It seems really insecure to store permanent IAM access credentials (key, secret) on the instance or any other place.
The way I understood roles - it would make sense if I could manage permissions to perform certain tasks using roles:
- set up the role, set up a user group with permission to assume that role, add users to that group
- from command line type something like "ec2_assume_role rolename time_till_expiration"
- then at the prompt enter my username and password
- get those temporary keys (could script to set them directly into the env)
From what I found in the IAM documentation, assuming a role requires a set of keys, so it is not really meant for a human. I could set up a server that enables something similar to the above, but that server would have to have its own key stored, or at least in memory, plus I would have to duplicate the username / password management that IAM already does pretty well.
Am I missing/misunderstanding something?
Thank you
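One way to script the flow described in the question, as an added example that is not part of the original post or of AWS's own tooling: call `aws sts assume-role` with the user's MFA code and turn the temporary credentials it returns into `export` lines that expire on their own. It assumes the AWS CLI is installed with a named profile (here `login`) holding the user's long-term key, and that `MFA_ARN` and the role ARN are placeholders you fill in.

```shell
#!/bin/sh
# Added example: get short-lived credentials by assuming an IAM role through
# AWS STS, gated by an MFA code, and export them into the current shell.
# Assumes: AWS CLI installed; profile "login" holds the caller's long-term
# IAM user key; MFA_ARN is the ARN of the user's virtual MFA device.
set -eu

# Extract one string field (e.g. AccessKeyId) from the JSON printed by
# `aws sts assume-role`. Uses only sed, so no jq dependency; works on both
# single-line and pretty-printed JSON because each key occurs once.
sts_field() {
    # $1 = field name, $2 = JSON text
    printf '%s\n' "$2" | sed -n "s/.*\"$1\": *\"\([^\"]*\)\".*/\1/p"
}

# Turn an STS AssumeRole response into `export` lines suitable for `eval`.
# Fails (exit 1) if the response carries no credentials, so a bad MFA code
# or denied AssumeRole never leaves half-set variables behind.
sts_to_exports() {
    json="$1"
    ak=$(sts_field AccessKeyId "$json")
    sk=$(sts_field SecretAccessKey "$json")
    st=$(sts_field SessionToken "$json")
    exp=$(sts_field Expiration "$json")
    [ -n "$ak" ] && [ -n "$sk" ] && [ -n "$st" ] || return 1
    # AWS credential values never contain single quotes, so quoting is safe.
    printf "export AWS_ACCESS_KEY_ID='%s'\n" "$ak"
    printf "export AWS_SECRET_ACCESS_KEY='%s'\n" "$sk"
    printf "export AWS_SESSION_TOKEN='%s'\n" "$st"
    # Not read by the CLI; kept so scripts can tell when to re-assume.
    printf "export AWS_CREDENTIAL_EXPIRATION='%s'\n" "$exp"
}

# Usage: eval "$(assume_role arn:aws:iam::123456789012:role/ROLE_NAME 3600)"
# Prompts for the current MFA code; the long-term key stays in the CLI
# profile and only the temporary key/secret/token reach the environment.
assume_role() {
    role_arn="$1"; duration="${2:-3600}"
    printf 'MFA code: ' >&2; read -r code
    json=$(aws sts assume-role \
        --profile "${AWS_LOGIN_PROFILE:-login}" \
        --role-arn "$role_arn" \
        --role-session-name "$(whoami)-$(date +%s)" \
        --duration-seconds "$duration" \
        --serial-number "${MFA_ARN:?set MFA_ARN to your MFA device ARN}" \
        --token-code "$code")
    sts_to_exports "$json"
}
```

The role's trust policy can additionally require `aws:MultiFactorAuthPresent`, so the long-term key alone, even if leaked, cannot assume the role.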