Configuring an EC2 role for IAM Role in AWS S3 Account

Overview

To access the S3 bucket using an Identity and Access Management (IAM) role in the AWS S3 account, you need to configure the EC2 instance and store it in the IAM role instead of the normal AWS authentication used to access the S3 bucket. 

The IAM role is valid only in Groundplex nodes hosted in the EC2 environment.

Using the IAM roles, you can delegate the required permissions as follows:

  • Create an IAM role in the AWS.

  • Define the accounts that can assume the role.

  • Specify the role when you launch your instance or attach the role to an existing instance.

Key Components

The four key components involved with the configuration of the IAM role in the AWS S3 Account are as follows:

  • IAM role

  • EC2 instance

  • AWS S3 Account

  • Policies

Prerequisites

EC2 instance with active and running JCC with the global property set as: jcc.jvm_options=-DIAM_CREDENTIAL_FOR_S3=TRUE

 

The JCC (Java Component Container) is a node on the Data Plane that handles Pipeline executions. To set the global property of the Snaplex click the Node Properties tab to configure the nodes associated with the Snaplex. Learn how to create a Snaplex in Manager.

Key Steps

Create an IAM role in the AWS

  1. Log in to the AWS console. Open the IAM console, navigate to Access Management > Roles, and click the Create role button.

  2. Select the AWS service as the Trusted entity type, and EC2 as the Use case and click Next.

  3. In Add permissions policies page, select all or desired policies that grant your instances access to the resources and then choose Next. A policy defines the AWS permissions you can assign to a user, group, or role. The permissions can be Custom-managed or AWS-managed and are created or edited in the visual editor and using JSON.

  4. Optionally, as appropriate add tags. Click Next: Tags to skip to the next screen.

  5. Specify a Role name and description. in the Name, review, and create page.

  6. Review the details and add a name for the role and click Create role.

     

This is an example of a Custom managed policy min_sl_required_s3_permission, which contains minimum actions for all AWS S3 Snaps for accessing the bucket test-bucket. You should be able to read and write files in the bucket that is created. Learn more about creating custom-managed policies using AWS Management Console, AWS CLI, or AWS API in IAM, Define custom IAM permissions with customer managed policies - AWS Identity and Access Management

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:GetObjectTagging",
"s3:ListBucket",
"s3:PutObjectTagging",
"s3:DeleteObject",
"s3:PutObjectAcl",
"s3:GetObjectVersion"
],
"Resource": [
"arn:aws:s3:::test-bucket/",
"arn:aws:s3:::test-bucket"
]
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource":" "
}
]
}

Attach an IAM Role to an Instance

To attach an IAM role to an instance which is either in a stopped or running state:

  1. Navigate to the EC2 web console, and select Instances. Choose the required instance.

  2. From the Actions dropdown menu, select Security > Modify IAM role.

  3. Select the IAM role created and click Update IAM role. You also have the option to create a new IAM role from the EC2 web console.

Cross-Account IAM Role

Cross-Account IAM Role enables a client from an AWS account to access the resources of another AWS account temporarily using the Binary Snaps that support reading from or writing into S3 buckets. This helps organizations or different teams in an organization to access each other's AWS accounts without compromising security by sharing AWS credentials. Learn more about configuring Cross-Account role: Configuring Cross Account IAM Role Support

{ "Version":2012-10-17 "Statement": { "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::783609457777:role/snap10512-s3-read-role" } ] }

Modify or Create Policies associated with the Role

  1. In your AWS console, click Policies and select the policy attached to the role from the list displayed.

  2. Click the JSON tab and enter the following policy in the editor and click Review Policy.

  3. Review the policy summary. Add a name and, optionally, a description for this policy, and select Create policy. The policy is created and can be assigned to the Cross-Account IAM role. 

    {     "Version": "2012-10-17",     "Statement": [         {             "Effect": "Allow",             "Action": "sts:AssumeRole",             "Resource": "<Role ARN>"         }     ] }

     

AWS S3 Account Configuration Scenarios

Scenario

IAM Policy and Account Details

Authenthication Keys and Fields

Scenario

IAM Policy and Account Details

Authenthication Keys and Fields

IAM role and EC2 instance are in the same account

  • IAM Policy attached to S3 Account

  • IAM Role attached to the EC2 instance

  • Access-key ID and Secret key fields are needed

  • Select IAM Role checkbox

IAM role is in another account

  • IAM Policy that assumes the IAM role account

  • Cross-Account Settings

  • Amazon Resource Name (ARN) of the IAM role

AWS S3 Account

You can use the AWS S3 account to connect the Binary Snaps with data sources that are in AWS S3 with valid permissions based on the Snap and intended operation.
For details on creating an AWS S3 Account and account-specific details along with troubleshooting details, refer to AWS S3 Account.


Related Content