I've got a website running on a lightsail instance. It was initially manually configured and it works, but now I would like to fully automate its creation.
So far, I've been able to do it using boto3/python + ansible, except for one problem: The lightsail instance needs permissions so that the certbot application can work with route53 and get TLS certs.
When I did it manually, I created an IAM user (with exactly the right permissions) and then put the access keys for that user in the filesystem of the lightsail instance. That works. But looking at the documentation, I see that we're discouraged from putting keys into instance filesystems. It is considered bad practice.
Looking around the endless docs, it appears that the modern way to give permissions to an instance is to make it assume a role. I see there's information for how to do that for an EC2 instance. But what about a lightsail instance?
Looking at the doc I just linked to, there's a policy that seems very close to what I need. Since my user can launch a lightsail instance, I think I just need to make it so the user passes a particular role to the instance upon launch. Like this...
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::my-account-id:role/my-policy-for-certbot"
    }
  ]
}
```
Where...
Is this even on the right track? Do I have an X/Y problem? So far it's not working.
Moreover, the permission set I created in IAM_IC expires (as do all permission sets in IAM_IC, right?). That's fine for creating the lightsail instance to allow certbot to get the initial TLS certs. But every few weeks it will need to renew the TLS cert. What then? Doesn't certbot need Route53 permissions again? Or is it the case that the role automatically gets re-assumed when certbot runs every few weeks?
It is starting to look like the only way to do this is to permanently put some IAM user credentials into the filesystem. Is that the case? But AWS docs specifically say that's not a good practice. What would you do?
Amazon Lightsail servers use the Amazon EC2 infrastructure behind the scenes and they are generally considered the stripped-down version of EC2 instances. A lot of EC2 features are not supported in Lightsail, such as attaching an IAM role (specifically the service role). Best practices for EC2 should be applied to Lightsail if possible. So to answer your question, yes, permanent access keys are your only sound way to achieve what you want. Although this is not the best practice for EC2, this is the best practice for Lightsail. If you want to upgrade the security of the server, you can always upgrade to EC2. Hope this helps.
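If the answer above is followed and a long-lived access key ends up on the Lightsail instance, the thing that limits the blast radius of that key is the policy attached to it. The following is an added example, not code from either poster: a small offline linter that audits an IAM policy document for the two shapes discussed on this page, the `iam:PassRole` policy from the question and a certificate-renewal policy for certbot's `dns-route53` plugin. The three Route 53 actions it treats as required (`ListHostedZones`, `GetChange`, `ChangeResourceRecordSets`) are the ones the plugin's documentation lists; the hosted zone ID `EXAMPLEZONEID` and the account ID in the sample policies are constructed placeholders.

```python
import json

# Route 53 actions that certbot's dns-route53 plugin documents as required.
# Any other route53:* action on a key that only renews certificates is excess privilege.
CERTBOT_ROUTE53_ACTIONS = {
    "route53:ListHostedZones",
    "route53:GetChange",
    "route53:ChangeResourceRecordSets",
}

# Actions that IAM does not scope to a resource, so Resource "*" is legitimate for them.
UNSCOPED_ACTIONS = {"route53:ListHostedZones"}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return a list of human-readable findings for an IAM policy document (a dict).

    An empty list means the policy passed every check in this linter.
    """
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only ever narrow access
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))

        for action in actions:
            if action == "*" or action.endswith("*"):
                findings.append(f"statement {idx}: wildcard action {action!r}")
            elif action == "iam:PassRole":
                # PassRole must name exactly which role may be handed to the instance.
                bad = [r for r in resources
                       if not (r.startswith("arn:aws:iam::") and ":role/" in r and "*" not in r)]
                if bad:
                    findings.append(f"statement {idx}: iam:PassRole should name one role ARN, got {bad}")
            elif action.startswith("route53:") and action not in CERTBOT_ROUTE53_ACTIONS:
                findings.append(f"statement {idx}: {action} is not needed by certbot-dns-route53")

            if action == "route53:ChangeResourceRecordSets" and not all(
                    r.startswith("arn:aws:route53:::hostedzone/") for r in resources):
                findings.append(f"statement {idx}: ChangeResourceRecordSets should be limited to a hosted zone ARN")

        if "*" in resources and not all(a in UNSCOPED_ACTIONS for a in actions):
            findings.append(f"statement {idx}: Resource '*' granted to resource-scoped actions {actions}")
    return findings


# The PassRole policy from the question (account ID is the poster's placeholder).
PASSROLE_POLICY = json.loads("""
{ "Version": "2012-10-17",
  "Statement": [ { "Effect": "Allow", "Action": "iam:PassRole",
                   "Resource": "arn:aws:iam::my-account-id:role/my-policy-for-certbot" } ] }
""")

# Constructed least-privilege policy for a long-lived certbot key: one hosted zone only.
CERTBOT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "route53:ListHostedZones", "Resource": "*"},
        {"Effect": "Allow", "Action": "route53:GetChange",
         "Resource": "arn:aws:route53:::change/*"},
        {"Effect": "Allow", "Action": "route53:ChangeResourceRecordSets",
         "Resource": "arn:aws:route53:::hostedzone/EXAMPLEZONEID"},
    ],
}

# Constructed over-broad policy of the kind that tends to get pasted from a tutorial.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "route53:*", "Resource": "*"}],
}


if __name__ == "__main__":
    for name, doc in [("passrole", PASSROLE_POLICY), ("certbot", CERTBOT_POLICY), ("broad", BROAD_POLICY)]:
        print(name, audit_policy(doc) or "OK")
```

Run it against the JSON you are about to attach to the renewal user before the key is created; a key that can only write records in one hosted zone is a far smaller problem to lose than one carrying `route53:*`, and the check costs nothing to repeat whenever the policy changes.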