From 03282a47ea69f4ffa65b8f0213e5e87d9eaf2acd Mon Sep 17 00:00:00 2001
From: Jason Sherman
Date: Mon, 20 Mar 2017 10:01:35 -0500
Subject: [PATCH 1/3] Don't Repeat Yourself.
---
 ebs-snapshot.sh | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/ebs-snapshot.sh b/ebs-snapshot.sh
index 89c9b64..64ffff7 100644
--- a/ebs-snapshot.sh
+++ b/ebs-snapshot.sh
@@ -27,9 +27,12 @@ set -o pipefail
 ## Variable Declartions ##
+# This URI is the same everywhere. Keep it DRY.
+latest_metadata=http://169.254.169.254/latest/meta-data/
+
 # Get Instance Details
-instance_id=$(wget -q -O- http://169.254.169.254/latest/meta-data/instance-id)
-region=$(wget -q -O- http://169.254.169.254/latest/meta-data/placement/availability-zone | sed -e 's/\([1-9]\).$/\1/g')
+instance_id=$(wget -q -O- ${latest_metadata}instance-id)
+region=$(wget -q -O- ${latest_metadata}placement/availability-zone | sed -e 's/\([1-9]\).$/\1/g')
 # Set Logging Options
 logfile="/var/log/ebs-snapshot.log"
From 2c8df85fb798a1e3b15dcaaad0c713415bf94dfd Mon Sep 17 00:00:00 2001
From: Jason Sherman
Date: Mon, 20 Mar 2017 11:20:25 -0500
Subject: [PATCH 2/3] Use IAM machine role.
---
 ebs-snapshot.sh | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/ebs-snapshot.sh b/ebs-snapshot.sh
index 64ffff7..c0c3d23 100644
--- a/ebs-snapshot.sh
+++ b/ebs-snapshot.sh
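Review bot: In patch 1/3 (`@@ -27,9 +27,12 @@`), the rewritten `instance_id` and `region` lookups expand `${latest_metadata}` unquoted and still have no timeout or empty-result check, so an unreachable or token-only (IMDSv2-required) metadata service yields empty values under `wget -q`. I would declare the base as `readonly latest_metadata=http://169.254.169.254/latest/meta-data/` and write the calls as `instance_id=$(wget -q -T 5 -O- "${latest_metadata}instance-id")`, followed by `[ -n "$instance_id" ] || exit 1`. Whether `set -e` already aborts on a failed wget cannot be seen here; only `set -o pipefail` appears in the hunk header.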
@@ -33,6 +33,12 @@ latest_metadata=http://169.254.169.254/latest/meta-data/
 # Get Instance Details
 instance_id=$(wget -q -O- ${latest_metadata}instance-id)
 region=$(wget -q -O- ${latest_metadata}placement/availability-zone | sed -e 's/\([1-9]\).$/\1/g')
+iam_role=$(wget -q -O- ${latest_metadata}iam/security-credentials/)
+
+# Get rolling credentials for machine role
+export AWS_ACCESS_KEY_ID=$(wget -q -O- ${latest_metadata}iam/security-credentials/${iam_role} | grep "AccessKeyId" | cut -d ":" -f 2 | tr "," " " | tr -d '"')
+export AWS_SECRET_ACCESS_KEY=$(wget -q -O- ${latest_metadata}iam/security-credentials/${iam_role} | grep "SecretAccessKey" | cut -d ":" -f 2 | tr "," " " | tr -d '"')
+export AWS_SECURITY_TOKEN=$(wget -q -O- ${latest_metadata}iam/security-credentials/${iam_role} | grep "Token" | cut -d ":" -f 2 | tr "," " " | tr -d '"')
 # Set Logging Options
 logfile="/var/log/ebs-snapshot.log"
From f59bd2b60fa1b61b5a0db44490f4990225d1e8a2 Mon Sep 17 00:00:00 2001
From: Jason Sherman
Date: Mon, 20 Mar 2017 11:41:19 -0500
Subject: [PATCH 3/3] Only export rolling credentials if the instance actually has a role.
---
 ebs-snapshot.sh | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/ebs-snapshot.sh b/ebs-snapshot.sh
index c0c3d23..66af16e 100644
--- a/ebs-snapshot.sh
+++ b/ebs-snapshot.sh
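Review bot: In patch 2/3, each of the three added `export` lines downloads the credential document again and slices it with `grep | cut | tr`, so the key, secret and token can come from different rotations, and the `tr "," " "` step appears to leave a stray space around each value. The same three lines reappear under the `if` in patch 3/3. If the rest of the script only calls the AWS CLI or an SDK (not visible on this page), those already read the instance role's credentials from the metadata service and refresh them, so dropping the exports keeps the secret key out of the environment of every child process. If they must stay, fetch the document once and extract each field with an anchored pattern, assigning before `export` so a failed lookup is not masked.

```shell
iam_role=$(wget -q -O- "${latest_metadata}iam/security-credentials/")

# One request, so all three values come from the same credential document.
role_creds=$(wget -q -O- "${latest_metadata}iam/security-credentials/${iam_role}")

# Print the string value of one top-level key from the credential document.
cred_field() {
  printf '%s\n' "$role_creds" |
    sed -n "s/^[[:space:]]*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

AWS_ACCESS_KEY_ID=$(cred_field AccessKeyId)
AWS_SECRET_ACCESS_KEY=$(cred_field SecretAccessKey)
AWS_SECURITY_TOKEN=$(cred_field Token)
export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SECURITY_TOKEN
```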
@@ -35,10 +35,12 @@ instance_id=$(wget -q -O- ${latest_metadata}instance-id)
 region=$(wget -q -O- ${latest_metadata}placement/availability-zone | sed -e 's/\([1-9]\).$/\1/g')
 iam_role=$(wget -q -O- ${latest_metadata}iam/security-credentials/)
-# Get rolling credentials for machine role
-export AWS_ACCESS_KEY_ID=$(wget -q -O- ${latest_metadata}iam/security-credentials/${iam_role} | grep "AccessKeyId" | cut -d ":" -f 2 | tr "," " " | tr -d '"')
-export AWS_SECRET_ACCESS_KEY=$(wget -q -O- ${latest_metadata}iam/security-credentials/${iam_role} | grep "SecretAccessKey" | cut -d ":" -f 2 | tr "," " " | tr -d '"')
-export AWS_SECURITY_TOKEN=$(wget -q -O- ${latest_metadata}iam/security-credentials/${iam_role} | grep "Token" | cut -d ":" -f 2 | tr "," " " | tr -d '"')
+# Export the rolling credentials for the iam role, if this instance has one.
+if [ -n "$iam_role" ]; then
+ export AWS_ACCESS_KEY_ID=$(wget -q -O- ${latest_metadata}iam/security-credentials/${iam_role} | grep "AccessKeyId" | cut -d ":" -f 2 | tr "," " " | tr -d '"')
+ export AWS_SECRET_ACCESS_KEY=$(wget -q -O- ${latest_metadata}iam/security-credentials/${iam_role} | grep "SecretAccessKey" | cut -d ":" -f 2 | tr "," " " | tr -d '"')
+ export AWS_SECURITY_TOKEN=$(wget -q -O- ${latest_metadata}iam/security-credentials/${iam_role} | grep "Token" | cut -d ":" -f 2 | tr "," " " | tr -d '"')
+fi
 # Set Logging Options
 logfile="/var/log/ebs-snapshot.log"
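Review bot: The new `if [ -n "$iam_role" ]` guard only helps if the script survives the `iam_role=` lookup above it: on an instance without a role that request presumably returns an HTTP error, `wget` exits non-zero, and under `set -e` (not visible on this page; only `set -o pipefail` shows in the first patch's hunk header) the script would stop before reaching the test. Making the lookup tolerant, `iam_role=$(wget -q -O- "${latest_metadata}iam/security-credentials/") || iam_role=""`, keeps the no-role path reachable. The role name is also interpolated unquoted into the credential URLs inside the block; quoting `"${latest_metadata}iam/security-credentials/${iam_role}"` avoids word splitting if the listing ever returns more than one line.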