Update BUILDING.md and PUBLISHING-AWS.md to mention need for aws creds #2334

Merged
merged 1 commit into from
Sep 28, 2022
4 changes: 4 additions & 0 deletions BUILDING.md
Expand Up @@ -154,6 +154,10 @@ cargo make \

To use the image in Amazon EC2, we need to register the image as an AMI.

To do this, you'll need to have your AWS account credentials setup on your system.
There are lots of ways to do this; one method is using [the `aws` CLI](https://aws.amazon.com/cli/) via its `configure` command with your user's access and secret keys.
If you're using an EC2 instance, the [EC2 instance's IAM role](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html) will be used automatically if available.

For a simple start, pick an [EC2 region](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-regions), then run:

```
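Review bot: "setup" in the first added line should be "set up" (verb form). Since this is the paragraph where readers will paste long-lived user access keys into `aws configure`, it is worth noting that those keys are written in plaintext to `~/.aws/credentials` and that a named profile, an IAM Identity Center login or the instance role is the better default; the last added sentence should also say that the instance role is only picked up when no credentials are configured through environment variables or a profile, since the SDK credential chain consults those first.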
5 changes: 5 additions & 0 deletions PUBLISHING-AWS.md
Expand Up @@ -12,6 +12,11 @@ You can also specify this in your `Infra.toml` file:
regions = ["us-west-2", "us-east-1", "us-east-2"]
```

Note: several commands work with AWS services, so there's some shared configuration related to AWS accounts and AWS IAM roles.
For example, you can specify a role to assume before any API calls are made, and a role to assume before any API calls in a specific region.
This can be useful if you want to use roles to control access to the accounts that own AMIs, for example.
See the commented [example Infra.toml](tools/pubsys/Infra.toml.example) for details.
Comment on lines +15 to +18
Contributor
Are you just updating the documentation to mention the possibility, or did something in the way the tools behaved suggest that you needed to configure a role to assume?

This is a relatively niche option, intended for the case where an otherwise unprivileged EC2 instance should be assuming roles in the same account, or a different account. Whether it's useful really depends on the scenario and the threat model.

Contributor Author

Good question: this is mostly mentioning the possibility since I ran into it directly in #2327.

But this specific chunk I actually found and copy/pasted from PUBLISHING.md. It seemed like a good chunk to also utilize here in PUBLISHING-AWS.md. I agree, it is a bit of a niche use case, but I wasn't sure if it was common enough for people working on Bottlerocket to also mention here.

If you specify multiple regions, an AMI will be registered in the first region and then copied to the other regions.

After putting this in `Infra.toml`, you can make an AMI more easily:
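Review bot: the placement of the new note splits the regions discussion: it sits between the `regions = [...]` example and the sentence "If you specify multiple regions, an AMI will be registered in the first region and then copied to the other regions", and it makes "After putting this in `Infra.toml`" read as referring to the role settings rather than the regions list. Suggest moving the four added lines below the copy-to-regions sentence (or into their own short paragraph on AWS account configuration), and confirming that the relative link `tools/pubsys/Infra.toml.example` resolves from the location of PUBLISHING-AWS.md.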