# IAM role intended for the Jenkins master EC2 instance (see
# aws_instance.jenkins_master below). The trust policy allows only the EC2
# service principal to assume it; permissions come from the attached policy.
resource "aws_iam_role" "ssm_access" {
  name = "ssm_access"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = ""
      Effect    = "Allow"
      Principal = { Service = "ec2.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}
# AWS-managed policy that grants an instance the core Systems Manager
# permissions (Session Manager, Run Command, ...), looked up by its ARN.
data "aws_iam_policy" "ssm_policy" {
  arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}
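# Attach the managed SSM policy to the role. The role is referenced as
# `aws_iam_role.ssm_access`, matching the form used elsewhere in this file;
# the `resource.` prefix is valid but only needed when a type name clashes
# with a reserved word.
resource "aws_iam_role_policy_attachment" "ssm-role-policy-attach" {
  role       = aws_iam_role.ssm_access.name
  policy_arn = data.aws_iam_policy.ssm_policy.arn
}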
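# `iam_instance_profile` on aws_instance takes the name of an *instance
# profile*, not of a role; passing the role name fails unless a profile with
# the same name happens to exist. Wrap the role in a profile and reference
# that instead.
resource "aws_iam_instance_profile" "ssm_access" {
  name = "ssm_access"
  role = aws_iam_role.ssm_access.name
}

# Jenkins master instance (other arguments elided in the original snippet).
resource "aws_instance" "jenkins_master" {
...
  iam_instance_profile = aws_iam_instance_profile.ssm_access.name
...
}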
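# Account ids and role name (placeholder values).
GEKO_ACCOUNT_ID="1111111"
DEST_ACCOUNT_ID="222222222"
DEST_ASSUMED_ROLE="GekoRole"

# Check that the role in the GEKO account can be assumed. The full response,
# temporary credentials included, is printed to stdout, so run this only in a
# terminal whose output is not being recorded or shared.
aws sts assume-role \
  --role-arn "arn:aws:iam::${GEKO_ACCOUNT_ID}:role/Role" \
  --role-session-name awscli-session

# Assume the destination role and export its temporary credentials into the
# current shell. Capturing the output first (instead of `export $(printf ...)`)
# means a failed assume-role does not export three empty variables; `read`
# splits the single tab-separated line produced by --output text.
if creds="$(aws sts assume-role \
  --role-arn "arn:aws:iam::${DEST_ACCOUNT_ID}:role/${DEST_ASSUMED_ROLE}" \
  --role-session-name user \
  --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \
  --output text)"; then
  read -r AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN <<< "$creds"
  export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
else
  echo "assume-role failed; credentials not exported" >&2
fi
unset creds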
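# Role to assume (placeholder account id). It must be assigned in the current
# shell: with the original `DEPLOY_ROLE=... aws sts assume-role --role-arn
# "$DEPLOY_ROLE"` prefix form the shell expands "$DEPLOY_ROLE" *before* the
# prefix assignment takes effect, so the CLI received an empty ARN.
DEPLOY_ROLE="arn:aws:iam::1111111:role/role"

# Keep the credential JSON in a private (0600, random-name) temp file rather
# than a plain "tmpfile" in the working directory, and remove it once the
# values are extracted so the credentials do not linger on disk.
tmpfile="$(mktemp)"
aws sts assume-role --role-arn "$DEPLOY_ROLE" --role-session-name test > "$tmpfile"

# `jq -r` prints raw strings, so the quote-stripping `tr -d` is not needed.
export AWS_ACCESS_KEY_ID="$(jq -r '.Credentials.AccessKeyId' "$tmpfile")"
export AWS_SECRET_ACCESS_KEY="$(jq -r '.Credentials.SecretAccessKey' "$tmpfile")"
export AWS_SESSION_TOKEN="$(jq -r '.Credentials.SessionToken' "$tmpfile")"
rm -f "$tmpfile"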
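# Region and account (placeholder id) of the ECR registry.
regionID="eu-west-1"
aws_account_id="111111"

# Use ${var} (parameter expansion), not $(var): `$(regionID)` is command
# substitution and would try to run a program called regionID, leaving the
# registry host name empty. The login token is piped straight into docker via
# --password-stdin so it never appears on a command line or in shell history.
aws ecr get-login-password --region "${regionID}" \
  | docker login --username AWS --password-stdin "${aws_account_id}.dkr.ecr.${regionID}.amazonaws.com"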
# Usage template: list the IAM users, groups and roles a policy is attached to.
# <arn_of_policy> is a placeholder; the bracketed --entity-filter is optional.
aws iam list-entities-for-policy --policy-arn <arn_of_policy> [--entity-filter Role]
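# Inside an ECS task: fetch the task-role credentials from the container
# credential endpoint. `${VAR:?...}` aborts with a message when the relative
# URI is not set (i.e. not running as an ECS task) instead of requesting the
# bare endpoint root. The response holds live credentials; keep it out of
# logs, tickets and shared terminals.
curl "169.254.170.2${AWS_CONTAINER_CREDENTIALS_RELATIVE_URI:?AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is not set}"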
Ejemplo de acceso a una RDS privada (my_rds.eu-west-1.rds.amazonaws.com) mediante port forwarding a través de un bastión EC2 Linux (i-1111111111111111) usando el profile indicado (sustituir %PROFILE% por aoc-valid-dev, por ejemplo):
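# Two separate commands. Collapsed onto one line, `export` would try to export
# "aws", "ssm", "start-session", ... as variable names and the session would
# never start. %PROFILE% is a placeholder for the AWS CLI profile to use.
export AWS_PROFILE="%PROFILE%"

# Forward local port 5432 through the bastion to the private RDS endpoint.
# --parameters is given as a single-quoted JSON document; the unquoted
# "key"=[...] form is torn apart by the shell before the CLI sees it.
aws ssm start-session \
  --target i-1111111111111111 \
  --document-name AWS-StartPortForwardingSessionToRemoteHost \
  --parameters '{"portNumber":["5432"],"host":["my_rds.eu-west-1.rds.amazonaws.com"],"localPortNumber":["5432"]}' \
  --region eu-west-1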
CPU value | Memory value (MiB) |
---|---|
256 (.25 vCPU) | 512 (0.5GB), 1024 (1GB), 2048 (2GB) |
512 (.5 vCPU) | 1024 (1GB), 2048 (2GB), 3072 (3GB), 4096 (4GB) |
1024 (1 vCPU) | 2048 (2GB), 3072 (3GB), 4096 (4GB), 5120 (5GB), 6144 (6GB), 7168 (7GB), 8192 (8GB) |
2048 (2 vCPU) | Between 4096 (4GB) and 16384 (16GB) in increments of 1024 (1GB) |
4096 (4 vCPU) | Between 8192 (8GB) and 30720 (30GB) in increments of 1024 (1GB) |
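# ARN of the created secret version, or null when no secrets were requested.
# The condition uses length() instead of `var.secrets != {}`: a map-typed
# variable never compares equal to the empty *object* literal `{}`, so the old
# test stayed true even for an empty map (exact behaviour depends on how
# var.secrets is declared, which is not shown here). try() keeps a null value
# from erroring inside length().
output "secrets_arn" {
  value = try(length(var.secrets), 0) > 0 ? one(aws_secretsmanager_secret_version.this[*].arn) : null
}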