I'm trying to provision my EC2 instances in Elastic Beanstalk with some ssh keys from a private S3 bucket. Here's a snippet of my .ebextensions/.config:
    files:
      "/root/.ssh/id_rsa":
        mode: "000400"
        owner: root
        group: root
        source: https://s3-us-west-2.amazonaws.com/<bucket>/<app>_id_rsa
Unfortunately, I'm getting a 403 response from S3. Is there a way to grant access to the EC2 instances using a Security Group? I can't grant each instance access individually as I won't know their IPs before they are scaled. Is there some other way to grant just this Elastic Beanstalk app access? I'm having trouble coming up with a good S3 Bucket Policy...
You can set up an IAM Role for S3 access and assign the IAM Role to EC2.
IAM Roles for Amazon EC2
According to the Amazon documentation, you need to use a resource key to add authentication in order to download a private file from an S3 bucket. Here is an example from their website:
    Resources:
      AWSEBAutoScalingGroup:
        Metadata:
          AWS::CloudFormation::Authentication:
            **S3Auth:**
              type: "s3"
              buckets: ["**elasticbeanstalk-us-west-2-123456789012**"]
              roleName:
                "Fn::GetOptionSetting":
                  Namespace: "aws:autoscaling:launchconfiguration"
                  OptionName: "IamInstanceProfile"
                  DefaultValue: "***aws-elasticbeanstalk-ec2-role***"
    files:
      "**/tmp/data.json**":
        mode: "000755"
        owner: root
        group: root
        authentication: "**S3Auth**"
        source: **https://s3-us-west-2.amazonaws.com/elasticbeanstalk-us-west-2-123456789012/data.json**
All the text in bold needs to be replaced with custom content unique to your own environment, except aws-elasticbeanstalk-ec2-role, which is the IAM role created by default for the environment; you can replace it with another IAM role. Once the authentication resource has been defined, you can reuse it for as many files as you want. You can get more information here: http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/customize-containers-ec2.html#linux-files
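The pattern above has two halves that both have to be right before cfn-init can fetch the file: the `files` entry must name an `AWS::CloudFormation::Authentication` resource whose `buckets` list contains the bucket, and the instance role named there must be allowed `s3:GetObject` on the object. The following is an added example, not code from the question or from either answer: it takes an .ebextensions config already parsed into a dict, flags the pitfalls visible on this page (a misspelled `files` key, an S3 `source` with no `authentication`, a bucket missing from the auth resource, a private key deployed with a group- or world-readable mode), and emits the narrowest IAM policy the role needs for that one object, which is what you would attach instead of a broad full-access grant. The bucket, key and role names are constructed placeholders.

```python
"""Added example (not from the original post): lint an .ebextensions `files`
entry that pulls from a private S3 bucket, and build the least-privilege IAM
policy the instance role needs for it. All bucket/key names are constructed."""
import json
import re

# Keys Elastic Beanstalk documents for a `files` entry.
ALLOWED_FILE_KEYS = {"mode", "owner", "group", "source", "content",
                     "encoding", "authentication"}

# Path-style S3 URL: https://s3-<region>.amazonaws.com/<bucket>/<key>
S3_URL = re.compile(
    r"^https://s3(?:[-.][a-z0-9-]+)?\.amazonaws\.com/(?P<bucket>[^/]+)/(?P<key>.+)$")


def parse_s3_url(url):
    """Return (bucket, key) for a path-style S3 URL, or None if it is not one."""
    m = S3_URL.match(url)
    return (m.group("bucket"), m.group("key")) if m else None


def read_only_policy(bucket, key):
    """IAM policy document granting GetObject on exactly one object.
    Attach this to the instance role instead of AmazonS3FullAccess."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/{key}",
        }],
    }


def check_file_entry(path, entry, auth_resources):
    """Return a list of human-readable problems with one `files` entry."""
    problems = []
    for k in entry:
        if k not in ALLOWED_FILE_KEYS:
            problems.append(f"{path}: unknown key '{k}' (typo?)")

    src = entry.get("source")
    s3 = parse_s3_url(src) if src else None
    if s3:
        bucket, _ = s3
        auth = entry.get("authentication")
        if not auth:
            problems.append(f"{path}: S3 source without 'authentication' "
                            "(a private bucket will answer 403)")
        elif auth not in auth_resources:
            problems.append(f"{path}: authentication '{auth}' is not defined "
                            "under AWS::CloudFormation::Authentication")
        elif bucket not in auth_resources[auth].get("buckets", []):
            problems.append(f"{path}: bucket '{bucket}' is not listed in "
                            f"authentication '{auth}'")

    # A private key must not be readable by group or others.
    mode = entry.get("mode", "")
    if "/.ssh/" in path or path.endswith(("id_rsa", "id_ed25519")):
        if not mode or int(mode, 8) & 0o077:
            problems.append(f"{path}: private key mode '{mode}' is group/world "
                            "accessible; use 000400")
    return problems


def lint_config(config):
    """Lint every `files` entry of a parsed .ebextensions config (a dict)."""
    auth_resources = {}
    for res in config.get("Resources", {}).values():
        auth_resources.update(
            res.get("Metadata", {}).get("AWS::CloudFormation::Authentication", {}))
    problems = []
    for path, entry in config.get("files", {}).items():
        problems += check_file_entry(path, entry, auth_resources)
    return problems


# Constructed: the entry as posted in the question (misspelled key, no auth).
QUESTION_CONFIG = {
    "files": {
        "/root/.ssh/id_rsa": {
            "mode": "000400", "ownder": "root", "group": "root",
            "source": "https://s3-us-west-2.amazonaws.com/example-bucket/example-app_id_rsa",
        }
    }
}

# Constructed: the same entry wired to an S3Auth resource, as in the answer.
FIXED_CONFIG = {
    "Resources": {"AWSEBAutoScalingGroup": {"Metadata": {
        "AWS::CloudFormation::Authentication": {
            "S3Auth": {"type": "s3", "buckets": ["example-bucket"],
                       "roleName": "aws-elasticbeanstalk-ec2-role"}}}}},
    "files": {
        "/root/.ssh/id_rsa": {
            "mode": "000400", "owner": "root", "group": "root",
            "authentication": "S3Auth",
            "source": "https://s3-us-west-2.amazonaws.com/example-bucket/example-app_id_rsa",
        }
    },
}

if __name__ == "__main__":
    for name, cfg in (("question", QUESTION_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, lint_config(cfg) or "ok")
    bucket, key = parse_s3_url(FIXED_CONFIG["files"]["/root/.ssh/id_rsa"]["source"])
    print(json.dumps(read_only_policy(bucket, key), indent=2))
```

Running it reports two problems for the question's entry (the `ownder` key and the missing `authentication`) and none for the fixed one, then prints the single-object policy. Note that the policy only grants read on that key; if the role also needs to list the bucket, add `s3:ListBucket` on the bucket ARN separately rather than widening the object grant.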
First, click on the tab below,
then click on the added role,
and add the AmazonS3FullAccess access policy.
In my case I tried creating a new EC2 role that would include an access policy for S3, but could not get it working, as it seems that by default this role does not get attached to EC2 instances? I played around with VPC S3 bucket roles, but that only messed up the bucket and locked me out. The proper solution was to add the S3 access policy to the already existing Elastic Beanstalk role:
aws-elasticbeanstalk-ec2-role
that @chaseadamsio and @tom mentioned; thank you for that.