evannuil / aws-snapshot-tool

A Python/Boto script that automates snapshot making of EBS volumes and rotating.

Should use instance role permissions instead of access keys

preflightsiren opened this issue · comments

It'd be great if we didn't need to provide access keys in the config, and instead utilise Amazon's EC2 instance profile - http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html

I see what you mean, but at the moment I'm running this script on 1 server outside AWS for many different customers; each customer has its own config. Also, the development of the script has been put on hold for a while because we made a newer version with a GUI and also multiple schedules, retentions and authorizations. This is a product of Oblivion Cloud Control (http://oblcc.com)
But I will make some small updates to this script in the near future.

I agree - this would be a really good feature to have for security.

commented

Has anyone tried using assume-role and snapshotting multiple AWS accounts using this method? I noticed the config.py mentions, "(alternatively can be set up as environment variables)", but how do I set it up as environment variables? I tried assume-role, parsing out the information then assigning to $aws_access_key and $aws_secret_key, but it ran the snapshot in the AWS environment where the aws-snapshot-tool is installed.

I have the trust set up between the two AWS accounts. I want to run across multiple AWS accounts so I don't have to run a single instance in each AWS account just for backups, and it wouldn't be helpful to set up the aws-snapshot-tool on a different server in each environment.

For me, the solution was to change the config to

'aws_access_key': False,
'aws_secret_key': False,

and upgrade Boto to at least version 2.5.1 (pip install -U boto==2.5.1).

What will happen is that Boto will automatically find your IAM instance profile and use it for authentication. No credentials needed!
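An added example (not code from aws-snapshot-tool or from anyone in this thread) of how a Boto 2 script could handle both cases raised above: no static keys on an instance with a role, and temporary credentials from assume-role for another account. The names `connection_kwargs` and `connect`, the `region` parameter, the session name and the sample values in the comments are hypothetical.

```python
def connection_kwargs(config, assumed_creds=None):
    """Return keyword arguments for a boto 2 connect call.

    config uses the 'aws_access_key' / 'aws_secret_key' keys shown above.
    assumed_creds is the .credentials object returned by STS assume_role.
    """
    if assumed_creds is not None:
        # Temporary credentials are rejected unless the session token
        # is sent along with the access key and secret key.
        return {
            "aws_access_key_id": assumed_creds.access_key,
            "aws_secret_access_key": assumed_creds.secret_key,
            "security_token": assumed_creds.session_token,
        }
    key = config.get("aws_access_key")
    secret = config.get("aws_secret_key")
    if key and secret:
        return {"aws_access_key_id": key, "aws_secret_access_key": secret}
    if key or secret:
        # Half a key pair is a config mistake; fail instead of silently
        # authenticating as whatever identity the host happens to have.
        raise ValueError("set both aws_access_key and aws_secret_key, or neither")
    # No arguments: boto looks up credentials itself (environment,
    # boto config file, then the EC2 instance profile).
    return {}


def connect(config, region, role_arn=None, session_name="snapshot-run"):
    """Open an EC2 connection, optionally inside another account's role."""
    import boto
    import boto.ec2  # imported here so the helper above works without boto

    assumed = None
    if role_arn:
        # Authenticate to STS with the base identity, then switch to the role.
        sts = boto.connect_sts(**connection_kwargs(config))
        assumed = sts.assume_role(
            role_arn=role_arn, role_session_name=session_name
        ).credentials
    return boto.ec2.connect_to_region(
        region, **connection_kwargs(config, assumed)
    )


# Constructed usage (placeholder account id and role name):
# conn = connect({"aws_access_key": False, "aws_secret_key": False},
#                "eu-west-1",
#                role_arn="arn:aws:iam::111111111111:role/ExampleSnapshotRole")
```

Calling `connect` once per role ARN lets a single instance with a role iterate over several accounts without any long-lived keys in the config.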