That was what I wanted to know, too. Ever since IAM launched, I've been wanting to authenticate ssh against it. Sadly, the docs all seem to specifically say EC2 instances running windows.
I'm not able to spin up an instance to test with this week .. but if my linux hosts -inside- my network can auth to my corporate AD (and they can!) I don't know why an AWS EC2 instance would be different.
Amazon is systematically adding service upon service to their offering. I'll be interested to see where this ends up once they're all tightly integrated and working together.
Well, when we looked at moving stuff to the 'cloud', Amazon offers so so much. In effect Amazon can provide a vendor lock-in through the range of services (and their quality) it provides. That is in no way a bad thing, but just shows how other 'cloud' providers need to keep playing catch-up.
It's also an architecture consideration for the way we develop. Yes, you want to use this Amazon feature, but if you do, moving to another provider becomes harder (e.g. we're looking to use SQS, but know if we moved provider I'd need to implement my own solution for that, probably RabbitMQ).
To rehash a classic phrase: "Nobody ever got fired for buying Amazon."
Anyone think a remote directory service would work well if a lot of your infrastructure is hosted elsewhere? I wonder if latency would become an issue.
Also, how hard is it to set up/care/feed a basic directory service? I've toyed with FreeIPA which was easy (http://www.freeipa.org/page/Main_Page, based on 389 DS). I actually did not realize Samba now includes a directory service and might check that out.
> Also, how hard is it to set up/care/feed a basic directory service?
Setting one up is pretty easy. The problem comes in when you find yourself depending on it, and then it gets out of whack, or Just Grows and you've got OUs and CNs all over the place.
At my last employer - a mid-sized manufacturer - we had several Tier II apps. These must be in working order or production is shut down. The shop floor application. Core ERP. Email. Above II is I which are applications that must exist or the company cannot operate.
There was only one Tier I application: Active Directory.
I burned a couple of weeks trying to set up a replicated FreeIPA environment. I was amazed that I could start with a brand new instance, run the same script and end up with different problems every time.
I can't say for certain, but I'd think a lot of this is actually built on top of OpenLDAP, with Samba just providing the compatibility layer for Windows clients.
Since a big AWS selling point is headcount savings from outsourcing systems expertise, you would ideally be hiring an infrastructure engineer to implement the RabbitMQ, or at least to smooth the way.
"Lock-in through the range of services" is key. You can go all-in on AWS and use RDS, Directory Service, EMR and still be able to move off AWS and use the open source systems beneath. Granted, there are services like S3 that are proprietary, but on the other hand you can move to something like Riak CS that provides API compatibility with S3.
Well, a lot of the concepts we expect from a computer OS apply to distributed systems. AWS, in a few years, might end up looking less like an IaaS and more like a PaaS platform, a Linux distribution for clusters if you wish.
That is, you could treat AWS/any cloud as a distributed OS for clusters, with VMs/containers as processes/threads and services as packages.
It's more or less already roughly the case. Well, IMHO, it's the maturation path for the cloud I can imagine.
It's nice to see bridges being made to corporate. AWS allowing AD auth or Chrome supporting security policies. We might dislike a lot of these technologies but if ever we're to replace them it won't be by a rip and replace, but rather a slow migration.
I didn't see any reference to it in the documentation, but I wonder if they'll provide an HTTP API for authenticating against these directories (or providing delegated auth services when connected to an on-premise AD instance).
It's looking to me like you add users either through their "Simple AD" exporter, or you have to use "Active Directory Administration Tools"... there's no way to add my users etc. directly into their directory? http://docs.aws.amazon.com/directoryservice/latest/adminguid...
I can't tell if you are joking about the fact that Microsoft had support for their proprietary solution, Active Directory, in their cloud before Amazon...
This article does not mention handling directory services between short lived EC2 instances and SQL Server. Right now the guidance is to use SQL Server Auth; but Windows Auth would be far better to use, especially in these circumstances.
The question I have is whether I can use this as a central auth system the other way. AD is expensive as crap, but if this is self-healing and self-backup, then it's a good idea for us. Frankly, anything is better than Open Directory.
Primarily to manage Windows accounts on Windows EC2 instances. Google Apps authentication covers websites via OAuth and OpenID, but not local user accounts on systems like Windows, Linux, and OS X.