Diffstat (limited to 'doc/eclat.1man')
-rw-r--r-- | doc/eclat.1man | 68 |
1 files changed, 48 insertions, 20 deletions
diff --git a/doc/eclat.1man b/doc/eclat.1man index 9560e81..5030d7f 100644 --- a/doc/eclat.1man +++ b/doc/eclat.1man @@ -13,7 +13,7 @@ .\" .\" You should have received a copy of the GNU General Public License .\" along with Eclat. If not, see <http://www.gnu.org/licenses/>. -.TH ECLAT 1 "January 19, 2015" "ECLAT" "Eclat User Reference" +.TH ECLAT 1 "January 20, 2015" "ECLAT" "Eclat User Reference" .SH NAME eclat \- EC2 Command Line Administrator Tool .SH SYNOPSIS @@ -119,12 +119,32 @@ separated by dots. .SH AUTHENTICATION Requests are authenticated using a pair of strings: access key and secret key. Their function is similar to that of username/password in -traditional authentication schemes. Both keys can be specified in the -command line, but such usage is insecure as the arguments can easily +traditional authentication schemes. These values are obtained from +.IR authentication provider . +There are three types of authentication providers: +.IR immediate , +.IR file , +and +.IR instance\-store . +.SS Immediate Provider +Both keys are specified in the command line, using +.BR \-O " (" \-\-access\-key ) +and +.BR \-W " (" \-\-secret\-key ) +options. This usage is insecure as the arguments can easily be seen by other users (e.g. in the .BR ps (1) -output). The preferred way is to store them in a file protected by -appropriate permissions. Each line in such a file (named for short +output). +.SS File Provider +The \Ifile\fR provider is requested by the following statement in +the configuration file: +.PP +.EX +authentication\-provider file \fIFILENAME\fR; +.EE +.PP +The credentials are stored them in a file protected by appropriate +permissions. Each line in such a file (named for short \fBaccess\-file\fR) lists access key and the corresponding secret key, separated by a colon. Empty lines are ignored, as well as lines starting with a \fB#\fR sign, except as immediately followed by a 
@@ -133,24 +153,32 @@ can be used to identify this line. The tag consists of all the characters following the \fB#:\fR marker up to the first whitespace character (newline being counted as a white space). .PP -The access file is set up using the \fBaccess\-file\fR configuration -file statement. The argument to this statement is treated as a shell -globbing pattern: all files matching this pattern are attempted in -turn, until a keypair is identified, using the algorithm described -below. If an access file cannot be opened due to insufficient -privileges, no error message is issued (unless the debugging level -\fBmain.1\fR or higher is requested). This allows you to have different -access files for use by different groups of users. -.PP -If the \fB\-\-access\-key\fR option is used, its argument is the -access key or tag to look for in the access file. Otherwise, +The \fIFILENAME\fR argument is treated as a shell globbing pattern: +all files matching this pattern are attempted in turn, until a keypair +is identified, using the algorithm described below. If an access file +cannot be opened due to insufficient privileges, no error message is +issued (unless the debugging level \fBmain.1\fR or higher is +requested). This allows you to have different access files for use by +different groups of users. +.PP +If the \fB\-O\fR (\fB\-\-access\-key\fR) option is used, its argument +is the access key or tag to look for in the access file. Otherwise, .B eclat selects the first available key pair. +.SS Instance\-store Provider +The program tries to obtain credentials from the instance store, using +the preconfigured IAM role name. +.PP +This provider type is configured by the following configuration statement: +.PP +.EX +authentication\-provider instance\-store \fIROLE\fR; +.EE +.PP +where \fIROLE\fR is the name of a IAM role. .PP -If the access key is not found in the access file, it is assumed to be -a name of the \IIAM\fR role. 
The program then tries to obtain -credentials from the instance store. This attempt will succeed only -if \fBeclat\fR is run on an EC2 instance which is assigned a role upon +This provider is recommended for use when you run \fBeclat\fR on an +EC2 instance which is assigned a role upon its creation (see .BR http://docs.aws.amazon.com/IAM/latest/UserGuide/roles-usingrole-ec2instance.html ) .SH MAPS |
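Review bot: in the File Provider subsection of the second hunk (@@ -119,12 +119,32 @@), `The \Ifile\fR provider` uses `\I`, which is not a troff font escape; it should be `\fIfile\fR` so the word renders in italics instead of as stray characters (note that the same typo, `\IIAM\fR`, is being deleted in the following hunk, so this hunk reintroduces it). In the same subsection, "The credentials are stored them in a file" should read "The credentials are stored in a file", and "obtained from .IR authentication provider ." reads better as "obtained from an authentication provider". Because the file provider's protection of the secret key rests entirely on the file's permissions, consider replacing "appropriate permissions" with the concrete expectation (readable and writable by the owner only), so administrators know exactly what the program assumes.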
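Review bot: in the third hunk (@@ -133,24 +153,32 @@), the removed paragraph stated that the instance-store lookup "will succeed only if \fBeclat\fR is run on an EC2 instance which is assigned a role upon its creation"; the replacement, "This provider is recommended for use when you run \fBeclat\fR on an EC2 instance which is assigned a role", turns a hard requirement into a recommendation, so readers lose the failure condition. Suggest keeping it explicit, e.g. "This provider works only when \fBeclat\fR runs on an EC2 instance that was assigned the role at creation". The hunk also drops the documented fallback from the access file to an IAM role: if the file provider no longer consults the instance store when no key pair matches, the File Provider text should say what happens in that case and that the two providers are not chained. Minor: "a name of a IAM role" should be "the name of an IAM role", and "the preconfigured IAM role name" in the first sentence of the subsection could refer to the \fIROLE\fR argument introduced just below it.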