
How to create AWS IAM Role and connect S3 with EC2

Elite Cloud

AWS IAM provides many different methods to securely manage the services provided by AWS. One of these is the IAM Role, which lets users avoid storing long-lived credentials, thus reducing the risk of unauthorized access. With a role, short-lived temporary credentials are issued to the AWS service automatically.


In this article, we will look at how to use an IAM Role to access S3 from EC2 instances. Notably, connecting S3 with EC2 is one of the most common combinations in any deployment.


The benefits of using IAM roles to integrate S3 with EC2 are manifold. Firstly, they allow for granular control over permissions, ensuring that EC2 instances can only perform the specific actions on S3 buckets that are explicitly allowed. Moreover, they automate credential management, eliminating the need to manually rotate keys or embed them in code. Lastly, using IAM roles can improve the scalability and maintainability of AWS infrastructure by making it easier to manage permissions as your environment grows or changes.


Prerequisites

Before setting up an IAM role for S3 and EC2 integration, several prerequisites need to be in place:


  1. AWS Account Setup: You should have an active AWS account and be able to log in to the AWS Management Console. Having the necessary permissions to create and manage IAM roles, EC2 instances, and S3 buckets is also important.

  2. Existing EC2 Instances and S3 Buckets: You should have at least one EC2 instance and one S3 bucket in your AWS account. These will be used to demonstrate how the IAM role facilitates the interaction between these services.


Creating the IAM Role

Creating an IAM role involves several steps in the AWS Management Console. Here’s how you can create one specifically for allowing an EC2 instance to access an S3 bucket:


To begin, navigate to the IAM dashboard from the AWS Console. Once inside the dashboard, select “Roles” from the left sidebar.


AWS IAM Dashboard

Subsequently, you will be able to see all the existing roles for the current user. Depending on your account these roles might differ. Now click on the “Create role” button.


Creating IAM Role

In the “Trusted entity type” selection, choose “AWS service” since we are going to be using it for an AWS service. The IAM Role can also be used for other purposes shown here.


Selecting trusted entity

Following this, in “Use case,” select EC2 and click on “Next”. To keep this demonstration straightforward, I will focus only on the settings that directly involve the demonstration.


Selecting use cases

On the next screen, you will see all the pre-made policies for the IAM Role. Type “s3read” in the search bar and select the policy “AmazonS3ReadOnlyAccess,” which grants whatever assumes the role read access to S3. Leave “Set permissions boundary” unchanged and click on “Next”.


Adding permission policy

Now, enter a role name and a brief description.


Adding names

Finally, review everything and click on “Create role”.


Creating IAM Roles final step

This action will create the role.


Attaching the IAM Role to an EC2 Instance

After the IAM Role is created, it’s time to attach the role to an EC2 instance. Navigate to the EC2 instance dashboard, select the EC2 instance and, from the “Actions” dropdown menu, select “Security” and click on “Modify IAM Role”.


Attaching AWS IAM role to EC2 instance

Here, select the IAM Role we created and click on “Update IAM role”.


Attaching AWS IAM role to EC2 instance

Consequently, the EC2 instance now has all the permissions it needs to access the S3 bucket.
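The same role creation and attachment can be scripted with the AWS CLI. The script below is an added example and is not code from the original post or from Elite Cloud; the role name and instance id are placeholder assumptions. It prints the commands it would run and only calls the AWS CLI when DRY_RUN=0. One thing the console hides is that EC2 binds an instance profile, not the role itself, so the CLI flow has to create that profile explicitly.

```shell
#!/bin/sh
# Added example (not from the original post): AWS CLI equivalent of the console
# steps above. ROLE_NAME and INSTANCE_ID are placeholder assumptions; override
# them in the environment and set DRY_RUN=0 to actually run the commands.
ROLE_NAME="${ROLE_NAME:-ec2-s3-demo-role}"
INSTANCE_ID="${INSTANCE_ID:-i-0123456789abcdef0}"   # placeholder, not a real instance
DRY_RUN="${DRY_RUN:-1}"                              # 1 = only print the commands

# run: echo the command, and execute it only when DRY_RUN=0
run() {
  echo "+ $*"
  if [ "$DRY_RUN" = "0" ]; then
    "$@"
  fi
}

# Trust policy: this is what the console's "Trusted entity type: AWS service /
# Use case: EC2" choice produces. Only the EC2 service may assume the role.
trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "ec2.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# setup_role: create the role, attach AmazonS3ReadOnlyAccess, wrap the role in
# an instance profile (the console does this silently) and attach it to the
# instance, i.e. the console's "Actions > Security > Modify IAM role" step.
setup_role() {
  run aws iam create-role \
    --role-name "$ROLE_NAME" \
    --description "Read-only S3 access for EC2 (demo)" \
    --assume-role-policy-document "$(trust_policy)"
  run aws iam attach-role-policy \
    --role-name "$ROLE_NAME" \
    --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
  run aws iam create-instance-profile --instance-profile-name "$ROLE_NAME"
  run aws iam add-role-to-instance-profile \
    --instance-profile-name "$ROLE_NAME" --role-name "$ROLE_NAME"
  # IAM is eventually consistent; wait for the profile before EC2 can see it
  run aws iam wait instance-profile-exists --instance-profile-name "$ROLE_NAME"
  run aws ec2 associate-iam-instance-profile \
    --instance-id "$INSTANCE_ID" \
    --iam-instance-profile "Name=$ROLE_NAME"
}

setup_role
```

Once the profile is attached, the AWS CLI and SDKs on the instance pick up the role's temporary credentials from the instance metadata service with no configuration; running `aws sts get-caller-identity` on the instance should then report an assumed-role ARN containing the role name. If the association call fails right after the profile is created, wait a few seconds and retry, as the profile can take a moment to propagate to EC2.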


Accessing S3 buckets from EC2 instance

Now, let’s access S3 buckets from the EC2 instance. First, log in to your EC2 instance. If your instance is not running the Amazon Linux AMI, you may need to install the AWS CLI to access S3 buckets.


To verify that you have the AWS CLI installed, execute the command `aws --version`.


Accessing s3 bucket using AWS CLI

Once that’s confirmed, execute the `aws s3 ls` command. This command will list all the S3 buckets available in your account within the region.


Accessing s3 bucket using AWS CLI

We can confirm these buckets exist by viewing them in the S3 console.


Accessing S3 bucket from console

Additionally, let’s also see what’s inside the bucket using the `aws s3 ls s3://bucketname` command.


Accessing s3 bucket using AWS CLI

With the permissions we have, we can read the files and also copy them to our system. To copy a file, you can use the command `aws s3 cp s3://bucket/file .`.


Accessing s3 bucket using AWS CLI

If we try to upload something to the bucket, we get an access denied error, since the role only carries a read-only policy.


Accessing s3 bucket using AWS CLI

Subsequently, navigate to the IAM role we created, click on “Add permissions” and select “Attach policies”.


Attaching policy to EC2

Afterward, add the policy “AmazonS3FullAccess”, which grants our EC2 instance write access.


Attaching policy to EC2

Once done, run the copy command again. This time it will work without any issues.


Uploading files to S3 bucket from EC2 instance using IAM Role

That’s the benefit of using IAM roles: you can change the permissions at any time, attach the same role to multiple instances or AWS services, and easily delete the role when it is no longer needed.
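AmazonS3FullAccess grants `s3:*` on every bucket in the account, which is far more than the upload test above needs. The script below is an added example, not code from the original post or from Elite Cloud, showing the "granular control" the introduction promises: an inline policy scoped to a single bucket, attached to the role in place of the managed full-access policy. The role and bucket names are placeholder assumptions; the script prints the command unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not from the original post): replace the broad
# AmazonS3FullAccess managed policy with an inline policy limited to one bucket.
# ROLE_NAME and BUCKET are placeholder assumptions.
ROLE_NAME="${ROLE_NAME:-ec2-s3-demo-role}"
BUCKET="${BUCKET:-my-demo-bucket}"   # placeholder bucket name
DRY_RUN="${DRY_RUN:-1}"              # 1 = only print the command

# run: echo the command, and execute it only when DRY_RUN=0
run() {
  echo "+ $*"
  if [ "$DRY_RUN" = "0" ]; then
    "$@"
  fi
}

# bucket_rw_policy BUCKET: list, read and write objects in exactly one bucket.
# s3:ListBucket is evaluated against the bucket ARN, while the object actions
# are evaluated against the objects under it, hence the two statements.
bucket_rw_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListThisBucket",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::$1"
    },
    {
      "Sid": "ReadWriteObjects",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "arn:aws:s3:::$1/*"
    }
  ]
}
EOF
}

# grant_bucket_access BUCKET: the CLI counterpart of "Add permissions" on the
# role, but with the scoped document above instead of AmazonS3FullAccess.
grant_bucket_access() {
  run aws iam put-role-policy \
    --role-name "$ROLE_NAME" \
    --policy-name "s3-rw-$1" \
    --policy-document "$(bucket_rw_policy "$1")"
}

grant_bucket_access "$BUCKET"
```

With this policy in place, `aws s3 cp localfile s3://my-demo-bucket/` and `aws s3 ls s3://my-demo-bucket` succeed on the instance, while a bare `aws s3 ls` now fails because listing all buckets requires `s3:ListAllMyBuckets`, which the scoped policy deliberately does not grant. As in the article, the change takes effect on the running instance without restarting it or touching any credentials.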


How to detach and delete the IAM Role

Firstly, to detach the role, select Actions > Security > Modify IAM role again.


Detaching IAM Role

Then, choose “No IAM Role” and click on “Update IAM role.”


Detaching IAM Role

Proceed by entering “Detach” as a confirmation. This action will remove the access from the EC2 instance.


Testing IAM Role

Next, to delete the role, navigate to the IAM role you previously created and click on the “Delete” button.


Deleting IAM Role

Finally, confirm the deletion by clicking on “Delete” once more.


Deleting IAM Role

This will successfully delete this role.
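The detach and delete steps also have a CLI form, and the order matters: IAM refuses to delete a role that is still inside an instance profile or still has policies attached, so the script has to unwind the setup in reverse. This is an added example, not code from the original post or from Elite Cloud; the role name and instance id are placeholder assumptions, and with the default DRY_RUN=1 it only prints the commands.

```shell
#!/bin/sh
# Added example (not from the original post): CLI equivalent of the
# "Modify IAM role > No IAM Role" and "Delete" console steps above.
# ROLE_NAME and INSTANCE_ID are placeholder assumptions.
ROLE_NAME="${ROLE_NAME:-ec2-s3-demo-role}"
INSTANCE_ID="${INSTANCE_ID:-i-0123456789abcdef0}"   # placeholder, not a real instance
DRY_RUN="${DRY_RUN:-1}"                              # 1 = only print the commands

# run: echo the command, and execute it only when DRY_RUN=0
run() {
  echo "+ $*"
  if [ "$DRY_RUN" = "0" ]; then
    "$@"
  fi
}

# teardown_role: unwind the setup in reverse order. With DRY_RUN=0 the
# association id and the attached policy ARNs are looked up live; in dry-run
# mode constructed placeholders stand in for them.
teardown_role() {
  if [ "$DRY_RUN" = "0" ]; then
    assoc_id=$(aws ec2 describe-iam-instance-profile-associations \
      --filters "Name=instance-id,Values=$INSTANCE_ID" \
      --query 'IamInstanceProfileAssociations[0].AssociationId' --output text)
    policy_arns=$(aws iam list-attached-role-policies --role-name "$ROLE_NAME" \
      --query 'AttachedPolicies[].PolicyArn' --output text)
  else
    assoc_id="iip-assoc-PLACEHOLDER"
    policy_arns="arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess arn:aws:iam::aws:policy/AmazonS3FullAccess"
  fi
  # 1. Detach from the instance: the console's "No IAM Role" choice
  run aws ec2 disassociate-iam-instance-profile --association-id "$assoc_id"
  # 2. Empty and remove the instance profile that wraps the role
  run aws iam remove-role-from-instance-profile \
    --instance-profile-name "$ROLE_NAME" --role-name "$ROLE_NAME"
  run aws iam delete-instance-profile --instance-profile-name "$ROLE_NAME"
  # 3. Detach every managed policy (inline policies would need
  #    "aws iam delete-role-policy" in the same way), then delete the role
  for arn in $policy_arns; do
    run aws iam detach-role-policy --role-name "$ROLE_NAME" --policy-arn "$arn"
  done
  run aws iam delete-role --role-name "$ROLE_NAME"
}

teardown_role
```

Skipping any of the earlier steps makes `delete-role` fail with a DeleteConflict error, which is the same dependency the console resolves for you behind its confirmation dialog.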

