The Ops Community

Denys Bochko

Mount S3 bucket to EC2 with IAM policy - step by step

I had to go through that process recently and I wanted to share what I had to do to accomplish that.

Prerequisite: a running EC2 instance and an S3 bucket that has already been created.

Install s3fs (S3 file system)

Update the system

sudo yum update

Install dependencies

sudo yum install automake fuse \
fuse-devel gcc-c++ git libcurl-devel \
libxml2-devel make openssl-devel

Download s3fs code from the source

git clone https://github.com/s3fs-fuse/s3fs-fuse.git

Install it

cd s3fs-fuse
./autogen.sh
./configure --prefix=/usr --with-openssl
make
sudo make install

Make sure it is installed properly

which s3fs

This prints the path of the installed s3fs binary.

IAM policy and role

We need to create a policy that gives access to that S3 bucket, then attach that policy to a role that will be assigned to our EC2 instance.

Create an IAM policy

This is the JSON of the policy. You can modify it to your needs; this particular policy only allows listing the bucket and reading, writing and deleting objects in it. Note that the object actions apply to the `<bucket>/*` ARN while `s3:ListBucket` applies to the bucket ARN itself, which is why both resources are listed.


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::<your_bucket_here>/*",
                "arn:aws:s3:::<your_bucket_here>"
            ]
        }
    ]
}

Save the policy.
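To make the scoping above reproducible and checkable, here is an added example (not code from the original post): it builds the same policy document for a given bucket name, carries the standard EC2 trust policy that the console's "AWS service / EC2" use case attaches to the role, and lints a policy for the mistakes that most often widen it (wildcard actions or resources, object actions without the `bucket/*` ARN, `s3:ListBucket` without the bare bucket ARN, or actions an s3fs mount does not need). The function names are this example's own.

```python
"""Build and lint the least-privilege S3 policy used for the s3fs mount.

Added example; this is not code from the original post. `build_bucket_policy`
emits the same document shown above (same four actions, same two ARNs) for a
given bucket name, `EC2_TRUST_POLICY` is the standard trust policy the console
attaches when you pick the "AWS service / EC2" use case, and `lint_policy`
checks a policy for the scoping mistakes that most often creep in.
"""
import re
from typing import Dict, List

# S3 bucket naming rules: 3-63 chars, lowercase letters, digits, dots and hyphens.
_BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")

# Object-level actions need the "bucket/*" ARN; ListBucket needs the bucket ARN itself.
OBJECT_ACTIONS = {"s3:PutObject", "s3:GetObject", "s3:DeleteObject"}
BUCKET_ACTIONS = {"s3:ListBucket"}
_ARN_PREFIX = "arn:aws:s3:::"


def build_bucket_policy(bucket: str) -> Dict:
    """Return the read/write/delete/list policy from the post, scoped to `bucket`."""
    if not _BUCKET_RE.match(bucket):
        raise ValueError(f"invalid S3 bucket name: {bucket!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "S3fsMount",
                "Effect": "Allow",
                "Action": sorted(OBJECT_ACTIONS | BUCKET_ACTIONS),
                "Resource": [
                    f"{_ARN_PREFIX}{bucket}/*",  # objects inside the bucket
                    f"{_ARN_PREFIX}{bucket}",    # the bucket itself, for ListBucket
                ],
            }
        ],
    }


# Trust policy that lets EC2 assume the role; this is what "AWS service / EC2" generates.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }
    ],
}


def _as_list(value) -> List[str]:
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def lint_policy(policy: Dict) -> List[str]:
    """Return findings for `policy`; an empty list means it is scoped as the post intends."""
    findings: List[str] = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))

        if any(a == "*" or a.endswith("*") for a in actions):
            findings.append(f"{sid}: wildcard action {actions}")
        if any(r in ("*", f"{_ARN_PREFIX}*") for r in resources):
            findings.append(f"{sid}: wildcard resource grants access to every bucket")

        wants_objects = OBJECT_ACTIONS & set(actions)
        wants_bucket = BUCKET_ACTIONS & set(actions)
        has_object_arn = any(r.endswith("/*") for r in resources)
        has_bucket_arn = any(
            r.startswith(_ARN_PREFIX)
            and "/" not in r[len(_ARN_PREFIX):]
            and not r.endswith("*")
            for r in resources
        )
        if wants_objects and not has_object_arn:
            findings.append(f"{sid}: {sorted(wants_objects)} need a 'bucket/*' resource")
        if wants_bucket and not has_bucket_arn:
            findings.append(f"{sid}: s3:ListBucket needs the bare bucket ARN (no '/*')")

        extra = sorted(set(actions) - OBJECT_ACTIONS - BUCKET_ACTIONS)
        if extra:
            findings.append(f"{sid}: actions beyond what an s3fs mount needs: {extra}")
    return findings
```

Running `lint_policy` over the policy pasted above returns no findings; running it over a `"Action": "s3:*", "Resource": "*"` statement, which is what a quick console click often produces, flags it three times. Keep the role's trust policy limited to `ec2.amazonaws.com` as shown; that is what ties the credentials to the instance.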

Create IAM role

Now we need to create a role based on that policy. Head to Roles in IAM and click on "Create".

Select "AWS service" and EC2 under "Use case".

(Screenshot: IAM role setup)

On the next screen select the policy you just created.

Hitting "Next" brings you to the screen where you name the role and give it a description.

Hit "Create role" and you are done.

Assign that role to your EC2 instance.
NOTE: the navigation below is as of May 13, 2022; the AWS console UI can change.

Go to the EC2 section, select your EC2 instance, and under "Actions" (top right) choose "Security" -> "Modify IAM role".

That opens a page where you select the role you just created and assign it to your EC2 instance.

Ok, we are done here.

The mounting

Create a mount point.
It can be a directory anywhere.

Mount command

s3fs -o iam_role="<your_iam_role>" \
     -o url="https://s3.<your_aws_zone>.amazonaws.com" \
     -o endpoint=<your_aws_zone> \
     -o dbglevel=info \
     -o umask=000,uid=1000 \
     -o curldbg \
     -o allow_other \
     -o nonempty \
     <s3_bucket_name> <mounting_point>

your_iam_role is the role created and assigned to the EC2 instance.
your_aws_zone is the AWS region your bucket is in; it is shown in the bucket's properties. I am in Canada, so it will be ca-central-1.
(Screenshot: how to locate the AWS region in the S3 bucket properties)
umask 000 is what makes the directory writable if a web server needs to put files there.
nonempty is only needed if the directory already has something in it; otherwise skip it.
The bucket name and mount point are positional arguments, not -o options.
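The same mount command, assembled with its inputs checked first, as an added example that is not code from the original post: it reproduces the options used above (iam_role, url, endpoint, umask/uid, allow_other, nonempty, and the two debug options behind a `debug` flag), validates the bucket name and region format, checks that the mount point exists, adds `nonempty` only when the directory actually has contents, and refuses `umask=000` unless the caller opts in, since that makes every object world-writable on the instance. The function and parameter names, and the sample values in `demo()` (bucket, role and `gid=48`), are this example's own.

```python
"""Build a validated s3fs command line for an EC2 instance-role mount.

Added example; this is not code from the original post. It assembles the same
options the post's mount command uses but validates the inputs first, and it
prefers giving the web server's gid over umask=000.
"""
import os
import re
import shlex
import tempfile
from typing import Dict, List, Optional

_REGION_RE = re.compile(r"^[a-z]{2}(-gov)?-[a-z]+-\d$")          # e.g. ca-central-1
_BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def build_s3fs_argv(
    bucket: str,
    mountpoint: str,
    region: str,
    iam_role: str,
    uid: int = 1000,
    gid: Optional[int] = None,
    umask: str = "022",
    allow_world_writable: bool = False,
    debug: bool = False,
) -> List[str]:
    """Return argv for s3fs; raises instead of producing a command that is wrong or unsafe."""
    if not _BUCKET_RE.match(bucket):
        raise ValueError(f"invalid S3 bucket name: {bucket!r}")
    if not _REGION_RE.match(region):
        raise ValueError(f"{region!r} does not look like an AWS region (e.g. ca-central-1)")
    if not os.path.isdir(mountpoint):
        raise FileNotFoundError(f"mount point {mountpoint!r} does not exist; mkdir it first")
    if umask == "000" and not allow_world_writable:
        raise ValueError(
            "umask=000 makes every file world-writable; set gid to the web server's "
            "group and keep umask=022 (or 002), or pass allow_world_writable=True"
        )

    ownership = f"umask={umask},uid={uid}" + (f",gid={gid}" if gid is not None else "")
    options = [
        f"iam_role={iam_role}",                    # credentials come from the instance role
        f"url=https://s3.{region}.amazonaws.com",  # regional S3 endpoint
        f"endpoint={region}",
        ownership,
        "allow_other",                             # other local users (the web server) may use the mount
    ]
    if os.listdir(mountpoint):
        options.append("nonempty")                 # only needed when the directory is not empty
    if debug:
        options += ["dbglevel=info", "curldbg"]

    argv = ["s3fs", bucket, mountpoint]
    for opt in options:
        argv += ["-o", opt]
    return argv


def as_shell(argv: List[str]) -> str:
    """Quote argv for pasting into a shell or a systemd unit."""
    return " ".join(shlex.quote(a) for a in argv)


def demo() -> Dict:
    """Exercise the builder against a constructed temporary mount point."""
    with tempfile.TemporaryDirectory() as mp:
        # gid=48 is a constructed example value standing in for the web server's group id.
        empty = build_s3fs_argv("my-web-assets", mp, "ca-central-1", "ec2-s3-mount-role", gid=48)
        open(os.path.join(mp, "stale.txt"), "w").close()   # now the directory is not empty
        nonempty = build_s3fs_argv("my-web-assets", mp, "ca-central-1", "ec2-s3-mount-role", gid=48)
        try:
            build_s3fs_argv("my-web-assets", mp, "ca-central-1", "ec2-s3-mount-role", umask="000")
            refused = False
        except ValueError:
            refused = True
    return {"empty": empty, "nonempty": nonempty, "umask000_refused": refused}


if __name__ == "__main__":
    print(as_shell(demo()["empty"]))
```

The temporary directory in `demo()` exists only to show the `nonempty` logic; in practice pass the real mount point. Two caveats worth knowing before running the result: `allow_other` is honoured for a non-root s3fs process only if `/etc/fuse.conf` contains `user_allow_other`, and `dbglevel=info` with `curldbg` is verbose enough that you will want it off once the mount works.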

This worked for me.
