PMM and IAM Roles

I started to use Percona Monitoring and Management (PMM) recently because it seems promising, and my friends from Percona have always recommended trying it out; frankly, at first sight, I like it.

There are a few things I am not happy about, but mostly I feel OK – and when it comes to the price/value evaluation it gets even better – it is free.

However, I found a really disturbing problem that is bugging me – it needs AWS credentials to discover hosts on RDS. Let me show you.

meh

In AWS, it is generally a good idea not to use access keys, but to create IAM roles and assign those roles to resources. That way you don’t have to worry about keeping secret keys in a safe place; you can directly say, ‘this host can do this and that’. For example, I have a DB management node, which is an EC2 instance in the same subnet as my database hosts. If I want to reach those machines, I open a VPN connection to our VPC, ssh to the DB management host, and I can do whatever I have to do: I can dump data there, I can get access to the databases with mysqlcli, I can run awscli commands on our database clusters, etcetera. And needless to say, I don’t have to give any secret key of any user there, because the host is associated with an IAM role called ‘rds-management’, and that role has every right I need.

Actually, the entire setup process would be way better if the PMM instance supported this, because then the user wouldn’t even have to provide the instance ID at the start: PMM would be able to query it by itself, as in


    import boto.utils  # legacy boto 2 helper that reads the EC2 instance metadata service

    meta = boto.utils.get_instance_metadata()
    instance_id = meta['instance-id']  # e.g. 'i-0123456789abcdef0'

And frankly, the best thing about this is that nobody has to do anything except skip the window where the user has to enter the AWS credentials on the “PMM Add Instance” page. (And OK, maybe query the instance ID at the beginning of the app setup.)
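To make the two points above concrete (the IAM-role argument and the instance-metadata lookup), here is an added example of what such a discovery step could look like. This is not PMM's code and not the author's; it assumes a host with an instance profile attached, IMDSv2 reachable at 169.254.169.254, an IAM role allowed to call rds:DescribeDBInstances (the post's ‘rds-management’ role is presumably broader), and boto3 installed for the live path. The sample RDS response and the fake metadata service are constructed so the module runs offline; the real boto3 client is only created when the script is run as a program.

```python
"""Discover RDS instances from an EC2 host using its IAM instance role.

Added example, not PMM's code. Assumptions (not from the original post):
an instance profile is attached, IMDSv2 is reachable, and the role may
call rds:DescribeDBInstances.
"""
import urllib.request

IMDS = "http://169.254.169.254"

# Minimal IAM policy the instance role needs just for discovery
# (constructed least-privilege example, not the post's actual role policy).
DISCOVERY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["rds:DescribeDBInstances"],
        "Resource": "*",
    }],
}


def _http(method, url, headers=None, timeout=2):
    """Tiny HTTP helper for IMDS; tests substitute a fake."""
    req = urllib.request.Request(url, method=method, headers=headers or {})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


def get_instance_id(http=_http):
    """Read this host's instance id via IMDSv2.

    The PUT-for-a-token step is the whole point of IMDSv2: a plain GET
    from something like an SSRF bug gets nothing without the token.
    """
    token = http("PUT", f"{IMDS}/latest/api/token",
                 {"X-aws-ec2-metadata-token-ttl-seconds": "60"})
    return http("GET", f"{IMDS}/latest/meta-data/instance-id",
                {"X-aws-ec2-metadata-token": token})


def discover_rds(rds_client):
    """Return (identifier, endpoint, port, engine) for each RDS instance.

    rds_client is a boto3 RDS client (or anything with the same
    get_paginator interface). With an instance profile attached, boto3's
    default credential chain fetches short-lived role credentials from
    IMDS, so no access key is typed into a form or stored on disk.
    """
    hosts = []
    for page in rds_client.get_paginator("describe_db_instances").paginate():
        for db in page["DBInstances"]:
            endpoint = db.get("Endpoint")
            if not endpoint:
                continue  # instance still being created, no endpoint yet
            hosts.append((db["DBInstanceIdentifier"], endpoint["Address"],
                          endpoint["Port"], db["Engine"]))
    return hosts


def make_rds_client(region):
    """Live client; boto3 is imported lazily so the module loads without it."""
    import boto3
    return boto3.client("rds", region_name=region)


# --- constructed offline doubles (assumed sample data, not real hosts) ---
class FakeImds:
    """Mimics IMDSv2: hands out a token on PUT, demands it on GET."""
    def __init__(self):
        self.calls = []

    def __call__(self, method, url, headers=None, timeout=2):
        self.calls.append((method, url, headers or {}))
        if method == "PUT":
            return "fake-token"
        if (headers or {}).get("X-aws-ec2-metadata-token") != "fake-token":
            raise PermissionError("IMDSv2 token missing")
        return "i-0123456789abcdef0"


SAMPLE_DESCRIBE_RESPONSE = {"DBInstances": [
    {"DBInstanceIdentifier": "prod-db", "Engine": "mysql",
     "Endpoint": {"Address": "prod-db.example.rds.amazonaws.com", "Port": 3306}},
    {"DBInstanceIdentifier": "new-db", "Engine": "mysql"},  # still creating
]}


class StaticRdsClient:
    """Stand-in for boto3's RDS client returning the constructed sample page."""
    def get_paginator(self, name):
        assert name == "describe_db_instances"
        return type("P", (), {"paginate": staticmethod(lambda: iter([SAMPLE_DESCRIBE_RESPONSE]))})()


if __name__ == "__main__":
    print("instance id:", get_instance_id(FakeImds()))
    for row in discover_rds(StaticRdsClient()):
        print(*row)
```

Run it as a script to see the offline walk-through; on an EC2 host with the role attached, swap in `get_instance_id()` and `discover_rds(make_rds_client("<region>"))` and the only thing that changes is that no key ever appears in the code or a form.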