I need to provide access to manage the production cluster from our CI tools. Access should not be granted via the AWS key-pair that was used to create the swarm using the CloudFormation template provided by Docker for AWS.
When the boxes are set up, the only way to access them is via SSH using the main key-pair. The Docker socket is not opened, and no other users have access to the system. As the nodes are part of auto-scaling groups, any change made directly on those nodes will not survive when instances are replaced by AWS scaling. As far as I understand, we should not tinker around with the AMIs (create our own with those users added).
The only solution I can see right now is to modify the userdata in the launch configurations assigned to the auto-scaling groups and add some user-initializing code there. But maybe I am missing some other, better solution. Any recommendations?