name="tcpIpConfig">
            <bean class="com.hazelcast.config.TcpIpConfig">
                <property name="enabled" value="false"/>
            </bean>
        </property>
        <property name="awsConfig">
            <bean class="com.hazelcast.config.AwsConfig">
                <property name="enabled" value="true"/>
                <property name="region" value="us-west-2"/>
                <!-- credentials of the IAM user created above (placeholders) -->
                <property name="accessKey" value="zzzzzzz"/>
                <property name="secretKey" value="yyyyyyy"/>
                <!-- optional: only instances carrying this tag are considered members -->
                <property name="tagKey" value="your-instance-tag-key"/>
                <property name="tagValue" value="your-instance-tag-value"/>
            </bean>
        </property>
    </bean>
</property>

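The answer above boils the Hazelcast discovery user down to a single permission. As an added example (not code from the answer or from Hazelcast), this check parses an IAM policy document and reports any Allow grant wider than ec2:DescribeInstances, so a policy like the one above can be verified before the user's keys are handed to a cluster. The sample policy is constructed here; the allowed-action set and function names are this example's own.

```python
import json

# The least-privilege permission set the answer arrives at: Hazelcast's
# EC2 discovery only needs to list instances.
ALLOWED_ACTIONS = {"ec2:describeinstances"}  # compared case-insensitively

# Constructed sample, shaped like the policy in the answer (Version and
# Sid kept as the same placeholders the answer used).
MINIMAL_POLICY = """{
  "Version": "xxxxxxx",
  "Statement": [
    {"Sid": "xxxxxx", "Effect": "Allow",
     "Action": ["ec2:DescribeInstances"], "Resource": ["*"]}
  ]
}"""


def _as_list(value):
    """IAM accepts a single string or a list for Statement, Action and NotAction."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def excess_permissions(policy_json, allowed=ALLOWED_ACTIONS):
    """Return the grants in an IAM policy that exceed the allowed action set.

    Wildcards ("*", "ec2:*", "ec2:Describe*") are reported even though they
    cover DescribeInstances, because they grant more than discovery needs.
    NotAction in an Allow statement is reported whole (it allows everything
    else). Deny statements never widen access and are skipped.
    """
    policy = json.loads(policy_json)
    excess = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            excess.append("NotAction:" + ",".join(_as_list(stmt["NotAction"])))
            continue
        for action in _as_list(stmt.get("Action")):
            if "*" in action or action.lower() not in allowed:
                excess.append(action)
    return excess


if __name__ == "__main__":
    print("excess grants:", excess_permissions(MINIMAL_POLICY))
```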


Currently Hazelcast does not yet support IAM role authentication, but this is planned to be implemented once the new discovery SPI opens.
