Shopify · rberger · Oct 31, 2014 · Nov 2, 2014
diff --git a/README.md b/README.md
@@ -79,8 +79,30 @@ Create a 10GB volume with 1000 provisioned iops, format it with XFS, and mount i
 
 `mount_options` are optional and will default to `noatime,nobootwait` on all platforms except Amazon linux, where they will default to `noatime`.
 
+> Note: The letter suffix for the `/dev/sd<letter>` / `/dev/xvd<letter>` is automatically generated starting at `f` or after any existing ids.
+
 ## Credentials
 
+### IAM Role Supplied Credentials
+
+You can use the IAM Role supplied Credentials by setting the `ebs[:creds][:iam_role]` to true and to be safe `ebs[:creds][:encrypted]` to false:
+
+```ruby
+{
+  :ebs => {
+    :creds => {
+      :iam_role => true
+      :encrypted => false
+    }
+  }
+}
+```
+
+Of course you must have set up the proper IAM Role as describe in the [Opscode AWS Cookbook](https://github.com/opscode-cookbooks/aws#using-iam-instance-role)
+and the AWS Document [IAM Roles for Amazon EC2](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html)
+
+### Explicit Credentials from Databag
+
 Expects a `credentials` databag with an `aws` item that contains `aws_access_key_id` and `aws_secret_access_key`.
 
 You can override the databag and item names with `node[:ebs][:creds][:databag]`, and `node[:ebs][:creds][:item]`, but the key names are static.

diff --git a/attributes/default.rb b/attributes/default.rb
@@ -3,6 +3,7 @@
 default[:ebs][:creds][:aki] = "aws_access_key_id"
 default[:ebs][:creds][:sak] = "aws_secret_access_key"
 default[:ebs][:creds][:encrypted] = true
+default[:ebs][:creds][:iam_role] = false
 default[:ebs][:volumes] = {}
 default[:ebs][:raids] = {}
 default[:ebs][:mdadm_chunk_size] = '256'

diff --git a/recipes/persistent.rb b/recipes/persistent.rb
@@ -5,8 +5,12 @@
                  1) if ! node['ebs']['raids'].find{|k0,v0| k0 == 'persistent_volumes'}.nil?
 
 include_recipe "aws"
-# get aws credentials
-aws = data_bag_item(node['ebs']['creds']['databag'], node['ebs']['creds']['item'])
+unless node[:ebs][:creds][:iam_role]
+  # get aws credentials
+  aws = data_bag_item(node['ebs']['creds']['databag'], node['ebs']['creds']['item'])
+else
+  aws = nil
+end
 
 devices = Dir.glob('/dev/xvd*')
 if devices.empty?
@@ -29,8 +33,8 @@
         next_mount.succ!
         Chef::Log.info("Attaching #{thisvol} to #{mount}")
         aws_ebs_volume mount do
-          aws_access_key aws['aws_access_key_id']
-          aws_secret_access_key aws['aws_secret_access_key']
+          aws_access_key aws['aws_access_key_id'] if aws
+          aws_secret_access_key aws['aws_secret_access_key'] if aws
           device mount
           volume_id thisvol
           action :nothing

diff --git a/recipes/raids.rb b/recipes/raids.rb
@@ -8,10 +8,14 @@
   ignore_failure true
 end
 
-if node[:ebs][:creds][:encrypted]
-  credentials = Chef::EncryptedDataBagItem.load(node[:ebs][:creds][:databag], node[:ebs][:creds][:item])
+unless node[:ebs][:creds][:iam_role]
+  if node[:ebs][:creds][:encrypted]
+    credentials = Chef::EncryptedDataBagItem.load(node[:ebs][:creds][:databag], node[:ebs][:creds][:item])
+  else
+    credentials = data_bag_item node[:ebs][:creds][:databag], node[:ebs][:creds][:item]
+  end
 else
-  credentials = data_bag_item node[:ebs][:creds][:databag], node[:ebs][:creds][:item]
+  credentials = nil
 end
 
 node[:ebs][:raids].each do |device, options|
@@ -28,8 +32,8 @@
       next_mount = next_mount.succ
 
       aws_ebs_volume mount do
-        aws_access_key credentials[node.ebs.creds.aki]
-        aws_secret_access_key credentials[node.ebs.creds.sak]
+        aws_access_key credentials[node.ebs.creds.aki] if credentials
+        aws_secret_access_key credentials[node.ebs.creds.sak] if credentials
         size options[:disk_size]
         device mount
         availability_zone node[:ec2][:placement_availability_zone]

diff --git a/recipes/volumes.rb b/recipes/volumes.rb
@@ -5,20 +5,26 @@
 
   # create ebs volume
   if !options[:device] && options[:size]
-    if node[:ebs][:creds][:encrypted]
-      credentials = Chef::EncryptedDataBagItem.load(node[:ebs][:creds][:databag], node[:ebs][:creds][:item])
+    unless node[:ebs][:creds][:iam_role]
+      if node[:ebs][:creds][:encrypted]
+        credentials = Chef::EncryptedDataBagItem.load(node[:ebs][:creds][:databag], node[:ebs][:creds][:item])
+      else
+        credentials = data_bag_item node[:ebs][:creds][:databag], node[:ebs][:creds][:item]
+      end
     else
-      credentials = data_bag_item node[:ebs][:creds][:databag], node[:ebs][:creds][:item]
+      credentials = nil
     end
 
     devices = Dir.glob('/dev/xvd?')
     devices = ['/dev/xvdf'] if devices.empty?
     devid = devices.sort.last[-1,1].succ
+    # Should not use b - e as they are reserved for ephemeral disks
+    devid = "f" if devid < "f"
     device = "/dev/sd#{devid}"
 
     vol = aws_ebs_volume device do
-      aws_access_key credentials[node.ebs.creds.aki]
-      aws_secret_access_key credentials[node.ebs.creds.sak]
+      aws_access_key credentials[node.ebs.creds.aki] if credentials
+      aws_secret_access_key credentials[node.ebs.creds.sak] if credentials
       size options[:size]
       device device
       availability_zone node[:ec2][:placement_availability_zone]