Hi Abishek,
First I would say that using the root account for administrative purposes is not recommended. We recommend creating an admin user and then locking the root account credentials in a safe place. Read this documentation here for that purpose https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials
That said, I understand what you are trying to do is to allow an EC2 instance to access an S3 bucket in a secure manner. The steps to do this would be:
- Create an IAM Role with the required AWS S3 permissions (AmazonS3FullAccess grants access to ALL S3 buckets, so make sure that's what you intend, otherwise create a policy with more restrictive permissions).
- Go to EC2 service and attach the created role to the instance
- Test that you can access the buckets from that instance using either the AWS CLI or another product.
This will distribute credentials in a secure manner to the instance.
Hope this helps!
As mentioned above the best way to have a process on an EC2 instance access another service like S3 is to use the Instance Profile (Role) feature. Then the EC2 service makes the call to the STS service on your behalf and the CLI and SDKs know where to access the temporary credentials.
However, if you want an IAM user to assume a role on the EC2 instance, you do not need to attach the Instance Profile (Role) to the instance. You will need to install the IAM User's credentials on the instance using aws configure. Then you can issue the aws sts assume-role call and get back temporary credentials for the role. Then you can set environment variables with these values or install them in the ~/.aws/credentials file with the aws configure --profile my-role command.
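As an added example (not from the answer above and not AWS's own code), a POSIX shell script that turns the JSON returned by aws sts assume-role into either environment variables or a named profile in the credentials file, using a constructed sample response in place of a live STS call. The role ARN, profile name and every credential value are placeholders.

```shell
#!/bin/sh
# In real use the JSON would come from (role ARN is a placeholder):
#   aws sts assume-role --role-arn arn:aws:iam::123456789012:role/s3-only-role \
#       --role-session-name s3-session
# Constructed sample of that response; every value below is fake.
SAMPLE_STS_JSON='{
  "Credentials": {
    "AccessKeyId": "ASIAXXXXXXXXEXAMPLE",
    "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "SessionToken": "FwoGZXIvYXdzEXAMPLESESSIONTOKEN",
    "Expiration": "2030-01-01T01:00:00+00:00"
  },
  "AssumedRoleUser": {
    "AssumedRoleId": "AROAEXAMPLEID:s3-session",
    "Arn": "arn:aws:sts::123456789012:assumed-role/s3-only-role/s3-session"
  }
}'

# Pull one string field out of the STS JSON with POSIX tools only (no jq needed).
# $1 = JSON text, $2 = field name.
sts_field() {
  printf '%s\n' "$1" | sed -n "s/.*\"$2\": *\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Print the export lines that hand the temporary credentials to the current shell.
# Usage: eval "$(sts_to_env "$json")"
sts_to_env() {
  printf 'export AWS_ACCESS_KEY_ID=%s\n'     "$(sts_field "$1" AccessKeyId)"
  printf 'export AWS_SECRET_ACCESS_KEY=%s\n' "$(sts_field "$1" SecretAccessKey)"
  printf 'export AWS_SESSION_TOKEN=%s\n'     "$(sts_field "$1" SessionToken)"
}

# Append the same three values as a named profile to a credentials file, in the
# INI layout that `aws configure set --profile <name>` writes. Fails (returns 1)
# instead of writing a half-empty profile if any field is missing.
# $1 = JSON text, $2 = profile name, $3 = credentials file path.
sts_to_profile() {
  key=$(sts_field "$1" AccessKeyId)
  secret=$(sts_field "$1" SecretAccessKey)
  token=$(sts_field "$1" SessionToken)
  [ -n "$key" ] && [ -n "$secret" ] && [ -n "$token" ] || return 1
  printf '[%s]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n' \
    "$2" "$key" "$secret" "$token" >> "$3"
}
```

The session token expires at the Expiration time in the response, so the profile has to be refreshed by running assume-role again; the IAM user's long-term keys stay in the default profile as described above.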
Thanks a lot for your response!! This would work. I have another question... Suppose there is an IAM user with EC2 and S3 Full access and then I create a role with S3Full access only. Also, in trusted relationship, I have defined the principal similar to arn:aws:iam::123456789012:user/username. So what would happen in this case? Will the user ONLY be able to access S3 OR be able to access both? If both, then why, as there is a role defined for the user to access S3 only? Thanks in advance!!
Regards, Abhishek
You can only be one principal at a time. If the API call is signed with the User credentials, then the policies enforced for that user are evaluated for authorization. If you sign the API call with the role credentials, the policies enforced for that role are evaluated for authorization.
Thanks a lot for your response.
However, I want to try this scenario with help of Security Token Service. Is this possible?
Thanks, Abhishek