Icinga · N-o-X · Aug 13, 2019 · Aug 13, 2019 · Aug 13, 2019
diff --git a/doc/01-Installation-and-Configuration.md b/doc/01-Installation-and-Configuration.md
@@ -24,10 +24,17 @@ Next please download and extract the [latest v2](https://github.com/aws/aws-sdk-
 the AWS PHP SDK [releases](https://github.com/aws/aws-sdk-php/releases) page.
 You need to extract the AWS PHP SDK v2 to `library/vendor/aws`.
 
+AWS IAM role credentials
+------------------------
+
+If you run Icinga Web on AWS you can use IAM roles to allow access. This is the
+default and there is nothing to configure. Select IAM role and configure access
+in AWS itself. 
+
 AWS key configuration
 ---------------------
 
-The last required step is to provide at least one AWS access key in `keys.ini`.
+If you want to use access keys you need to have at least one key in `keys.ini`.
 Create a file `/etc/icingaweb2/modules/aws/keys.ini` as follows:
 
 ```ini

diff --git a/doc/02-Usage.md b/doc/02-Usage.md
@@ -42,11 +42,12 @@ You can choose your AWS region from a dropdown:
 
 ![AWS import source region](img/03_aws_import_region.png)
 
-It is also necessary to choose one of your AWS keys:
+It is also necessary to choose your preferred access method:
 
 ![AWS import source key](img/04_aws_import_source_key.png)
 
-In case this list is empty, please check back to the [Installation and Configuration](01-Installation-and-Configuration.md)
+In case you need a key and this list is empty, please check back to the
+[Installation and Configuration](01-Installation-and-Configuration.md)
 section. Now you are ready to preview and/or run your first import. Don't
 worry, nothing bad will happen. An Import run just imports plain data from
 your import source, it won't touch any of your hosts or services in your

diff --git a/doc/img/02_aws_import_source_basics.png b/doc/img/02_aws_import_source_basics.png
diff --git a/doc/img/03_aws_import_region.png b/doc/img/03_aws_import_region.png
diff --git a/doc/img/04_aws_import_source_key.png b/doc/img/04_aws_import_source_key.png
diff --git a/library/Aws/AwsClient.php b/library/Aws/AwsClient.php
@@ -3,6 +3,8 @@
 namespace Icinga\Module\Aws;
 
 use Aws\Common\Aws;
+use Aws\Common\Credentials\RefreshableInstanceProfileCredentials;
+use Aws\Common\Exception\InstanceProfileCredentialsException;
 use Icinga\Application\Config;
 
 class AwsClient
@@ -13,7 +15,7 @@ class AwsClient
 
     protected $region;
 
-    public function __construct(AwsKey $key, $region)
+    public function __construct(AwsKey $key = null, $region)
     {
         $this->region = $region;
         $this->key = $key;
@@ -224,10 +226,13 @@ protected function client()
     protected function initializeClient()
     {
         $params = array(
-            'region'  => $this->region,
-            'credentials' => $this->key->getCredentials(),
+            'region'  => $this->region
         );
 
+        if ($this->key instanceof AwsKey) {
+            $params['credentials'] = $this->key->getCredentials();
+        }
+
         $config = Config::module('aws');
         if ($proxy = $config->get('network', 'proxy')) {
             $params['request.options'] = array(

diff --git a/library/Aws/AwsKey.php b/library/Aws/AwsKey.php
@@ -59,7 +59,8 @@ public static function listNames()
     public static function enumKeyNames()
     {
         $names = static::listNames();
-        return array_combine($names, $names);
+        $labels = array_map(function ($name) { return $name . ' (Key)'; }, $names);
+        return array_combine($names, $labels);
     }
 
     protected static function config()

diff --git a/library/Aws/ProvidedHook/Director/ImportSource.php b/library/Aws/ProvidedHook/Director/ImportSource.php
@@ -14,10 +14,14 @@ class ImportSource extends ImportSourceHook
 
     public function fetchData()
     {
-        $client = new AwsClient(
-            AwsKey::loadByName($this->getSetting('aws_access_key')),
-            $this->getSetting('aws_region')
-        );
+        $keyName = $this->getSetting('aws_access_key');
+        $key = null;
+
+        if ($keyName) {
+            $key = AwsKey::loadByName($keyName);
+        }
+
+        $client = new AwsClient($key, $this->getSetting('aws_region'));
 
         switch ($this->getObjectType()) {
             case 'asg':
@@ -124,13 +128,15 @@ public static function addSettingsFormFields(QuickForm $form)
         ));
 
         $form->addElement('select', 'aws_access_key', array(
-            'label'        => 'AWS access key',
-            'required'     => true,
+            'label'        => 'AWS access method',
+            'required'     => false,
             'description'  => $form->translate(
-                'Your AWS key, this shows all keys from your keys.ini. Please'
-                . ' check the documentation in case this list is empty'
+                'Use IAM role credential or select your AWS key. This shows all keys from your keys.ini.'
+                . ' Please check the documentation if you miss the keys in the list.'
             ),
-            'multiOptions' => $form->optionalEnum(AwsKey::enumKeyNames()),
+            'multiOptions' => $form->optionalEnum(AwsKey::enumKeyNames(), $form->translate(
+                'IAM role credentials'
+            )),
             'class'        => 'autosubmit',
         ));