Using multiple EC2 accounts with the EC2 API tools


Jan 04 2010 (amazon-ec2)

Various projects I am involved with each have their own Amazon EC2 accounts. This means I have a few sets of certificates/keys to access and manage these different instances. My previous solution was a different user account on my MacBook Pro for each project. That is not very elegant at all. This is my new solution, which involves a set of dynamic bash aliases and a script to create them.

To start, create a directory structure like this (preferably in a Git or SVN repo; keep that repo private, since it will hold private keys):

base/
accounts/

Then, in accounts/, create a subdirectory for each project/client/EC2 account, and add three things to each subdirectory: the EC2 X.509 certificate, the EC2 private key and a single SSH private key to use for SSH access. You end up with a directory structure something like this, separated by client/project/account:

base/
accounts/project1/cert-TYTYTHJHDJHDJHDJHDJH.pem
accounts/project1/pk-DNKJNFKDJNFFKJNDFKNSDFJ.pem
accounts/project1/id_dsa_project1
accounts/client55/cert-SASDASDASDASDASDASD.pem
accounts/client55/pk-UYWYWUYWUYNNSNSNS.pem
accounts/client55/mykey_client55
accounts/myappx/cert-XCMLKMLKMLKMLKM.pem
accounts/myappx/pk-CCJKJDKPOPOPOPPOP.pem
accounts/myappx/awskey_appx

Now we’ll download the latest EC2 API tools and expand them into base/, so we will have a directory structure like this:

base/THIRDPARTYLICENSE.TXT
base/bin/ec2-add-group
base/bin/ec2-add-group.cmd
base/bin/ec2-add-keypair
base/bin/ec2-add-keypair.cmd
-- ETC -- OMITTING THE REST OF bin/
base/lib/activation-1.1.jar
base/lib/bcprov.jar
-- ETC -- OMITTING THE REST OF lib/
base/license.txt
base/notice.txt
accounts/project1/cert-TYTYTHJHDJHDJHDJHDJH.pem
accounts/project1/pk-DNKJNFKDJNFFKJNDFKNSDFJ.pem
accounts/project1/id_dsa_project1
-- ETC -- OMITTING THE REST OF accounts/

Now, we will use a simple bash script to generate a bash alias for each EC2 operation for each EC2 account we have. It essentially maps each EC2 command to the appropriate key and cert for each of our projects/clients.

NOTE: This version sets up some environment variables which are specific to a Mac OS X > Leopard environment. You may need a different JAVA_HOME if you are on a different OS.

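#!/bin/bash
# Source this file (do not execute it): aliases must be defined in the login shell.
export JAVA_HOME=/System/Library/Frameworks/JavaVM.framework/Home/
# Resolve to an absolute path so the aliases keep working after a cd.
EC2_TOP=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
export EC2_TOP
export EC2_HOME=$EC2_TOP/base

ALL_ACCOUNTS=$( ls "$EC2_TOP/accounts" )
# Skip the Windows .cmd wrappers; the dot is escaped so it matches literally.
EC2_TOOLS=$( ls "$EC2_HOME/bin" | grep -v '\.cmd$' )

for a in $ALL_ACCOUNTS; do
        # One EC2 private key, one certificate and one SSH key per account.
        THIS_KEY=$( ls "$EC2_TOP/accounts/$a"/pk-*.pem )
        THIS_CERT=$( ls "$EC2_TOP/accounts/$a"/cert-*.pem )
        THIS_SSH=$( ls "$EC2_TOP/accounts/$a"/* | grep -v '\.pem$' )

        # Paths are single-quoted inside the alias so spaces survive expansion.
        alias "ssh-ec2-$a"="ssh -i '$THIS_SSH'"

        for e in $EC2_TOOLS; do
                alias "ec2-$a-$e"="'$EC2_HOME/bin/$e' -K '$THIS_KEY' -C '$THIS_CERT'"
        done
done

# Do not leave key paths or loop variables behind in the login shell.
unset THIS_KEY THIS_CERT THIS_SSH ALL_ACCOUNTS EC2_TOOLS a e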

This base script (I’ve called mine setup_env.sh) needs to live at the top level, so again, we have a structure like this:

base/
accounts/
setup_env.sh

Now, simply source setup_env.sh as part of your login procedure, by putting something like this in .bash_profile:

NOTE: My top level directory lives at ~/Tools/Amazon

source ~/Tools/Amazon/setup_env.sh

Now, when I log in, I can create an instance on the correct EC2 account with something like:

ec2-project1-ec2run <options>

And I can SSH to a running EC2 instance with something like:

ssh-ec2-project1 root@myinstance.address.com
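The aliases only work if every account directory holds exactly one pk-*.pem, one cert-*.pem and one SSH key, and ssh will refuse a key file that group or others can read. The following check of that layout is an added example, not part of the original script; the function name check_ec2_accounts is hypothetical and it assumes the base/ and accounts/ structure described above.

```bash
#!/bin/bash
# Added example (not from the original post): audit the accounts/ layout
# that setup_env.sh relies on. Prints one line per problem and returns
# non-zero if any account is incomplete, ambiguous or loosely permissioned.
# The body runs in a subshell, so no variables leak into a login shell.
check_ec2_accounts() (
    top=$1
    problems=0
    report() { echo "$1"; problems=$((problems + 1)); }
    for dir in "$top"/accounts/*/; do
        [ -d "$dir" ] || continue
        name=$(basename "$dir")
        pk=0 cert=0 ssh=0
        for f in "$dir"*; do
            [ -f "$f" ] || continue
            case $(basename "$f") in
                pk-*.pem)   pk=$((pk + 1)) ;;
                cert-*.pem) cert=$((cert + 1)); continue ;;  # public, no mode check
                *.pem)      continue ;;
                *)          ssh=$((ssh + 1)) ;;              # treated as the SSH key
            esac
            # Reached only for secrets (EC2 private key, SSH key).
            # Characters 5-10 of the ls mode string are the group/other bits.
            perms=$(ls -ld "$f" | cut -c5-10)
            [ "$perms" = "------" ] ||
                report "$name: $f is accessible to group/other ($perms)"
        done
        # More than one match would hand several paths to -K, -C or ssh -i.
        [ "$pk" -eq 1 ]   || report "$name: expected 1 pk-*.pem, found $pk"
        [ "$cert" -eq 1 ] || report "$name: expected 1 cert-*.pem, found $cert"
        [ "$ssh" -eq 1 ]  || report "$name: expected 1 SSH key, found $ssh"
    done
    [ "$problems" -eq 0 ]
)
```

Run it as check_ec2_accounts ~/Tools/Amazon before sourcing setup_env.sh, and fix any reported key file with chmod 600.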

Simple, possibly inelegant, but very functional. Do you have anything which works better than this? Please share.