1 parent 508839e, commit 4e6bed1. Showing 3 changed files with 39 additions and 0 deletions.
@@ -1,3 +1,38 @@ | ||
Enable S3 access from EC2 by IAM role | ||
===================================== | ||
|
||
I've promised you :ref:`in the beginner tutorial <mention-ec2-iam-label>` that you can skip ``aws configure`` before using AWSCLI on EC2. Here is how. | ||
|
||
What is Identity and Access Management (IAM) | ||
-------------------------------------------- | ||
|
||
`Identity and Access Management (IAM) <https://aws.amazon.com/iam/>`_ is a very powerful ultility to **control the permissions** of your AWS resources. More specifically, a "permission" is: | ||
|
||
**X is allowed to use Y** | ||
|
||
"Y" is generally some AWS resources, like EC2 or S3. In the most common case, "X" can is a specific user. You can create multiple **users** under a single AWS **account** (an "account" is tied to a single credit card); each user can have its unique ID, password, and permissions. This is useful for managing a research group, but not quite useful if you are the only user. | ||
|
||
The :ref:`Researcher’s Handbook <researcher-handbook-label>` has very detailed instructions on how to set multiple users (called "IAM users"), so I will not repeat it here. You, the account owner, are also encouraged to create an IAM user for yourself, instead of using the root AWS account to log in (as you've been doing till now). This is again for security reasons. An IAM user will never have access to the billing information and your credit card number, even if that user has the most powerful "AdministratorAccess" which is almost equivalent to root access. | ||
|
||
.. note:: | ||
Yes, there are just so many "security best practices" on AWS (Key Pairs, security groups, IAM users...), and their benefits are not intuitive to researchers who really just want to get the computing done and publish papers. But please do check out those security stuff when you have time. | ||
|
||
To further complicate things, **"X" doesn't have to be a human user, but can also be a AWS resource**. This is what we want to do here -- grant S3 access to our EC2 instances, i.e. | ||
|
||
| **"X" = our EC2 instances** | ||
| **"Y" = S3 buckets** | ||
"Y" can also be more detailed as "read-only access to S3" (so, no write access) or even "read-only access to a specific S3 bucket" (so, no access to other buckets). All those possible combinations make the IAM console kind of daunting for beginners. Fortunately, here we only need to enable a simple permission rule, which it is very easy to do. | ||
|
||
Grant S3 permission to EC2 | ||
-------------------------- | ||
|
||
|
||
Create a new IAM role | ||
^^^^^^^^^^^^^^^^^^^^^ | ||
|
||
|
||
|
||
Assign that role to EC2 | ||
^^^^^^^^^^^^^^^^^^^^^^^ | ||
|
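Review bot: the sentence in the Researcher's Handbook paragraph, "An IAM user will never have access to the billing information and your credit card number, even if that user has the most powerful "AdministratorAccess"", is too strong and should be rephrased. Billing and payment-method pages are hidden from IAM users only while the root user leaves "IAM user and role access to Billing information" deactivated in the account settings; once the root user activates it, a user with AdministratorAccess can view them. Saying that billing access is off for IAM users by default and must be explicitly activated by the root user keeps the point accurate and still supports the advice to stop logging in as root. Second, the "Create a new IAM role" and "Assign that role to EC2" subsections are added as headings with empty bodies, so the hunk never states what a reader must get right: the role's trust policy has to name ec2.amazonaws.com as the principal (choosing the EC2 use case in the console does this), the attached permission should be the narrow one the earlier paragraph already describes (the managed policy AmazonS3ReadOnlyAccess, or a policy scoped to one bucket, rather than AmazonS3FullAccess), and the role reaches the instance through an instance profile, either at launch or attached to a running instance from the EC2 console. A closing check would tie it back to the opening promise: running `aws sts get-caller-identity` on the instance returns the role's ARN with no `aws configure` step. Third, minor wording: "ultility" should be "utility", ""X" can is a specific user" should be ""X" is a specific user", "a AWS resource" should be "an AWS resource", "which it is very easy to do" should be "which is very easy to do", and "an "account" is tied to a single credit card" is better stated as "tied to a single payment method", since an account need not be paid by card.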