There are several security mechanisms associated with Amazon Web Services (AWS) and EC2:
- Your password, along with your email address, which you use to access the AWS portal, where you can (amongst other things) generate and deactivate all the credentials mentioned below.
- The AWS Access Key ID and Secret Access Key that are used by the Bamboo server to authenticate with AWS.
- A login key pair that you can use to log in to EC2 instances that have been started by Bamboo. The key pair is automatically generated, either the first time you use Elastic Bamboo, or if you delete the key pair. The key pair is listed as 'elasticbamboo' in your AWS console. Bamboo does not use this key pair.
- The AWS private key file and certificate file that are generated by Amazon and used together to allow Elastic Bamboo to securely access some of the AWS services, such as EBS for elastic instances and the Amazon command line tools. These are described below.
AWS private key file and certificate file
The Amazon Web Services (AWS) private key file and certificate file are generated by Amazon and work together to allow Elastic Bamboo to securely access your AWS account. These are required to enable certain features, such as EBS for elastic instances and the Amazon command line tools.
- The certificate file contains the public key associated with your AWS account. This file is kept by Amazon (not on your Bamboo server).
- The private key file contains the private key that is used to authenticate requests to AWS. This file must be stored on your Bamboo server if you are using EBS for elastic instances or the Amazon command line tools.
- The public key and private key from these files together form an X.509 certificate.
Generating the files
The certificate file will be kept by Amazon (to inject into your elastic instances) and the private key file will be downloaded to your Bamboo server in your Bamboo Home directory. If you are setting up Elastic Bamboo on multiple Bamboo servers using the same AWS account, you can simply copy the private key file across from the original Bamboo server. You should not need to regenerate the private key file and certificate file unless your private key file is lost or corrupted.
If you do need to regenerate the private key file and certificate file, please follow the instructions in the Amazon X.509 Certificates documentation. The Amazon documentation also contains instructions on using your own certificate, if you wish.
Downloading the files
Once the files are generated, you will be able to download them (see screenshot below). We recommend that you store the files in the Home directory of your Bamboo server.
Screenshot: Downloading the generated AWS private key file and certificate file
Notes
- If you wish to use this security mechanism with multiple Bamboo installations using the same AWS account (e.g. you have configured your elastic instances on each installation to use EBS), you will need to copy the AWS private key file and certificate file to each Bamboo server.
- You can only download the AWS private key file at the time it is generated. If the private key file has already been generated for your AWS account, you will not be able to download it from AWS again (for security purposes). You will have to copy it from wherever it was previously downloaded to. Otherwise you will have to generate a new private key file and certificate file to go with it.
  If you regenerate the private key file and certificate file, any Bamboo servers using the old private key file and certificate file will no longer be able to access Amazon EC2, as only one X.509 certificate can be associated with your AWS account.
- You can download the AWS certificate file as many times as you want. This file does not need to be regenerated.
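The following shell script is an added example, not part of the original documentation or of Bamboo itself. After the private key file has been copied to another Bamboo server, or the pair has been regenerated, it checks that a private key file and certificate file belong together and that the key file is not readable by other users. It assumes both files are PEM-encoded, that the `openssl` command is installed, and that the two file paths are passed as arguments; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: sanity checks for an AWS X.509 private key / certificate pair.
# Usage (script name is hypothetical): sh check-aws-x509.sh <private-key.pem> <certificate.pem>

# Succeeds only if the public key derived from the private key file ($1)
# is identical to the public key carried in the certificate file ($2).
# Returns 2 if either file cannot be parsed, 1 on a mismatch.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Succeeds only if the private key file ($1) grants no permissions to
# group or others (characters 5-10 of the ls mode string are all '-').
key_perms_private() {
    perms=$(ls -ld "$1" | cut -c5-10) || return 2
    [ "$perms" = "------" ]
}

# Run both checks when called with two file arguments.
if [ "$#" -eq 2 ]; then
    if ! key_perms_private "$1"; then
        echo "WARNING: $1 is accessible to group or other users" >&2
    fi
    if key_matches_cert "$1" "$2"; then
        echo "OK: private key file and certificate file belong together"
    else
        echo "MISMATCH: $1 does not correspond to $2 (old or wrong pair?)" >&2
        exit 1
    fi
fi
```

A mismatch on one server after the pair was regenerated usually means that server still holds the old private key file.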