Can clouddriver use an instance profile to talk to aws?


#1

Suppose I have a localdebian environment on an ec2 instance. If I attach a role through an instance profile to the instance, then anything in the instance can auth with the aws api easily.

I’d like to configure halyard to deploy clouddriver in localdebian so that clouddriver will talk to aws through the instance profile. If front50 has to talk to s3, this would also be a good way for that to happen.

I tried passing an empty role:

hal config provider aws account add <redacted> --account-id <redacted> --assume-role ""

But I’m getting (in the clouddriver logs):

Factory method 'synchronizeAwsProvider' threw exception; nested exception is com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: Access denied (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; ...)

#2

It looks like putting in nothing should use the default aws provider chain, which should respect the instance profile.

Looking at the hal config provider aws account add ACCOUNT reference, I don’t see anything about instance profiles, though.

I think it’s just not possible to use an instance profile right now?