
How do you avoid 1? It seems impossible.

Take a look at HashiCorp Vault - https://hashicorp.com/blog/vault.html

IAM roles let you assign temporary credentials to machines running scripts. The machine can then hit an internal AWS URL to get the temporary credentials. Many tools know to look for these credentials by default, e.g. boto checks for credentials in environment variables, config files, and the machine's IAM role.

And there are a few tools to emulate the metadata service locally if you need it on dev laptops, which makes it use a role as if it were a server.
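The credential lookup chain described in the two comments above (environment variables, then a credentials file, then the instance metadata service), together with a small local emulator of that service of the kind the second comment mentions, as an added example in Python that is not code from the thread, from boto or from any of the emulator tools. It assumes the IMDSv2 URL layout (PUT /latest/api/token with a TTL header, then GET /latest/meta-data/iam/security-credentials/ and /<role> with the returned token); the role name, keys, expiry and port are constructed sample values.

```python
"""Resolve AWS credentials in boto's order: env vars, credentials file, then
the EC2 instance metadata service (IMDS).  A fake IMDS on localhost lets the
whole thing run offline.  Added illustration, not boto's own code."""
import configparser
import json
import threading
from dataclasses import dataclass
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional
from urllib.request import Request, urlopen

IMDS_DEFAULT = "http://169.254.169.254"          # link-local address on a real instance
CRED_PATH = "/latest/meta-data/iam/security-credentials/"
TOKEN_PATH = "/latest/api/token"


@dataclass
class Credentials:
    access_key: str
    secret_key: str
    token: Optional[str]
    source: str  # which provider in the chain supplied them


def from_env(env) -> Optional[Credentials]:
    ak, sk = env.get("AWS_ACCESS_KEY_ID"), env.get("AWS_SECRET_ACCESS_KEY")
    return Credentials(ak, sk, env.get("AWS_SESSION_TOKEN"), "env") if ak and sk else None


def from_file(path, profile="default") -> Optional[Credentials]:
    cp = configparser.ConfigParser()
    if not cp.read(path) or profile not in cp:          # missing file or profile
        return None
    sec = cp[profile]
    if "aws_access_key_id" in sec and "aws_secret_access_key" in sec:
        return Credentials(sec["aws_access_key_id"], sec["aws_secret_access_key"],
                           sec.get("aws_session_token"), "file")
    return None


def from_imds(base_url=IMDS_DEFAULT, timeout=1.0) -> Optional[Credentials]:
    """IMDSv2 flow: PUT for a session token, then GET the role name and its creds."""
    try:
        req = Request(base_url + TOKEN_PATH, method="PUT",
                      headers={"X-aws-ec2-metadata-token-ttl-seconds": "60"})
        hdr = {"X-aws-ec2-metadata-token": urlopen(req, timeout=timeout).read().decode()}
        role = urlopen(Request(base_url + CRED_PATH, headers=hdr), timeout=timeout).read().decode().strip()
        body = json.loads(urlopen(Request(base_url + CRED_PATH + role, headers=hdr), timeout=timeout).read())
    except OSError:                                      # unreachable, refused, 4xx/5xx, timeout
        return None
    if body.get("Code") != "Success":
        return None
    return Credentials(body["AccessKeyId"], body["SecretAccessKey"], body["Token"], "imds:" + role)


def resolve(env, cred_file=None, imds_url=IMDS_DEFAULT) -> Optional[Credentials]:
    """First provider that yields credentials wins, in the same order boto uses."""
    for provider in (lambda: from_env(env),
                     lambda: from_file(cred_file) if cred_file else None,
                     lambda: from_imds(imds_url)):
        creds = provider()
        if creds:
            return creds
    return None


# ---- fake IMDS for a dev laptop (constructed sample role and credentials) ----
FAKE_ROLE = "dev-laptop-role"
FAKE_TOKEN = "imds-session-token"
FAKE_CREDS = {"Code": "Success", "AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "secret",
              "Token": "session-token", "Expiration": "2030-01-01T00:00:00Z"}


class FakeIMDS(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the example quiet
        pass

    def _send(self, code, body):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_PUT(self):  # token endpoint
        if self.path == TOKEN_PATH and "X-aws-ec2-metadata-token-ttl-seconds" in self.headers:
            self._send(200, FAKE_TOKEN)
        else:
            self._send(400, "bad request")

    def do_GET(self):  # like IMDSv2, refuse reads that carry no valid session token
        if self.headers.get("X-aws-ec2-metadata-token") != FAKE_TOKEN:
            self._send(401, "unauthorized")
        elif self.path == CRED_PATH:
            self._send(200, FAKE_ROLE + "\n")
        elif self.path == CRED_PATH + FAKE_ROLE:
            self._send(200, json.dumps(FAKE_CREDS))
        else:
            self._send(404, "not found")


def start_fake_imds():
    """Serve the fake IMDS on an ephemeral localhost port; returns (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), FakeIMDS)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


if __name__ == "__main__":
    server, url = start_fake_imds()
    print(resolve(env={}, imds_url=url))   # credentials come from the fake role
    server.shutdown()
```

Pointing `imds_url` at the fake server is what the laptop emulators do under the hood, except that they bind the real link-local address so unmodified tools find it; the point of the token step in `do_GET` is that a client which only speaks the old GET-only flow gets a 401 rather than credentials.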
