Not able to use IAM role with knife ec2 command


#1

I am using the following version:
knife-ec2-0.8.0
Chef: 11.16.0

The documentation here (https://docs.getchef.com/plugin_knife_ec2.html#id7)
says:
--use-iam-profile
Use the Identity and Access Management (IAM) that is assigned to the
current machine. Default value: false.

But I don’t see this option available in knife ec2 command.

[ec2-user@ip-10-1-0-30 ~]$ knife ec2 server list --use-iam-profile
Error: invalid option: --use-iam-profile
USAGE: knife ec2 server list (options)
    -A, --aws-access-key-id KEY      Your AWS Access Key ID
        --aws-credential-file FILE   File containing AWS credentials as used by aws cmdline tools
    -K SECRET,                       Your AWS API Secret Access Key
        --aws-secret-access-key
        --availability-zone          Show availability zones
    -s, --server-url URL             Chef Server URL
        --chef-zero-host HOST        Host to start chef-zero on
        --chef-zero-port PORT        Port to start chef-zero on
    -k, --key KEY                    API Client Key
        --[no-]color                 Use colored output, defaults to false on Windows, true otherwise
    -c, --config CONFIG              The configuration file to use
        --defaults                   Accept default values for all questions
    -d, --disable-editing            Do not open EDITOR, just accept the data as is
    -e, --editor EDITOR              Set the editor to use for interactive commands
    -E, --environment ENVIRONMENT    Set the Chef environment (except for in searches, where this will be flagrantly ignored)
    -F, --format FORMAT              Which format to use for output
    -z, --local-mode                 Point knife commands at local repository instead of server
    -n, --no-name                    Do not display name tag in output
    -u, --user USER                  API Client Username
        --print-after                Show the data after a destructive operation
        --region REGION              Your AWS region
    -t, --tags TAG1,TAG2             List of tags to output
    -V, --verbose                    More verbose output. Use twice for max verbosity
    -v, --version                    Show chef version
    -y, --yes                        Say yes to all prompts for confirmation
    -h, --help                       Show this message


#2

$ knife ec2 server create --help|grep profile
        --iam-profile NAME           The IAM instance profile to apply to this instance.

The help options are going to be specific for the subcommand you’re
executing. “--iam-profile” makes no sense in the context of listing
servers.

- Julian

On Thu, Oct 23, 2014 at 6:01 AM, Varun Shankar shankarvarun1@gmail.com wrote:

I am using the following version:
knife-ec2-0.8.0
Chef: 11.16.0

The documentation here (https://docs.getchef.com/plugin_knife_ec2.html#id7)
says:
--use-iam-profile
Use the Identity and Access Management (IAM) that is assigned to the current
machine. Default value: false.

But I don’t see this option available in knife ec2 command.


[ Julian C. Dunn jdunn@aquezada.com * Sorry, I’m ]
[ WWW: http://www.aquezada.com/staff/julian * only Web 1.0 ]
[ gopher://sdf.org/1/users/keymaker/ * compliant! ]
[ PGP: 91B3 7A9D 683C 7C16 715F 442C 6065 D533 FDC2 05B9 ]


#3

My workstation is an ec2 instance having an IAM role. I don’t want to keep
EC2 credentials on this instance. Knife ec2 should be able to use the IAM
role attached with the instance. According to the documentation --use-iam-profile
parameter does exactly that. But it is not working when I try to use the
same.

On Thu, Oct 23, 2014 at 9:08 PM, Julian C. Dunn jdunn@aquezada.com wrote:

$ knife ec2 server create --help|grep profile
        --iam-profile NAME           The IAM instance profile to apply to this instance.

The help options are going to be specific for the subcommand you’re
executing. “--iam-profile” makes no sense in the context of listing
servers.

- Julian


#4

I think that the docs are ambiguous, but when they say “use”, they mean
"set". That’s why it only applies to instance creation. Saying “the profile
to apply” is clearer about it being a set operation.
On Oct 24, 2014 10:24 PM, “Varun Shankar” shankarvarun1@gmail.com wrote:

My workstation is an ec2 instance having an IAM role. I don’t want to keep
EC2 credentials on this instance. Knife ec2 should be able to use the IAM
role attached with the instance. According to the documentation --use-iam-profile
parameter does exactly that. But it is not working when I try to use the
same.


#5

I don’t see any ambiguity. According to the docs, server create command
given below takes two options:

knife ec2 server create

    --iam-profile NAME    The name of the Identity and Access Management (IAM)
                          to apply to this instance.
    --use-iam-profile     Use the Identity and Access Management (IAM) profile
                          that is assigned to the current machine.

The first one is the IAM role associated to the node whereas the
second one is the IAM role associated with the workstation. The
problem is that the second option doesn’t work for me. Running “knife
ec2 server create --help” doesn’t even show this option.

So my question is: Is it possible to use the IAM role associated with
the workstation and not keep the EC2 credentials there?

On Sat, Oct 25, 2014 at 6:19 PM, Morgan Blackthorne stormerider@gmail.com
wrote:

I think that the docs are ambiguous, but when they say “use”, they mean
"set". That’s why it only applies to instance creation. Saying “the profile
to apply” is clearer about it being a set operation.

#6

Hiya,

On Thu, Oct 23, 2014 at 11:01 AM, Varun Shankar shankarvarun1@gmail.com
wrote:

I am using the following version:
knife-ec2-0.8.0

knife-ec2 0.8.0 was released on the 10th of March (according to
https://rubygems.org/gems/knife-ec2 ) while the --use-iam-profile feature
was only merged in September (see
https://github.com/opscode/knife-ec2/commit/106ae7eb5e822433569e625cf1ea90d6041d5a0c
). The changelog also shows that this feature is unreleased:
https://github.com/opscode/knife-ec2/blob/master/CHANGELOG.md

So I think the confusion here is that the docs team are doing an awesome
job of keeping on top of changes, and it’s been a long time since we’ve
seen a release of the knife-ec2 plugin.

From the dates, you might be able to try this feature out by installing a
prerelease version of the knife-ec2 gem, but otherwise you’ll need to wait
for the next release.

Zac
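
The goal behind this thread, keeping AWS keys off a workstation that already has an IAM role, can be checked in the knife configuration itself. The Ruby below is an added example, not part of the thread or of knife-ec2; it assumes the plugin's usual mapping of command-line options to knife[:...] settings (so --use-iam-profile corresponds to knife[:use_iam_profile]), and both sample configurations are constructed.

```ruby
# Added example: audit a knife.rb for stored AWS keys vs. instance-role use.
# Both configurations are constructed samples; key values are placeholders.
STATIC_KNIFE_RB = <<~'CONF'
  chef_server_url "https://chef.example.invalid/organizations/demo"
  knife[:aws_access_key_id]     = "PLACEHOLDER_ACCESS_KEY_ID"
  knife[:aws_secret_access_key] = "PLACEHOLDER_SECRET"  # long-lived secret on disk
  # knife[:use_iam_profile] = true
  knife[:region] = "us-east-1"
CONF

ROLE_KNIFE_RB = <<~'CONF'
  chef_server_url "https://chef.example.invalid/organizations/demo"
  knife[:use_iam_profile] = true   # assumed config form of --use-iam-profile
  knife[:region] = "us-east-1"
CONF

# Settings that put long-lived AWS credentials (or a path to them) on disk.
STATIC_CREDENTIAL_KEYS = %w[aws_access_key_id aws_secret_access_key aws_credential_file].freeze

# Collect uncommented `knife[:key] = value` lines as { "key" => "value" }.
# Simplification: a '#' inside a quoted value is treated as a comment start.
def knife_settings(text)
  text.each_line.with_object({}) do |line, found|
    next if line.lstrip.start_with?("#")
    m = line.match(/^\s*knife\[:(\w+)\]\s*=\s*(.+?)\s*(?:#.*)?$/)
    found[m[1]] = m[2].delete(%q("')) if m
  end
end

# Report which credential settings are stored and whether the role is used.
def audit_knife_rb(text)
  settings = knife_settings(text)
  stored = STATIC_CREDENTIAL_KEYS.select { |key| settings.key?(key) }
  uses_role = settings["use_iam_profile"] == "true"
  verdict = if !stored.empty? then :static_credentials_present
            elsif uses_role   then :role_only
            else                   :no_credentials_configured
            end
  { stored_credentials: stored, use_iam_profile: uses_role, verdict: verdict }
end

if __FILE__ == $PROGRAM_NAME
  { "static" => STATIC_KNIFE_RB, "role" => ROLE_KNIFE_RB }.each do |name, conf|
    puts "#{name}: #{audit_knife_rb(conf)}"
  end
end
```

A :static_credentials_present verdict means the keys should be removed from the file and rotated once a plugin release that accepts --use-iam-profile is installed.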