How to give an AWS EC2 Instance permissions with IAM Roles and Hardcoded Keys
Hey there! I'm Imran, I am working with DevOps tools and technologies. I believe in learning in public, sharing my learnings and knowledge with everyone in the community and learning from everyone in the community.
We can give permissions to EC2 instances in two ways: with hardcoded keys, or with IAM roles.
Part 1: Permissions with Hardcoded Keys
- Go to the IAM Dashboard.
- Click on Users in the left navigation panel.
- Add a user and give it programmatic access.
- Click Next and select "Attach existing policies directly".
- Use the search box to find the AmazonS3FullAccess policy and tick its checkbox.
- Click Next: Tags, then review and create the user.
- Click Show and save the access key and secret key somewhere, or download the CSV file if you prefer.
- Launch an Amazon Linux EC2 instance.
- SSH into it.
- Let's say you want to work with Amazon S3 from this instance: make some buckets and list some buckets. You can use the AWS Command Line Interface; the Amazon Linux AMI has it installed already.
- Configure the AWS CLI.
- Enter the access key and secret access key you generated earlier.
- Enter the name of your region.
- Create an S3 bucket from the AWS CLI with a random name. If you have the proper permissions you will be able to both create and list S3 buckets.
- List your S3 buckets.
- You just used access keys to connect to S3 from EC2.
- View the credential file. Hardcoded credentials are insecure from a security perspective.
- Delete the file. This removes the credentials.
- Try to list the buckets now. You shouldn't be able to, because we cleared the access keys.
Part 2: Permissions with IAM Roles
- Go to the IAM Dashboard and click on Roles.
- Click Create Role and select EC2 as the service that will use this role.
- Click Next: Permissions, select the AmazonS3FullAccess policy and attach it to this role. Also select the AmazonEC2FullAccess policy for this role; we will reuse this role in the next lab.
- Click Next until you see the screen to enter the role name. Enter the name and description for the role, verify that the S3 and EC2 access policies are attached, and create the role.
- Go to the EC2 instances page. Select the EC2 instance, click Actions and Attach IAM Role. Attach the role we created in the previous step.
- Now go back to the EC2 instance.
- Enter the command to list S3 buckets. You should be able to now.
- (OPTIONAL) Remove the role we added a few steps back and try the S3 list command again. It shouldn't work.
*Now you know how to give access to S3 and other AWS services using access keys and roles. You also know that roles are safer because they use temporary credentials.*
How Roles work
Roles use temporary credentials that are rotated automatically (every 30 minutes or so) and are a lot safer than hardcoding keys: nothing long-lived is written to disk on the instance.
Type this command inside your EC2 instance to view the temporary credentials for the role attached to it:
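As an added example (not from the original post), here is a small POSIX shell script that fetches the attached role's temporary credentials from the EC2 Instance Metadata Service using IMDSv2 and prints only the key id and its expiry. It assumes curl is present on the instance; the credential document embedded as SAMPLE is constructed so the script also runs off EC2.

```shell
#!/bin/sh
# Added example, not from the original post: read the temporary credentials that an
# attached IAM role exposes through the EC2 Instance Metadata Service (IMDS), using
# IMDSv2 (session token required), and print only the key id and expiry. SAMPLE is a
# constructed credential document used when IMDS is not reachable (e.g. off EC2).
IMDS="http://169.254.169.254"
SAMPLE='{
  "Code" : "Success",
  "AccessKeyId" : "ASIAEXAMPLEKEYID000",
  "SecretAccessKey" : "constructed-not-a-real-secret",
  "Token" : "constructed-session-token",
  "Expiration" : "2024-01-01T06:00:00Z"
}'

# IMDSv2: obtain a session token first (valid one hour here). Requiring this PUT
# is what stops a stray GET from an unrelated HTTP client reading the credentials.
imds_token() {
  curl -sSf --connect-timeout 2 -X PUT "$IMDS/latest/api/token" \
       -H "X-aws-ec2-metadata-token-ttl-seconds: 3600"
}
# GET a metadata path with the session token attached; fails on HTTP errors (404).
imds_get() {
  curl -sSf --connect-timeout 2 -H "X-aws-ec2-metadata-token: $1" \
       "$IMDS/latest/meta-data/$2"
}
# Extract one string field from the flat credential JSON (no jq required).
json_field() {
  printf '%s\n' "$2" | sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}
# Print what an operator needs to see: which key is in use and when it expires.
summarise() {
  printf 'access key: %s\nexpires:    %s\n' \
    "$(json_field AccessKeyId "$1")" "$(json_field Expiration "$1")"
}
main() {
  if token=$(imds_token 2>/dev/null); then
    role=$(imds_get "$token" "iam/security-credentials/")
    [ -n "$role" ] || { echo "no IAM role attached to this instance" >&2; return 1; }
    echo "role: $role"
    summarise "$(imds_get "$token" "iam/security-credentials/$role")"
  else
    echo "IMDS not reachable; summarising the constructed SAMPLE instead" >&2
    summarise "$SAMPLE"
  fi
}
main "$@"
```

Contrast this with Part 1, where the access keys sit in a plain file on disk: these credentials are issued only to the instance itself and stop working at the Expiration timestamp. Setting the instance's metadata options to require IMDSv2 (`aws ec2 modify-instance-metadata-options --http-tokens required`) enforces the token step for every client on the instance.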
So this is the article/blog. I hope you find it informative and helpful. If you like it, please follow, like and share. I will keep writing informative blogs related to DevOps. Please give your feedback in the comments and check out my other articles as well. Thank you!