Creating S3 IAM roles for an EC2 Instance


Challenge 005

As a cloud engineer, you need to grant an EC2 instance permission to access an S3 bucket. By default, EC2 instances have no permission to access any S3 bucket, so you must configure the necessary permissions explicitly. You also need to query and manipulate the bucket from the EC2 instance.

Solution

The solution will be implemented using the AWS Console.

  • Log in to the console and open the IAM service

  • On the left panel click Roles

We are going to create a new role for the EC2 instance

  • Click Create Role

  • Choose AWS Service

  • For the use case, choose EC2

  • Click Next

In this step we add permissions policies. You can use the AWS-managed policies or create a new policy based on your needs.

  • Since the challenge requires a policy scoped to one specific bucket, we will create a new policy

  • Select Create Policy and use the JSON tab. I will specify the actions my use case needs, which are List, Read and Write, and specify the bucket ARN as the resource. Both ARNs are required: s3:ListBucket is evaluated against the bucket ARN, while s3:GetObject and s3:PutObject are evaluated against the object ARNs (the /* form)

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Sid": "VisualEditor0",
                  "Effect": "Allow",
                  "Action": [
                      "s3:PutObject",
                      "s3:GetObject",
                      "s3:ListBucket"
                  ],
                  "Resource": [
                      "arn:aws:s3:::cloudforcebucketnew",
                      "arn:aws:s3:::cloudforcebucketnew/*"
                  ]
              }
          ]
      }

  • Click Next

  • Review and create the policy and the role

The new role will be created.

The next step is to attach the role to your EC2 instance

  • Head over to your EC2 instances

  • Select the EC2 instance to which you would like to attach the role

  • In the Actions menu, select Security and click Modify IAM role

  • Select the role you created by name

  • Click Update IAM role

The IAM role is now attached to the EC2 instance
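The same role, policy and attachment as a repeatable AWS CLI script, as an added example that is not part of the original post. BUCKET, ROLE_NAME and INSTANCE_ID are assumed placeholders; the permissions policy is split so that the bucket-level action is granted on the bucket ARN and the object actions on the object ARNs, and the instance profile step that the console performs silently is made explicit.

```shell
# Added example, not from the original post. BUCKET, ROLE_NAME and INSTANCE_ID
# are assumed placeholders; set them before calling apply_role.
set -eu
BUCKET="${BUCKET:-cloudforcebucketnew}"
ROLE_NAME="${ROLE_NAME:-ec2-s3-cloudforcebucketnew}"
INSTANCE_ID="${INSTANCE_ID:-i-PLACEHOLDER}"

# Trust policy: only the EC2 service may assume the role (the "AWS service /
# EC2" use case chosen in the console wizard).
trust_policy() {
cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                 "Principal": {"Service": "ec2.amazonaws.com"}}]
}
EOF
}

# Permissions policy scoped to one bucket: s3:ListBucket is evaluated against
# the bucket ARN, the object actions against the object ARNs ("/*").
bucket_policy() {
cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ListThisBucket", "Effect": "Allow",
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::$1"},
    {"Sid": "ReadWriteObjects", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::$1/*"}
  ]
}
EOF
}

# Creates the role, the policy and the instance profile (the console creates
# the profile for you; the CLI does not), then attaches it to the instance.
apply_role() {
  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(trust_policy)"
  policy_arn=$(aws iam create-policy --policy-name "$ROLE_NAME-policy" \
    --policy-document "$(bucket_policy "$BUCKET")" --query Policy.Arn --output text)
  aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$policy_arn"
  aws iam create-instance-profile --instance-profile-name "$ROLE_NAME"
  aws iam add-role-to-instance-profile \
    --instance-profile-name "$ROLE_NAME" --role-name "$ROLE_NAME"
  aws ec2 associate-iam-instance-profile --instance-id "$INSTANCE_ID" \
    --iam-instance-profile Name="$ROLE_NAME"
}
```

Source the file and run apply_role once the three variables are set; trust_policy and bucket_policy only print JSON and can be reviewed first.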

We can now access S3 through the EC2 instance

  • Connect to the instance

  • You can test it by listing the contents of the bucket. Note that a bare aws s3 ls, which lists every bucket in the account, would be denied because the policy does not grant s3:ListAllMyBuckets

aws s3 ls s3://cloudforcebucketnew

You can also list all objects recursively, including those in subdirectories (prefixes), with

aws s3 ls s3://cloudforcebucketnew --recursive

And that's how you can create an IAM role for your EC2 instance to access an S3 bucket.