Question

My app is deployed via Elastic Beanstalk. It needs to access S3. I can do it locally with my own access key, but I don't want to store that anywhere when I deploy. Given that the instance is on Beanstalk, there must be an easier way to auth , perhaps with roles?

I have given full S3 permissions to the role used on the Beanstalk instance but I don't know how to set up the Session.

How can I replace this?:

session = boto3.session.Session(
aws_access_key_id=os.environ.get('AWS_ACCESS_KEY_ID'),
aws_secret_access_key=os.environ.get('AWS_SECRET_ACCESS_KEY')) client = session.client('s3') s3 = session.resource('s3') bucket = s3.Bucket(os.environ.get('S3_BUCKET')) 
# do stuff

Answer 1

The recommended way of managing credentials used to sign API requests to other AWS services is using IAM roles. When an IAM role is attached to an instance, it retrieves a temporary credentials from the instance metadata. These credentials are valid for a limited period of time, however SDK manages them transparently. So, instead of creating and distributing your AWS credentials to instance, you can delegate permissions using IAM role.

When creating the IAM role, in addition to access policies, you have to attach a trust policy (e.g what service can assume this role) as well.

Assume role policy

An assume role policy (also called as a trust policy) is a policy that grants an access to AWS service to use (assume) that particular role. So, if you are using EC2 instance, a trust policy could look like:

{
    "Action": "sts:AssumeRole",
    "Effect": "Allow",
    "Principal": {
        "Service": "ec2.amazonaws.com"
        }

}

Access policy

The access policy on another hand, grants an access to IAM role to specific AWS resources. So, for example the policy for full access to S3 service would look like

{
    "Version": "2012-10-17",
    "Statement": [
       {
        "Effect": "Allow",
        "Action": ["s3:*"],
        "Resource": ["*"]
       }
    ]
}

Once you have a role created and attached to particular instance, you can use SDK without supplying any credential or region to it and use it in your code like

s3 = boto3.resource('s3')
bucket = s3.Bucket(os.environ.get('S3_BUCKET'))