Using the authentication information set to an instance in Amazon EC2
This section gives a recommended example of the authentication information settings to use when you want to authenticate with the credentials attached to an Amazon EC2 instance.
The example sets the IAM role to "Enabled" in the default information for the Storage Authentication Information in the Cloud Storage DB, so that the IAM role (instance profile credentials) attached to the Amazon EC2 instance is used for authentication instead of a stored access key.
This function is supported by the following optional products:
- HULFT8 Cloud Storage Option(Amazon S3) for Windows
- HULFT8 Cloud Storage Option(Amazon S3) for Linux
The procedure to register the default information for the Storage Authentication Information is shown below.
✓ : Register the setting value
- : Do not register the setting value
If you want to use the IAM role (instance profile credentials) attached to the Amazon EC2 instance, do not set values for the following environment variables:
- AWS_ACCESS_KEY_ID
- AWS_SECRET_ACCESS_KEY
If values are already set for these environment variables, delete them.
These environment variables are retained for downward compatibility, and whenever they are set the authentication information in them takes precedence.
This means that while they are set, the IAM role (instance profile credentials) attached to the Amazon EC2 instance is not used.
Register Enable IAM Role using the registration command of the default information for the Storage Authentication Information.
utls3infoadd -t auth --default --enable-iam-role
For details on the registration command of the default information for the Storage Management Information on Amazon S3, refer to Registration command of the Default Information for Storage Management Information (Amazon S3).
All the fields of the default information are overwritten with the values specified by the registration command.
A field that is not specified with an option is set to "Use the default value.", in which case the value from the downward-compatible settings is used.
However, only for transfers that do not specify a Storage Authentication Information ID with the option, the value registered in the default information for the Storage Authentication Information is used instead of the downward-compatible settings.
The following list is output:
$ utls3infoadd -t auth --default --enable-iam-role
The default information for Storage Authentication Information will be changed.
Access Key: Use the default value.
Secret Access Key: Use the default value.
Session Token: Use the default value.
Enable IAM Role: ON
Switch Role ARN: Use the default value.
External ID: Use the default value.
Role Session Name: Use the default value.
Check whether the setting value for Enable IAM Role is changed to "ON".
If you do not specify "-f" or "--force" with the registration command of the default information for the Storage Management Information, the following confirmation message is output:
Are you sure to register? [y/n]:
After the confirmation message is output, input "y" or "Y" to execute the registration command of the default information for the Storage Management Information.
The registration of the default information to use IAM roles (instance profile authentication information) set on Amazon EC2 is completed.
To perform authentication using these settings, the IAM role you want to use must be attached to the Amazon EC2 instance on which HULFT runs.
For details on required permissions for setting the IAM role, refer to Settings for using Amazon S3.
For details on how to attach an IAM role to an Amazon EC2 instance, refer to the official website for AWS.
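The following pre-flight script is an added example for the Linux product and is not part of HULFT or this documentation. It wraps the registration command from the procedure above with the two checks a practitioner wants before relying on the instance profile: that AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are not set (they would silently take precedence over the IAM role), and that the command output actually reports "Enable IAM Role: ON" with no static key registered. The IMDSv2 query for the attached role name and the RUN_REGISTRATION switch are this example's own additions; the utls3infoadd invocation and its output format are taken from this section.

```shell
#!/bin/sh
# Pre-flight checks around "utls3infoadd -t auth --default --enable-iam-role".
# Added example for the Linux product; not part of HULFT or its documentation.
# Assumes the utls3infoadd command and output format shown in this section;
# the IMDS query and the RUN_REGISTRATION switch are this example's own additions.

# Fail if AWS_ACCESS_KEY_ID or AWS_SECRET_ACCESS_KEY is defined, even as an
# empty string: while they are set, HULFT uses them instead of the instance
# profile. (Checks shell variables, so it is stricter than the exported set.)
check_no_static_creds() {
    bad=""
    for v in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY; do
        # "${NAME+set}" expands to "set" only when NAME is defined
        if eval "[ \"\${$v+set}\" = set ]"; then
            bad="$bad $v"
        fi
    done
    if [ -n "$bad" ]; then
        echo "static credentials present in environment:$bad; unset them first" >&2
        return 1
    fi
    return 0
}

# Read utls3infoadd output from stdin; succeed only if "Enable IAM Role: ON"
# appears and the key, secret and session-token fields were left at the default.
verify_iam_role_output() {
    iam_on=0
    while IFS= read -r line; do
        case "$line" in
            "Enable IAM Role: ON") iam_on=1 ;;
            "Access Key: Use the default value."|"Secret Access Key: Use the default value."|"Session Token: Use the default value.") ;;
            "Access Key: "*|"Secret Access Key: "*|"Session Token: "*)
                echo "static credential was registered: ${line%%:*}" >&2
                return 1 ;;
        esac
    done
    [ "$iam_on" -eq 1 ]
}

# Name of the IAM role attached to this instance, via IMDSv2 (prints nothing
# and fails when no role is attached or when not running on EC2).
instance_role_name() {
    tok=$(curl -sf -X PUT http://169.254.169.254/latest/api/token \
              -H "X-aws-ec2-metadata-token-ttl-seconds: 60") || return 1
    curl -sf -H "X-aws-ec2-metadata-token: $tok" \
        http://169.254.169.254/latest/meta-data/iam/security-credentials/
}

# The registration itself; -f skips the "Are you sure to register?" prompt.
register_iam_role_default() {
    check_no_static_creds || return 1
    if role=$(instance_role_name) && [ -n "$role" ]; then
        echo "instance role: $role"
    else
        echo "warning: no IAM role visible via IMDS; attach one before transferring" >&2
    fi
    out=$(utls3infoadd -t auth --default --enable-iam-role -f) || return 1
    printf '%s\n' "$out" | verify_iam_role_output
}

# Only run when explicitly asked, so the file can be sourced for its functions.
if [ "${RUN_REGISTRATION:-0}" = 1 ]; then
    register_iam_role_default
fi
```

Run it on the instance as the HULFT service user with RUN_REGISTRATION=1; a non-zero exit means either static credentials are still in the environment or the registration did not end up with Enable IAM Role: ON, and in both cases transfers would not be using the instance profile.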
If you want to use different authentication information for certain transfers, refer to Registering the object storage authentication information for each transfer destination (bucket) and configure the following settings:
- The settings of IAM user authentication information with individual settings for the authentication information
When an AWS Access Key and AWS Secret Access Key for IAM user authentication are registered in the Storage Authentication Information with individual settings, the "Authenticate IAM user" setting takes precedence for those transfers even if the IAM role is set to "Enabled".