Using AWS Instance Profiles With Juju 2.9

The Juju team has been working on some exciting new features for the AWS provider in Juju 2.9 that we are ready to share with the community to get feedback. In the latest release of Juju (2.9.19) you can now use AWS Instance Profiles for controller machines.

This work is the start of many more changes to come around how Juju manages and uses AWS credentials, but one we are very excited to let people start testing for us.

So let's get started…

First, if you are not familiar with Instance Profiles in AWS you can read more here. They are a means for attaching IAM Roles to AWS ec2 instances so that the software on that machine can interact with AWS APIs using the permissions afforded by the associated AWS role.

With this change we also get nicer properties for Juju around shorter lived credentials and better auditing of the AWS permissions being used.

To take these new features for a spin one of the following options needs to be picked. You can let Juju do all the heavy lifting of creating instance profiles and permissions, or you can do it manually and attach it to Juju at runtime.

Option one, let Juju do the heavy lifting:

  1. Bootstrap Juju using the auto keyword for the instance-role constraint:

     juju bootstrap --bootstrap-constraints="instance-role=auto" aws/ap-southeast-2

It’s as easy as that.

Option two, bring your own Instance Profile:

  1. Firstly identify or create a new AWS role in your IAM section for use by the Juju controller. See the AWS documentation here for more information.
  2. Next we will create a new instance profile using the following aws command:

     aws iam create-instance-profile --instance-profile-name my-test-profile

  3. We now need to associate the role from step 1 with the profile created in step 2:

     aws iam add-role-to-instance-profile --instance-profile-name my-test-profile --role-name <role_name>

  4. We can now bootstrap Juju to aws with the new profile using:

     juju bootstrap --bootstrap-constraints="instance-role=my-test-profile" test-ip-controller

As you see Juju go through the Bootstrap stage one of the steps will be attaching the instance profile to the newly created controller machine.

To see a list of permissions that Juju requires when operating a controller please head over here to see an example AWS policy.

We also wish to add a bootstrap check to make sure the instance profile being used has an AWS IAM role attached to it, otherwise the bootstrap process may hang.

There is a lot of exciting potential for this new work and how Juju can leverage roles and instance profiles in AWS. Please let us know what you think of this work and what you would like to see going forward.

Regards, The Juju Team.

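A pre-bootstrap check for option two, added here as an example and not part of the original post or of Juju itself: it reads the JSON that `aws iam get-instance-profile` prints and confirms the profile has a role attached (the hang case noted in the post) and that the role's trust policy lets the EC2 service assume it. The role name and policy in the embedded sample response are constructed.

```python
"""Pre-bootstrap check for a bring-your-own instance profile (option two above). Pipe in
`aws iam get-instance-profile --instance-profile-name my-test-profile` or run with no pipe."""
import json
import sys

EC2_SERVICE = "ec2.amazonaws.com"

# Constructed sample shaped like the get-instance-profile CLI output (not real account data).
SAMPLE_RESPONSE = {"InstanceProfile": {"InstanceProfileName": "my-test-profile", "Roles": [{
    "RoleName": "juju-controller-role",  # hypothetical role name
    "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"Service": EC2_SERVICE}, "Action": "sts:AssumeRole"}]}}]}}


def trusts_ec2(assume_role_policy: dict) -> bool:
    """True if the role's trust policy lets the EC2 service assume it; a profile can carry a
    role without this, but the controller machine would then never receive credentials."""
    statements = assume_role_policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements  # single object form
    for stmt in statements:
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        principal = stmt.get("Principal", {})
        services = principal.get("Service", []) if isinstance(principal, dict) else []
        services = [services] if isinstance(services, str) else services
        if (stmt.get("Effect") == "Allow" and EC2_SERVICE in services
                and ("sts:AssumeRole" in actions or "sts:*" in actions)):
            return True
    return False


def check_instance_profile(response: dict) -> list:
    """Return problems found; an empty list means the profile is usable as instance-role=<name>."""
    profile = response["InstanceProfile"]
    roles = profile.get("Roles", [])
    problems = []
    if not roles:  # the post warns bootstrap may hang when the profile has no role attached
        problems.append(f"instance profile {profile['InstanceProfileName']} has no IAM role attached")
    for role in roles:
        if not trusts_ec2(role.get("AssumeRolePolicyDocument", {})):
            problems.append(f"role {role['RoleName']} does not trust {EC2_SERVICE}")
    return problems


if __name__ == "__main__":
    data = SAMPLE_RESPONSE if sys.stdin.isatty() else json.load(sys.stdin)
    issues = check_instance_profile(data)
    print("\n".join(issues) or f"{data['InstanceProfile']['InstanceProfileName']}: ok")
    sys.exit(1 if issues else 0)
```

Run it between steps 3 and 4 of option two; a non-zero exit means the profile is not yet ready to pass to juju bootstrap.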

@tmihoc this might be a good addition to the AWS docs Juju | Amazon Web Services (AWS)


Thanks, @hpidcock, will look into it!


Have made this doc public for users to try out now that it has been released.


This is awesome! Is there a known way to bootstrap using STS and temporary/limited-privilege credentials?

Thanks!

Hey @jamesbeedy

Not at the moment but this would be very neat. I’ll add it to our list of expansions to this work.

Ta tlm
