How to avoid storing access credentials on your Cloud Access Server for AWS
Storing access credentials in plain text on the Cloud Access Server is always a slightly insecure way of handling credentials, and it should be avoided whenever an alternative exists.
Luckily, AWS provides such a mechanism (an IAM role attached to the EC2 instance), and you are encouraged to take advantage of this feature for every AWS account you want to link to your Hybrid Cloud at xPlore.Cloud. You can learn more about this AWS feature here.
In this blog post I am going to show you how to do this in a few easy steps.
Step 1: Log into your AWS console, head over to the IAM console, click on Roles in the left panel and then click on the Create Role button.
Step 2: On the Create Role screen, select AWS Service for the type of trusted entity and EC2 for the service that will use this role, then scroll down and choose EC2 for your use case. Then click the Next: Permissions button in the bottom right.
Fig 1: Select AWS Service for type of trusted entity and EC2 for the service that will use this role
Fig 2: Scroll down and choose EC2 for your use case
Step 3: In the search box, start typing PowerUser. From the filtered list that appears below, tick the checkbox next to the PowerUserAccess entry and click the Next: Review button in the bottom right.
Fig 3: Check the checkbox against the entry PowerUserAccess
Step 4: Give the role a meaningful name, e.g. xploreCloudAccessServer, optionally write a description and click the Create role button in the bottom right. This creates the role for you, and you should be able to see it in the list on the next page.
Fig 4: You should be able to see the newly created Role in the list on the next page
Step 5: Now head over to the EC2 console, select the US West (Oregon) region from the Regions dropdown at the top-right and click on the Launch instance button.
Step 6: Click on the Community AMIs tab in the left panel, type xplore.cloudaccess into the search box and press Enter. You should get only one AMI back, and its name should be of the form xPlore.CloudAccessServer-Ver-x-y-z, where x, y and z are numbers, e.g. xPlore.CloudAccessServer-Ver-1.2.0. Click Select for this one. On the next screen, select the instance type you want to launch and click the Review and Launch button in the bottom right.
Step 7: On the review screen, set up a proper security group, give the server a meaningful Name tag in the Tags section, and then click on the Edit instance details link on the right. On this form, for the field IAM role, select the role you just created. Then click Launch.
Fig 5: For the field IAM role, select the role you just created
And that is all there is to it!
From this server, the CAS code will be able to call the AWS API endpoints and run commands without any access keys having to be stored on it.
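For readers who prefer to script the same setup, here is the API equivalent of Steps 1-7, written by me as an added example rather than code from xPlore.Cloud: it creates the EC2-trusted role with PowerUserAccess, wraps it in an instance profile, and launches the AMI with that profile attached. The role name, tag value, and the DryRunClient stand-in (which records calls instead of hitting AWS) are assumptions; pass real boto3 IAM and EC2 clients to run it for real.

```python
import json

ROLE_NAME = "xploreCloudAccessServer"                        # role name from Step 4
POWER_USER_ARN = "arn:aws:iam::aws:policy/PowerUserAccess"  # managed policy from Step 3


def ec2_trust_policy():
    # Equivalent of choosing "AWS service" + "EC2" in Step 2: only the EC2
    # service may assume this role, so only instances that carry the profile
    # receive its short-lived credentials (via the instance metadata service).
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"Service": "ec2.amazonaws.com"},
                           "Action": "sts:AssumeRole"}]}


def create_cas_role(iam, role_name=ROLE_NAME):
    # Steps 1-4 through the API. `iam` is a boto3 IAM client or a DryRunClient.
    iam.create_role(RoleName=role_name,
                    AssumeRolePolicyDocument=json.dumps(ec2_trust_policy()),
                    Description="Role assumed by the xPlore.Cloud Access Server")
    iam.attach_role_policy(RoleName=role_name, PolicyArn=POWER_USER_ARN)
    # The console creates the instance profile for you; the API does not.
    iam.create_instance_profile(InstanceProfileName=role_name)
    iam.add_role_to_instance_profile(InstanceProfileName=role_name, RoleName=role_name)
    return role_name                      # instance profile name used at launch


def launch_cas_instance(ec2, image_id, instance_type, security_group_id,
                        profile_name=ROLE_NAME):
    # Steps 6-7 through the API: the profile is attached at launch, so no
    # long-lived access keys are ever written to the server.
    resp = ec2.run_instances(
        ImageId=image_id, InstanceType=instance_type, MinCount=1, MaxCount=1,
        SecurityGroupIds=[security_group_id],
        IamInstanceProfile={"Name": profile_name},
        TagSpecifications=[{"ResourceType": "instance",
                            "Tags": [{"Key": "Name", "Value": "xPlore CAS"}]}])
    return resp["Instances"][0]["InstanceId"]


class DryRunClient:
    # Records the API calls instead of making them, so the flow can be checked
    # without an AWS account (constructed stand-in, not part of boto3).
    def __init__(self):
        self.calls = []

    def __getattr__(self, api):
        def call(**kwargs):
            self.calls.append((api, kwargs))
            return {"Instances": [{"InstanceId": "i-0123456789abcdef0"}]}  # constructed id
        return call
```

With real clients, the AMI id for `launch_cas_instance` is the one you find in Step 6 and the security group id is the one you set up in Step 7.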