How to authenticate session in application running on Beanstalk with boto3

+1 vote

My app is deployed via Elastic Beanstalk. It needs to access S3. I can do it locally with my own access key, but I don't want to store that anywhere when I deploy. Given that the instance is on Beanstalk, there must be an easier way to auth, perhaps with roles?

I have given full S3 permissions to the role used on the Beanstalk instance but I don't know how to set up the Session.

How can I replace this?:

import os
import boto3

# Session built from static keys in the environment (what I want to get rid of)
session = boto3.session.Session(
    aws_access_key_id=os.environ.get('AWS_ACCESS_KEY_ID'),
    aws_secret_access_key=os.environ.get('AWS_SECRET_ACCESS_KEY'))
client = session.client('s3')
s3 = session.resource('s3')
bucket = s3.Bucket(os.environ.get('S3_BUCKET'))
# do stuff
Aug 28, 2018 in AWS by bug_seeker
• 15,350 points
67 views

1 answer to this question.

0 votes

The recommended way of managing credentials used to sign API requests to other AWS services is using IAM roles. When an IAM role is attached to an instance, it retrieves temporary credentials from the instance metadata. These credentials are valid for a limited period of time; however, the SDK manages them transparently. So, instead of creating and distributing your AWS credentials to the instance, you can delegate permissions using an IAM role.

When creating the IAM role, in addition to access policies, you have to attach a trust policy (i.e. which service can assume this role) as well.

Assume role policy

An assume role policy (also called a trust policy) is a policy that grants an AWS service access to use (assume) that particular role. So, if you are using an EC2 instance, a trust policy could look like:

{
    "Version": "2012-10-17",
    "Statement": [
       {
        "Action": "sts:AssumeRole",
        "Effect": "Allow",
        "Principal": {
            "Service": "ec2.amazonaws.com"
        }
       }
    ]
}

Access policy

The access policy, on the other hand, grants the IAM role access to specific AWS resources. So, for example, the policy for full access to the S3 service would look like:

{
    "Version": "2012-10-17",
    "Statement": [
       {
        "Effect": "Allow",
        "Action": ["s3:*"],
        "Resource": ["*"]
       }
    ]
}

Once you have a role created and attached to a particular instance, you can use the SDK without supplying any credentials or region to it and use it in your code like:

import os
import boto3

# No keys passed: boto3's default credential chain picks up the instance role
s3 = boto3.resource('s3')
bucket = s3.Bucket(os.environ.get('S3_BUCKET'))

answered Aug 28, 2018 by Priyaj
• 56,520 points
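As an added example (not code from the question or the answer above), the following builds the two policy documents the answer describes, but narrows the access policy from `s3:*` on `*` to a single bucket, and adds an STS check so you can confirm on the instance that the calling identity is the role rather than a leftover user key. The bucket name and the lazily imported boto3 calls are assumptions; the policy helpers run without boto3 installed.

```python
import json
import os

POLICY_VERSION = "2012-10-17"


def trust_policy() -> dict:
    """Complete trust (assume-role) document letting EC2 assume the role."""
    return {
        "Version": POLICY_VERSION,
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def bucket_access_policy(bucket: str) -> dict:
    """Least-privilege access policy: list one bucket, read/write its objects only."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": POLICY_VERSION,
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": [bucket_arn]},
            {"Effect": "Allow",
             "Action": ["s3:GetObject", "s3:PutObject"],
             "Resource": [f"{bucket_arn}/*"]},
        ],
    }


def s3_bucket_from_instance_role(bucket_name: str):
    """No keys in code: the default credential chain uses the instance profile."""
    import boto3  # imported lazily so the policy helpers work without boto3 installed
    return boto3.resource("s3").Bucket(bucket_name)


def caller_identity_arn() -> str:
    """On the instance, this should show the role session, not an IAM user key."""
    import boto3  # assumption: boto3 available on the Beanstalk instance
    return boto3.client("sts").get_caller_identity()["Arn"]


if __name__ == "__main__":
    # "example-bucket" is a constructed placeholder; S3_BUCKET is set on the instance
    name = os.environ.get("S3_BUCKET", "example-bucket")
    print(json.dumps(trust_policy(), indent=2))
    print(json.dumps(bucket_access_policy(name), indent=2))
```

On the instance, `caller_identity_arn()` returning an `assumed-role` ARN confirms the role is in use.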
