Using multiple EC2 accounts with the EC2 API tools


Jan 04 2010 (amazon-ec2)

Various projects I am involved with each have their own Amazon EC2 account. This means I have several sets of certificates and keys to access and manage these different instances. My previous solution was a separate user account on my MacBook Pro for each project, which is not elegant at all. This is my new solution: a set of dynamically generated bash aliases and a script to create them.

To start, create a directory structure like this (preferably in a Git or SVN repo; note that the repo will contain private keys, so keep it local or on a private remote and never push it anywhere shared):

base/
accounts/

Then in accounts/, create a subdirectory for each project/client/EC2 account, and add three things to each subdirectory: the EC2 X.509 certificate, the EC2 private key and a single SSH private key to use for SSH access. Keep exactly one non-.pem file per directory, because the script below treats whatever is not a .pem file as the SSH key, and chmod 600 the private keys (ssh ignores a private key that is readable by other users). You end up with a directory structure something like this, separated by client/project/account:

base/
accounts/project1/cert-TYTYTHJHDJHDJHDJHDJH.pem
accounts/project1/pk-DNKJNFKDJNFFKJNDFKNSDFJ.pem
accounts/project1/id_dsa_project1
accounts/client55/cert-SASDASDASDASDASDASD.pem
accounts/client55/pk-UYWYWUYWUYNNSNSNS.pem
accounts/client55/mykey_client55
accounts/myappx/cert-XCMLKMLKMLKMLKM.pem
accounts/myappx/pk-CCJKJDKPOPOPOPPOP.pem
accounts/myappx/awskey_appx

Now we’ll download the latest EC2 API tools and expand them into base/, so we will have a directory structure like this:

base/THIRDPARTYLICENSE.TXT
base/bin/ec2-add-group
base/bin/ec2-add-group.cmd
base/bin/ec2-add-keypair
base/bin/ec2-add-keypair.cmd
-- ETC -- OMITTING THE REST OF bin/
base/lib/activation-1.1.jar
base/lib/bcprov.jar
-- ETC -- OMITTING THE REST OF lib/
base/license.txt
base/notice.txt
accounts/project1/cert-TYTYTHJHDJHDJHDJHDJH.pem
accounts/project1/pk-DNKJNFKDJNFFKJNDFKNSDFJ.pem
accounts/project1/id_dsa_project1
-- ETC -- OMITTING THE REST OF accounts/

Now, we will use a simple bash script to generate a bash alias for each EC2 operation for each EC2 account we have. It essentially maps each EC2 command to the appropriate key and cert for each of our projects/clients.

NOTE: This version sets up some environment variables which are specific to Mac OS X Leopard or later. On a different OS you will need a different JAVA_HOME, and possibly other adjustments.

#!/bin/bash
# Source this file from .bash_profile; it defines one alias per account per EC2 tool.
export JAVA_HOME=/System/Library/Frameworks/JavaVM.framework/Home/
# Absolute path to the directory holding this script, so the aliases work from any cwd.
export EC2_TOP=$( cd "$( dirname "$BASH_SOURCE" )" && pwd )
export EC2_HOME=$EC2_TOP/base
 
ALL_ACCOUNTS=$( ls "$EC2_TOP/accounts" )
# Skip the Windows .cmd wrappers (the dot and anchor keep the pattern from matching e.g. "ec2cmd").
EC2_TOOLS=$( ls "$EC2_HOME/bin" | grep -v '\.cmd$' )
 
for a in $ALL_ACCOUNTS; do
        THIS_KEY=$( ls "$EC2_TOP/accounts/$a"/pk-*.pem )
        THIS_CERT=$( ls "$EC2_TOP/accounts/$a"/cert-*.pem )
        # The single non-.pem file in the account directory is the SSH private key.
        THIS_SSH=$( ls "$EC2_TOP/accounts/$a"/* | grep -v '\.pem$' )
 
        # ssh-ec2-<account> user@host
        alias ssh-ec2-$a="ssh -i $THIS_SSH"
 
        # ec2-<account>-<tool> <options>
        # Double quotes expand the paths now, so each alias is bound to its own account's files.
        for e in $EC2_TOOLS; do
                alias ec2-$a-$e="$EC2_HOME/bin/$e -K $THIS_KEY -C $THIS_CERT"
        done
done
 
# Do not leave the loop variables in the login shell's environment.
unset a e THIS_KEY THIS_CERT THIS_SSH

This base script (I’ve called mine setup_env.sh) needs to live at the top level, so again, we have a structure like this:

base/
accounts/
setup_env.sh

Now, simply source setup_env.sh as part of your login procedure, by putting something like this in .bash_profile:

NOTE: My top level directory lives at ~/Tools/Amazon

source ~/Tools/Amazon/setup_env.sh

Now, when I login, I can create an instance on the correct EC2 account with something like:

ec2-project1-ec2run <options>

And I can SSH to a running EC2 instance with something like:

ssh-ec2-project1 root@myinstance.address.com
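A stricter version of the generator, added here as an example rather than the post's own setup_env.sh. It assumes the same layout (base/bin/ec2-* and accounts/<name>/ under one top directory) but refuses an account directory that has no key or certificate, has more than one candidate SSH key, or has a private key readable by other users, and it emits bash functions instead of aliases so the wrappers also work from scripts and pass extra arguments with proper quoting. The account names and file names in the demo tree are constructed for the example; the key files are empty placeholders.

```bash
#!/bin/bash
# Added example, not the original post's setup_env.sh. Same layout as the post:
#   $TOP/base/bin/<tool>            the EC2 API tools
#   $TOP/accounts/<name>/pk-*.pem   EC2 private key
#   $TOP/accounts/<name>/cert-*.pem EC2 X.509 certificate
#   $TOP/accounts/<name>/<other>    the one SSH private key (any non-.pem file)

# Echo the single regular file in $1 matching glob $2; fail unless exactly one exists.
ec2_one_file() {
    local dir=$1 pattern=$2 found='' n=0 f
    for f in "$dir"/$pattern; do
        [ -f "$f" ] || continue
        found=$f
        n=$((n + 1))
    done
    [ "$n" -eq 1 ] || { echo "ec2: $dir: expected exactly one $pattern, found $n" >&2; return 1; }
    printf '%s\n' "$found"
}

# Echo the single non-.pem file in $1 (the SSH private key); fail if missing or ambiguous.
ec2_ssh_key() {
    local dir=$1 found='' n=0 f
    for f in "$dir"/*; do
        case $f in *.pem) continue ;; esac
        [ -f "$f" ] || continue
        found=$f
        n=$((n + 1))
    done
    [ "$n" -eq 1 ] || { echo "ec2: $dir: expected exactly one SSH key (non-.pem file), found $n" >&2; return 1; }
    printf '%s\n' "$found"
}

# Succeed only if $1 has no group/other permission bits: ssh ignores a private key
# that others can read, and the EC2 private key deserves the same treatment.
ec2_private_perms() {
    local bits
    bits=$(ls -ld "$1" | cut -c5-10)
    [ "$bits" = "------" ] || { echo "ec2: $1: group/other bits set ($bits), chmod 600 it" >&2; return 1; }
}

# Validate one account directory: exactly one key, one cert, one SSH key, private perms.
ec2_check_account() {
    local dir=$1 key cert ssh
    key=$(ec2_one_file "$dir" 'pk-*.pem') || return 1
    cert=$(ec2_one_file "$dir" 'cert-*.pem') || return 1
    ssh=$(ec2_ssh_key "$dir") || return 1
    ec2_private_perms "$key" && ec2_private_perms "$ssh"
}

# Print bash function definitions for every valid account under $1/accounts.
# Invalid accounts are reported on stderr and skipped; exit status is always 0 so a
# broken account directory cannot break the login shell. Install them with:
#   eval "$(ec2_gen_wrappers ~/Tools/Amazon)"
ec2_gen_wrappers() {
    local top=$1 home=$1/base acct name key cert ssh tool
    for acct in "$top"/accounts/*/; do
        acct=${acct%/}
        name=${acct##*/}
        ec2_check_account "$acct" || continue
        key=$(ec2_one_file "$acct" 'pk-*.pem')
        cert=$(ec2_one_file "$acct" 'cert-*.pem')
        ssh=$(ec2_ssh_key "$acct")
        printf "ssh-ec2-%s() { ssh -i '%s' \"\$@\"; }\n" "$name" "$ssh"
        for tool in "$home"/bin/*; do
            case $tool in *.cmd) continue ;; esac   # skip the Windows batch wrappers
            [ -f "$tool" ] || continue
            printf "ec2-%s-%s() { EC2_HOME='%s' '%s' -K '%s' -C '%s' \"\$@\"; }\n" \
                "$name" "${tool##*/}" "$home" "$tool" "$key" "$cert"
        done
    done
    return 0
}

# Build a constructed demo tree (empty placeholder files, fake names) and echo its path.
ec2_demo_tree() {
    local top
    top=$(mktemp -d) || return 1
    mkdir -p "$top/base/bin" "$top/accounts/project1" "$top/accounts/client55" "$top/accounts/myappx"
    touch "$top/base/bin/ec2run" "$top/base/bin/ec2run.cmd" "$top/base/bin/ec2-describe-instances"
    # project1: well-formed, private keys locked down
    touch "$top/accounts/project1/pk-AAAA.pem" "$top/accounts/project1/cert-AAAA.pem" "$top/accounts/project1/id_dsa_project1"
    chmod 600 "$top/accounts/project1/pk-AAAA.pem" "$top/accounts/project1/id_dsa_project1"
    # client55: a stray README makes the SSH key ambiguous
    touch "$top/accounts/client55/pk-BBBB.pem" "$top/accounts/client55/cert-BBBB.pem" "$top/accounts/client55/mykey_client55" "$top/accounts/client55/README"
    chmod 600 "$top/accounts/client55/pk-BBBB.pem" "$top/accounts/client55/mykey_client55"
    # myappx: SSH key left group/world-readable
    touch "$top/accounts/myappx/pk-CCCC.pem" "$top/accounts/myappx/cert-CCCC.pem" "$top/accounts/myappx/awskey_appx"
    chmod 600 "$top/accounts/myappx/pk-CCCC.pem"
    chmod 644 "$top/accounts/myappx/awskey_appx"
    printf '%s\n' "$top"
}

# Demo: only project1 yields wrappers; client55 and myappx are rejected with a reason.
DEMO=$(ec2_demo_tree)
ec2_gen_wrappers "$DEMO"
rm -rf "$DEMO"
```

Generating functions rather than aliases costs nothing in the interactive case and means the same definitions work in cron jobs and scripts, where bash does not expand aliases. Paths are single-quoted in the generated text, so a space in ~/Tools/Amazon is fine; a single quote in the path is not, which is an acceptable limitation for a directory you control.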

Simple, possibly inelegant, but very functional. Do you have anything which works better than this? Please share.