Setting up an IAM Role for Raspberry Pi (Boto3 - S3)

Hello, All.

I have a Raspberry Pi 4 that I would like to be able to read private .csv files from my S3 bucket using Boto3 & Python.

I've already written a Python script to do so; however, I'm unsure how to set up the credentials properly to allow the Pi to access the bucket, which currently has all public access blocked.

I do know that I should set up my access key, secret key and region as environment variables on the Pi, but I'm unsure how to get the keys properly. I bold properly because when I went to create access keys in the Security Credentials menu, I was warned that this is a bad practice to use root access credentials and that it would be better to create an IAM Role for my device. Additionally, after doing some research, I saw that it would also be bad practice to create a "User" for the Pi, as it doesn't need login credentials.

So it seems quite definitive that the best way forward is to create an IAM Role for my Pi. I just can't figure out how to do that for this particular use-case. One suggestion was to create a Role as an "AWS service" and then select EC2 as the service, but that doesn't seem right to me.

Any advice would be greatly appreciated.

Best, Joe

asked 2 months ago, 99 views
2 Answers
1

Creating an IAM role for a Raspberry Pi to access an S3 bucket is not a straightforward process, as IAM roles are typically designed for AWS services. However, you can achieve secure access to your S3 bucket using a combination of IAM user and policies. Here's a recommended approach:

  1. Create an IAM user specifically for your Raspberry Pi:
    • Go to the IAM console and create a new user.
    • Do not assign console access, only programmatic access.
  2. Create a custom IAM policy:
    • Define a policy that grants only the necessary permissions to access your specific S3 bucket.
    • Limit the actions to only what's required (e.g., s3:GetObject, s3:ListBucket).
  3. Attach the custom policy to the IAM user.
  4. Generate access keys for the IAM user:
    • In the IAM console, create access keys for this user.
    • Securely store these credentials.
  5. On your Raspberry Pi:
    • Set up environment variables for AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_DEFAULT_REGION.
    • Alternatively, use the AWS CLI to configure these credentials locally.
  6. Implement additional security measures:
    • Use encryption for your S3 objects.
    • Regularly rotate the access keys.
    • Monitor and audit the usage of these credentials.
  7. In your Python script:
    • Use boto3's default credential chain, which will automatically pick up the environment variables or local configuration.

This approach provides a balance between security and practicality for a Raspberry Pi scenario. While it's not using a role directly, it follows the principle of least privilege and avoids using root credentials.

Remember to keep your access keys secure and never commit them to version control systems. Regularly review and update your IAM policies and access keys to maintain security.

Sources
Upload files into a S3 since a external Server | AWS re:Post
vpc endpoint interface and S3 | AWS re:Post

answered 2 months ago
EXPERT
reviewed 2 months ago
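As an added example (not code from either answer), here is a least-privilege policy document for step 2 of the answer above, restricted to reading objects under one prefix, together with a reader that relies on boto3's default credential chain (step 7) rather than hard-coded keys. The bucket, prefix and object key names are assumptions.

```python
"""Least-privilege S3 read access for a device using long-term IAM user keys."""
import csv
import io
import json


def least_privilege_s3_policy(bucket: str, prefix: str = "") -> dict:
    """Return an IAM policy document allowing only s3:GetObject under `prefix`
    in `bucket` and s3:ListBucket limited to that prefix (names are assumed)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadObjectsUnderPrefix",
                "Effect": "Allow",
                "Action": ["s3:GetObject"],
                "Resource": f"arn:aws:s3:::{bucket}/{prefix}*",
            },
            {
                "Sid": "ListOnlyThatPrefix",
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringLike": {"s3:prefix": [f"{prefix}*"]}},
            },
        ],
    }


def read_csv_rows(s3_client, bucket: str, key: str) -> list:
    """Fetch one CSV object and return its rows as dicts. The client is injected
    so a caller passing boto3.client("s3") gets credentials from the default
    chain (AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY env vars or ~/.aws)."""
    body = s3_client.get_object(Bucket=bucket, Key=key)["Body"].read()
    return list(csv.DictReader(io.StringIO(body.decode("utf-8"))))


if __name__ == "__main__":
    import boto3  # no keys in code: boto3 resolves them from the environment

    # Assumed bucket and prefix; paste the printed JSON into the custom IAM policy.
    print(json.dumps(least_privilege_s3_policy("pi-data-bucket", "readings/"), indent=2))
    for row in read_csv_rows(boto3.client("s3"), "pi-data-bucket", "readings/today.csv"):
        print(row)
```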
0

Hello.

In your case, it fits the use case described in the following document, so I think it is fine to use the access key of an IAM user.
However, as stated in the documentation, if you use an IAM user, I recommend that you configure it to allow only the actions required for operations on S3.
https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#update-access-keys

Update access keys when needed for use cases that require long-term credentials

Also, when creating an IAM user there is a setting called "Enable console access". By disabling this setting it is possible to prevent the IAM user for Raspberry Pi from accessing the management console.
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html

Alternatively, you can use IAM Roles Anywhere to access AWS services using temporary credentials.
In this case, the access key for the IAM user is not required, so access can be implemented using an IAM role.
However, please be aware that authentication methods using ACM Private CA can be expensive.
If you use a certificate from your own private CA, you don't need to worry about the cost.
https://aws.amazon.com/jp/blogs/security/extend-aws-iam-roles-to-workloads-outside-of-aws-with-iam-roles-anywhere/

EXPERT
answered 2 months ago
