How to mount EFS on EC2 with the IAM username of whoever started the EC2 instance?

0

Hi, I'm trying to automate the mounting of EFS at EC2 instance start time (via user-data script or some other way) but would like to ensure that it's not mounted as ec2-user but rather the IAM username of whoever created the EC2 instance.

So if the IAM username of the user creating the instance is 'bob', how can I pass 'bob' in via the user-data script (or pick it up on the instance itself) so that I can then script and execute something like:

$ sudo useradd bob
$ cd /home/bob
$ sudo mkdir efs-mount-point
$ sudo chown bob:bob efs-mount-point
$ sudo mount -t efs -o tls,iam <fs-id> /home/bob/efs-mount-point/

at instance first boot (i.e. via a user-data script).

Then bob can SSH in with his key and straight away has EFS mounted under an already created home folder named 'bob'.

Hope that makes sense and any help / tips greatly appreciated.

Thanks, Alex

1 Answer
0

You could get the original username and then in the Userdata create a file somewhere that contains that detail for "later" use - alternatively, have the Userdata create the mount script above.

Another method would be to put the username into a tag for the instance - noting that tags are now available via the instance metadata service, which is quite handy.

However, I think your question is actually "how can I get the username of the IAM user who is launching the instance". That's a little trickier. If you're launching in the console, there's no automatic way of doing that - the user would have to create the Userdata or tag appropriately.

If you're launching via some sort of automation (say, a script) then it should be somewhat easier to determine the username. For example, using the AWS CLI you can do aws iam get-user.

If you're launching via CloudFormation then you'd need to have a custom resource.

AWS
EXPERT
answered 2 years ago
• Many thanks for the comments. Yes, I'm launching via scripts (Terraform, to be precise); however, I don't have the AWS CLI on the Mac from which I'm executing the Terraform script, and the Terraform 'aws_iam_user' Data Source requires a username to be supplied (which seemingly can't be determined from my AWS credentials file). Your answer made me think I could use 'aws iam get-user' within the UserData, but of course AWS credentials will not have been set up at instance launch time (there will only be my key in the authorized_keys file). (I don't really want to pass in credentials via Terraform either.) Hmm
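The tag-plus-instance-metadata approach from the answer, wired into the question's useradd/mount steps as a user-data script. This is an added example, not code from the thread; it assumes amazon-efs-utils and curl are installed, instance metadata tags are enabled for the instance, EFS_ID is replaced with the real file system id, and a hypothetical tag key "LaunchedBy" holds the username. Because a tag is writable by anyone with ec2:CreateTags, the script validates the value before it reaches useradd.

```shell
#!/bin/sh
# Added example, not from the original thread: read the launching user's name
# from an instance tag via IMDSv2, create that login, and mount EFS under the
# new home directory. Assumed: amazon-efs-utils + curl installed, instance
# metadata tags enabled, EFS_ID replaced, hypothetical tag key "LaunchedBy".
set -eu

EFS_ID="${EFS_ID:-fs-PLACEHOLDER}"   # replace with the real file system id
TAG_KEY="${TAG_KEY:-LaunchedBy}"     # hypothetical tag set by the launch tooling
IMDS="http://169.254.169.254/latest"

# IMDSv2: obtain a short-lived session token, then read one metadata path.
imds_get() {
  token=$(curl -sSf -m 2 -X PUT "$IMDS/api/token" \
            -H "X-aws-ec2-metadata-token-ttl-seconds: 60") || return 1
  curl -sSf -m 2 -H "X-aws-ec2-metadata-token: $token" "$IMDS/meta-data/$1"
}

# Tags are writable by anyone holding ec2:CreateTags, so validate before the
# value reaches useradd/chown: conservative POSIX login names only.
valid_username() {
  [ -n "$1" ] && [ "${#1}" -le 32 ] || return 1
  case "$1" in [!a-z_]*|*[!a-z0-9_-]*) return 1 ;; esac
}

mount_point() { printf '/home/%s/efs-mount-point\n' "$1"; }

# fstab line so the mount survives reboots; _netdev waits for networking.
fstab_entry() { printf '%s:/ %s efs _netdev,tls,iam 0 0\n' "$1" "$2"; }

provision_user() {
  user="$1"; mnt=$(mount_point "$user")
  id "$user" >/dev/null 2>&1 || useradd -m "$user"
  mkdir -p "$mnt" && chown "$user:$user" "$mnt"
  # Once mounted, ownership of the mount root comes from the EFS file system
  # (or its access point), not from the local chown above.
  mount -t efs -o tls,iam "$EFS_ID" "$mnt"
  grep -qF " $mnt " /etc/fstab || fstab_entry "$EFS_ID" "$mnt" >> /etc/fstab
}

# Provision only when IMDS answers (i.e. when running on the instance).
if user=$(imds_get "tags/instance/$TAG_KEY"); then
  valid_username "$user" || { echo "refusing unsafe username from tag" >&2; exit 1; }
  provision_user "$user"
else
  echo "instance metadata tag $TAG_KEY not available; skipping" >&2
fi
```

Whatever launches the instance (the console, a script, or Terraform) must set the tag; the script only consumes it.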
