Mount S3 bucket to EC2 with IAM policy - step by step

Denys Bochko — Wed, 25 May 2022 19:18:15 +0000

I had to go through that process recently and I wanted to share what I had to do to accomplish that.

Prerequisite: ready and running EC2 instance and an S3 bucket has been created.

Install s3fs (S3 files system)

Update the system

sudo yum update

Install dependencies

sudo yum install automake fuse \
fuse-devel gcc-c++ git libcurl-devel \
libxml2-devel make openssl-devel

Download s3fs code from the source

git clone https://github.com/s3fs-fuse/s3fs-fuse.git

Install it

# cd s3fs-fuse\r\n# ./autogen.sh
# ./configure — prefix=/usr — with-openssl
# make 
# sudo make install

Make sure it is installed properly

which s3fs

This will give you the location of its binaries

IAM policy and role.

We need to create a policy that will give EC2 access to that S3 bucket and then we will assign that policy to a role that will be assigned to our EC2 instance.

Create an IAM policy

This is the JSON of the policy. You can modify it to your needs, this particular policy only needs to manage to read/write/delete files into that bucket.


    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::<your_bucket_here>/*",
                "arn:aws:s3:::<your_bucket_here>"
            ]
        }
    ]
}

Save the policy.

Create IAM role

Now we need to create a role based on that polity. Head to roles in IAM and click on "Create".

Select "AWS service" and EC2 under "Use case"

On the next screen select the policy you just created.

Hit "Next" will bring you to the next screen where you name the role and create its description.

Hit "Create role" and you are done.

Assign that role to your EC2 instance.
NOTE: the location specified is as of May 13, 2022, AWS UI can change

All the way to EC2 section, select your EC2 instance and under "Actions" which is on the top right select "Security"-> Modify IAM role.

That will lead to another page to select the role you just created and assign it to your EC2.

Ok, we are done here.

The mounting

Create a mounting point.
It can be a dir anywhere.

Mounting command

s3fs -o iam_role="<your_iam_role>" \
     -o url="https://<your_aws_zone>.amazonaws.com" \
     -o endpoint=<your_aws_zone> \
     -o dbglevel=info \
     -o umask=000,uid=1000 \
     -o curldbg \
     -o allow_other \
     -o nonempty \
     -o <s3_bucket_name> <mounting_point

your_iam_role is the role created and assigned to EC2
your_aws_zone is the AWS zone your bucket is in. It can be found in bucket properties. I am in Canada, so will be ca-central-1

umask 000 is what is going to make your dir writable if webserver needs to be put files there.
nonempty only needs if the dir has anything in it, otherwise skip it

This worked for me.

The Ops Community ⚙️: Denys Bochko

Mount S3 bucket to EC2 with IAM policy - step by step

Install s3fs (S3 files system)

IAM policy and role.

The mounting