Scenario:
An application running on an Amazon EC2 instance needs to access an Amazon S3 bucket to read and write files. However, you do not want to hardcode the AWS access key and secret access key in the EC2 instance.
Solution:
You can use an IAM role to grant the EC2 instance the necessary permissions to access the S3 bucket.
To set this up, you would create an IAM role with permissions to access the S3 bucket and then attach the role to the EC2 instance. The EC2 instance can then use the role's temporary security credentials to access the S3 bucket.
To create an IAM role and attach it to an Amazon Elastic Compute Cloud (EC2), and then allow the EC2 instance to access an Amazon Simple Storage Service (S3)bucket using the command line. Here's an example of how you might do this:
First of all, please make sure to configure the AWS CLI.
Step 1:
Once the CLI is configured, you can create an IAM policy using the create-policy command. For example, to create a policy called "s3-access-policy.json" with permissions to access S3, you might use a command like this:
aws iam create-policy --policy-name s3-access-policy --policy-document file://s3-access-policy.json
The s3-access-policy.json file in this example would contain a JSON document describing the permissions that you want to grant to the role. You can find more information on creating policy documents at Policies and permissions in IAM
Here's an example policy document that would allow the policy to read and write objects in an S3 bucket called my-s3-bucket1232023:
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetObject",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::my-s3-bucket1232023",
"arn:aws:s3:::my-s3-bucket1232023/*"
]
}]
}
Step 2:
Create an policy which is an JSON file that defines trust relationship of IAM role like here we are creating ec2-assume-policy.json file which would contain a JSON document describing the permissions that you want to grant to the role.
Here's an example policy document that would allow the role to be assumed by EC2 instances:
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}]
}
Step 3:
Once the trust policy has been created, you can create an IAM role using the create-role command. you can create an IAM Role using 'create-role' command from aws-cli-create-role-command-docs
aws iam create-role --role-name MyEC2RoleToAccessS3 --assume-role-policy-document file://ec2-assume-policy.json
Step 4:
Once the role has been created, you can attach it to an EC2 Instance using the attach-role-policy command as seen below.
`aws iam attach-role-policy --role-name MyEC2RoleToAccessS3 --policy-arn "arn:aws:iam::642434777320:policy/s3-access-policy"`
Step 5:
Call the create-instance-profile command, followed by add-role-to-instance-profile command to create the IAM Instance profile MyEC2RoleToAccessS3
aws iam create-instance-profile --instance-profile-name MyEC2RoleToAccessS3InstProfile
aws iam add-role-to-instance-profile --role-name MyEC2RoleToAccessS3 --instance-profile-name MyEC2RoleToAccessS3InstProfile
Step 6:
Finally, attach the IAM role to an existing EC2 instance that was originally launched without an IAM role using the associate-iam-instance-profile command to attach the instance profile MyEC2RoleToAccessS3 for the newly created IAM Role, MyEC2RoleToAccessS3. For example:
aws ec2 associate-iam-instance-profile --instance-id i-0963e29cdd7ce325f --iam-instance-profile Name=MyEC2RoleToAccessS3InstProfile
After performing all these 6 steps, an EC2 instance will be associated using given IAM Role MyEC2RoleToAccessS3, and Now, the EC2 instance will have the necessary permissions to access the S3 bucket through the IAM role.
As we have given permission for only accessing the specific bucket (my-s3-bucket1232023), that's why we are only available to access that and not able to access any other bucket except this.
