10

I'm trying to provision my EC2 instances in Elastic Beanstalk with some ssh keys from a private S3 bucket. Here's a snippet of my .ebextensions/.config:

files:
  "/root/.ssh/id_rsa" :
    mode: "000400"
    owner: root
    group: root
    source: https://s3-us-west-2.amazonaws.com/<bucket>/<app>_id_rsa

Unfortunately, I'm getting a 403 response from S3. Is there a way to grant access to the EC2 instances using a Security Group? I can't grant each instance access individually as I won't know their IPs before they are scaled. Is there some other way to grant just this Elastic Beanstalk app access? I'm having trouble coming up with a good S3 Bucket Policy...

jamstooks

4 Answers

17

You can set up an IAM Role for S3 access and assign the IAM Role to EC2.

IAM Roles for Amazon EC2

study
  • Just to add some extra clarity: there should already be an IAM Role for `aws-elasticbeanstalk-ec2-role` to which you can attach a new policy for your S3 bucket access within the IAM web console. That being said, I've found it to be more prudent to create new roles for different environments. – chaseadamsio Feb 11 '15 at 12:10
  • I was misled by several other contributions for this problem as well, namely trying to muck around with the "Bucket Policy". It turns out you have to add the `AmazonS3FullAccess` policy to the `aws-elasticbeanstalk-ec2-role`. – tom Sep 07 '17 at 02:14
  • @tom exactly what I needed – Louis Sep 27 '19 at 12:41
  • @tom thanks Tom, you should convert this to an answer. Really helpful. – Trevor Wood Aug 05 '20 at 21:35
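The comments above attach `AmazonS3FullAccess` to `aws-elasticbeanstalk-ec2-role`, which grants every S3 action on every bucket in the account. The following is an added example (not from any answer on this page) that builds a scoped read-only policy for the one object the `.ebextensions` file fetches and uses a small, simplified local evaluator to show what each policy permits; the bucket and key names are constructed placeholders.

```python
"""Least-privilege alternative to AmazonS3FullAccess for the Elastic Beanstalk
instance role, with a tiny local evaluator to show what each policy permits.
Bucket and key names are constructed placeholders, not values from a real account."""
from fnmatch import fnmatchcase

BUCKET = "example-private-bucket"   # constructed placeholder
KEY = "myapp_id_rsa"                # constructed placeholder

# Equivalent in effect to the AmazonS3FullAccess managed policy: all S3 actions, all buckets.
FULL_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}


def scoped_read_policy(bucket: str, key: str) -> dict:
    """Allow only GetObject on the single object the .ebextensions 'files' entry needs."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{bucket}/{key}",
    }]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any matching Allow.
    Only Action/Resource wildcards are modelled (no Condition, NotAction, Principal)."""
    allowed = False
    for stmt in policy["Statement"]:
        hit = (any(fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
               and any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])))
        if hit and stmt["Effect"] == "Deny":
            return False
        allowed = allowed or (hit and stmt["Effect"] == "Allow")
    return allowed


if __name__ == "__main__":
    own = f"arn:aws:s3:::{BUCKET}/{KEY}"
    other = "arn:aws:s3:::some-other-bucket/secret.txt"
    for name, pol in (("full access", FULL_ACCESS), ("scoped", scoped_read_policy(BUCKET, KEY))):
        print(f"{name}: GetObject own key={is_allowed(pol, 's3:GetObject', own)}, "
              f"DeleteObject other bucket={is_allowed(pol, 's3:DeleteObject', other)}")
```

Attach the scoped document as an inline policy on the instance role (or on a dedicated role per environment, as chaseadamsio suggests) instead of the managed full-access policy; the `S3Auth` resource from the answer below then works with just this permission.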
2

According to the Amazon documentation, you need to use a resource key to add authentication in order to download a private file from an S3 bucket. Here is an example from their website:

Resources:
      AWSEBAutoScalingGroup:
        Metadata:
          AWS::CloudFormation::Authentication:
            **S3Auth:**
              type: "s3"
              buckets: ["**elasticbeanstalk-us-west-2-123456789012**"]
              roleName:
                "Fn::GetOptionSetting":
                  Namespace: "aws:autoscaling:launchconfiguration"
                  OptionName: "IamInstanceProfile"
                  DefaultValue: "***aws-elasticbeanstalk-ec2-role***"

files:
  "**/tmp/data.json**" :
    mode: "000755"
    owner: root
    group: root
    authentication: "**S3Auth**"
    source: **https://s3-us-west-2.amazonaws.com/elasticbeanstalk-us-west-2-123456789012/data.json**

All the text in bold needs to be replaced with custom content unique to your own environment, except aws-elasticbeanstalk-ec2-role, which is the IAM role created by default for the environment; you can replace it with another IAM role. Once the resource has been defined, you can reuse it on as many files as you like. You can get more information here: http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/customize-containers-ec2.html#linux-files

2

First click on the tab below:

[screenshot]

then click on the added role:

[screenshot]

and add the AmazonS3FullAccess access policy:

[screenshot]

Ahmet Şimşek
1

In my case I tried creating a new EC2 role that would include an access policy for S3, but could not get it working, as it seems by default this role does not get attached to EC2 instances? I played around with VPC S3 bucket roles, but that only messed up the bucket and locked me out. The proper solution was to add the S3 access policy to the already existing Elastic Beanstalk role:

aws-elasticbeanstalk-ec2-role

that @chaseadamsio and @tom mentioned, thank you for that.

Maksim Luzik