An IAM role in AWS determines what an identity can and cannot do, through the set of permission policies attached to it. A role has no long-term credentials such as a password or access keys associated with it. Instead, it issues temporary credentials that let a user or service interact with AWS services. A role can be used by an IAM user in the same account as the role. It also removes the need to store AWS access keys on the resource that interacts with other services.
In this article we discuss how to secure access to the S3 service from a Linux EC2 instance using an IAM role. The topics are as follows:
- Create an IAM role for EC2
- Assign an IAM role to EC2
- Access s3 service from EC2 application
Create an IAM role for EC2
1. Sign in to the AWS Console (link) and open the IAM service
2. Click on Roles and then Create Role
3. Select Type of Trust Entity
Here we select EC2 for this role, so that the instance can interact with AWS services on your behalf.
4. Attach a Policy to the Role
Here, search for s3 and select AmazonS3ReadOnlyAccess
5. Add Tags (Optional)
6. Click on Review
Provide a name for the role and then click on Create Role
Once you click on Create Role, the role is created and you can find it in the Roles dashboard.
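As an added illustration (not code from the original post), here are the policy documents behind steps 3 and 4 as Python dicts so they can be checked: the EC2 trust policy the console creates, the shape of the managed AmazonS3ReadOnlyAccess policy, which reads every bucket in the account, and a tighter bucket-scoped alternative that goes beyond what the post configures. The bucket name, the policy_findings helper and its list of write-action prefixes are assumptions of this example.

```python
# Trust policy the console creates when EC2 is chosen as the trusted entity
# (step 3): it lets the EC2 service assume this role on the instance's behalf.
TRUST_POLICY_EC2 = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "ec2.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}

BUCKET = "example-app-bucket"  # constructed placeholder, not a real bucket

# Shape of the managed AmazonS3ReadOnlyAccess policy from step 4: read-only
# actions, but on Resource "*", i.e. every bucket the account can reach.
MANAGED_READ_ONLY_SHAPE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"],
                   "Resource": "*"}],
}

# Tighter alternative with the same read-only intent, limited to one bucket.
BUCKET_SCOPED_READ = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ListOneBucket", "Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": f"arn:aws:s3:::{BUCKET}"},
        {"Sid": "GetOneBucket", "Effect": "Allow", "Action": "s3:GetObject",
         "Resource": f"arn:aws:s3:::{BUCKET}/*"},
    ],
}

# Assumed list of S3 action prefixes that can modify data (not exhaustive).
WRITE_PREFIXES = ("s3:Put", "s3:Delete", "s3:Create", "s3:Abort", "s3:Restore")

def _as_list(value):
    return [] if value is None else value if isinstance(value, list) else [value]

def policy_findings(policy):
    """List why a policy is broader than 'read one bucket'; [] if it is not."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if action in ("*", "s3:*") or action.startswith(WRITE_PREFIXES):
                findings.append(f"statement {i}: write-capable action {action}")
        for res in _as_list(stmt.get("Resource")):
            if res in ("*", "arn:aws:s3:::*"):
                findings.append(f"statement {i}: resource {res} spans all buckets")
    return findings
```

Running policy_findings over the managed policy shape reports the unscoped resource, while the bucket-scoped policy and the trust policy come back clean.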
Assign an IAM role to EC2
Here, we already have an EC2 instance running without an IAM role. We attach the IAM role created in the previous step to this existing instance.
You could also launch a new instance with the IAM role, as shown below. Refer to (link) for how to launch an EC2 instance in AWS.
1. Go to the AWS EC2 Console and select the EC2 instance
As you can see, the current instance does not have any IAM role assigned yet.
2. Click on Actions and select Attach/Replace IAM Role
3. Select your IAM role from the drop-down and click on Apply
4. Verify the Role
Access s3 from EC2 application
In this section, we enable a secure connection to S3 from EC2 using the IAM role. As you know, we created the IAM role with the AmazonS3ReadOnlyAccess permission, which means the application running on the EC2 instance is allowed read-only access to S3. No write operation is allowed with this role. Let's demonstrate this.
1. Log in to your EC2 instance as the root user
2. Access s3 from EC2
We already have a Python 3 application running on the server. With this role attached, we try to retrieve the content of an object from the S3 bucket using a Python program. The two use cases for this role are the following:
Case 1- Verify s3 read only access from EC2
- Create a file cons3fromEC2Role.py using the vi editor with the code snippet below and save it.
import boto3

# Placeholders: replace with your bucket name and object key.
bucket = '<Bucket-Name>'
key = '<Object-Name>'

# No access keys are passed here: boto3 obtains temporary credentials for the
# IAM role attached to this instance from the EC2 instance metadata service.
s3 = boto3.resource('s3')
obj = s3.Object(bucket, key)
body = obj.get()['Body'].read().decode('utf-8')
print(body)
- Run the program: python3 cons3fromEC2Role.py
Case 2 – Verify s3 Write access from EC2
- Create another file Loads3EC2Role.py with the code below and save it.
import boto3

# Placeholders: replace with a local file path, your bucket name and the target key.
s3 = boto3.resource('s3')

# This is a write (PutObject); with AmazonS3ReadOnlyAccess attached the call
# raises botocore.exceptions.ClientError with an AccessDenied error code.
s3.meta.client.upload_file(Filename='<EC2_File_Location>',
                           Bucket='<Bucket-Name>',
                           Key='<s3_File_Name>')
- Run the program: python3 Loads3EC2Role.py
As expected, the file upload (write) operation fails because the IAM role grants no write permission.
We are able to establish read access to S3 from EC2 using the role. I hope this blog helps you set up an IAM role to access S3 resources without the use of access keys in AWS.