In this tutorial, I show how to connect to S3 buckets from an EC2 instance using IAM roles, which is very helpful if you want to avoid placing API keys on your server. Before we get started, let's discuss what an IAM role is.
An IAM role is an IAM identity that you can create in your account that has specific permissions. An IAM role is similar to an IAM user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS.
So an IAM role is attached to AWS services, and it can perform all the actions a normal IAM user can. The key difference is that it does not require a long-lived API key to execute those actions. If you create an IAM role and assign it to an AWS service such as EC2, Lambda or CloudWatch, that service can access the other services permitted by the role without any access key or secret ever being created.
Benefits of using IAM role over API key
Now let's discuss the benefits of using IAM roles over API keys. First of all, a role is much more secure than an API key, because API keys can be exposed by another developer on your team, and then you are at serious risk of malicious use of those keys. Anyone who holds the keys can make API calls from anywhere and run EC2 or RDS instances for their own purposes. You will probably notice that in your monthly bill, but by then it is already too late. IAM roles, on the other hand, are assigned to AWS services like EC2, RDS or Lambda, and there is no key to lose because a role has no long-lived API key; it receives short-lived temporary credentials that AWS rotates automatically.
Another problem with API keys is that if you rotate the secret for any reason, you must update it everywhere it is used, otherwise those callers stop working. This can make your application suddenly unusable because the new key was not updated somewhere for whatever reason. These are the main benefits of using IAM roles over API keys, and I always suggest using an IAM role to access AWS services rather than API keys.
An example of using IAM role
Earlier we discussed why IAM roles are preferable to API keys; now we will walk through an example where an IAM role is used to access S3 from EC2. To reproduce this example, follow the steps below.
1. Create a new EC2 instance using Amazon Linux, which has the AWS CLI pre-installed. I have an example of creating an EC2 instance from scratch which you can view here.
2. Create an IAM role for EC2 that gives it full access to S3. If you already know how to create an IAM role, skip to step 3; otherwise follow these sub-steps:
   - Go to the IAM section by clicking this link.
   - Go to the Roles section here.
   - Click the 'Create Role' button to create a new role.
   - Choose the EC2 service from the service list (screenshot attached).
   - Click Next and choose the pre-configured policy "AmazonS3FullAccess" (screenshot attached). Note that this managed policy grants read and write access to every bucket in the account; for anything beyond a test instance, prefer a policy scoped to the buckets the instance actually needs.
   - Click Next to add tags. This is optional and you can skip it if you want.
   - The next screen is where you give the role a name. I suggest a meaningful name like "EC2RoleS3" so that later on you can easily identify what the role was for.
   - Lastly, click the "Create role" button to create the IAM role.
3. Assign that role to the instance. Go to the EC2 dashboard, then to Instances. Select the instance, click Actions, choose 'Instance settings' and then 'Modify IAM role' (screenshot attached).
4. You will see a list of roles available for EC2; choose the one you just created.
5. Connect to the instance via PuTTY or a terminal.
6. Using the AWS CLI, run "aws s3 ls", which lists all the buckets in S3.
7. That's it: you have created an IAM role, assigned it to an EC2 instance and run the AWS CLI to make API calls using that role.
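A check to run after the last step, as an added example that is not part of the original post: it reads the attached profile name through IMDSv2 and then confirms that the CLI really runs as that role rather than as leftover static keys in the environment or in ~/.aws/credentials. It assumes the role name EC2RoleS3 from the tutorial; the ARNs in the comments are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the tutorial's role
# name "EC2RoleS3" and, for the live part, an instance that can reach IMDSv2.

# Pure helper: return 0 only if a caller ARN (as printed by
# `aws sts get-caller-identity`) is a session of the expected role.
# Constructed sample session ARN: arn:aws:sts::123456789012:assumed-role/EC2RoleS3/i-0abc123def456
# A static user key would instead show as arn:aws:iam::123456789012:user/alice
caller_uses_role() {
  case "$1" in
    arn:aws:sts::*:assumed-role/"$2"/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Extract the role name from an assumed-role ARN (fails on anything else).
role_name_from_arn() {
  case "$1" in
    arn:aws:sts::*:assumed-role/*/*)
      name=${1#*:assumed-role/}
      printf '%s\n' "${name%%/*}" ;;
    *) return 1 ;;
  esac
}

# Live check to run on the instance: sh check_role.sh --live [RoleName]
verify_instance_role() {
  expected="$1"
  # IMDSv2: obtain a short-lived token, then read the attached profile name.
  token=$(curl -sS -X PUT "http://169.254.169.254/latest/api/token" \
            -H "X-aws-ec2-metadata-token-ttl-seconds: 60")
  profile=$(curl -sSf -H "X-aws-ec2-metadata-token: $token" \
            "http://169.254.169.254/latest/meta-data/iam/security-credentials/" 2>/dev/null || true)
  echo "instance profile role: ${profile:-<none attached>}"
  # The CLI picks up the role's temporary credentials by itself; make sure
  # nothing else (AWS_ACCESS_KEY_ID, ~/.aws/credentials) is overriding them.
  arn=$(aws sts get-caller-identity --query Arn --output text)
  if caller_uses_role "$arn" "$expected"; then
    echo "OK: API calls run as role $expected ($arn)"
    aws s3 ls
  else
    echo "WARNING: calls run as $arn, not as role $expected" >&2
    echo "check AWS_ACCESS_KEY_ID / ~/.aws/credentials for leftover keys" >&2
    return 1
  fi
}
if [ "${1:-}" = "--live" ]; then
  verify_instance_role "${2:-EC2RoleS3}"
fi
```

Without --live the script only defines the helpers, so it can be sourced or tested off the instance; on the instance, a WARNING means some static credential is shadowing the role and should be removed.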
We have discussed what an IAM role is and the benefits of using an IAM role instead of API keys. In short, an IAM role is a much more secure way to make API calls than API keys, so whenever you have the opportunity to use an IAM role, you should, to keep your application secure.
Lastly, I have just recorded a video tutorial of what I described here, which may help you try this example yourself.