How to authenticate session in application running on Beanstalk with boto3

+1 vote

My app is deployed via Elastic Beanstalk. It needs to access S3. I can do it locally with my own access key, but I don't want to store that anywhere when I deploy. Given that the instance is on Beanstalk, there must be an easier way to auth , perhaps with roles?

I have given full S3 permissions to the role used on the Beanstalk instance but I don't know how to set up the Session.

How can I replace this?:

session = boto3.session.Session(
aws_access_key_id=os.environ.get('AWS_ACCESS_KEY_ID'),
aws_secret_access_key=os.environ.get('AWS_SECRET_ACCESS_KEY')) client = session.client('s3') s3 = session.resource('s3') bucket = s3.Bucket(os.environ.get('S3_BUCKET')) 
# do stuff
Aug 28, 2018 in AWS by bug_seeker
• 15,510 points
1,669 views

1 answer to this question.

0 votes

The recommended way of managing credentials used to sign API requests to other AWS services is using IAM roles. When an IAM role is attached to an instance, it retrieves a temporary credentials from the instance metadata. These credentials are valid for a limited period of time, however SDK manages them transparently. So, instead of creating and distributing your AWS credentials to instance, you can delegate permissions using IAM role.

When creating the IAM role, in addition to access policies, you have to attach a trust policy (e.g what service can assume this role) as well.

Assume role policy

An assume role policy (also called as a trust policy) is a policy that grants an access to AWS service to use (assume) that particular role. So, if you are using EC2 instance, a trust policy could look like:

{
    "Action": "sts:AssumeRole",
    "Effect": "Allow",
    "Principal": {
        "Service": "ec2.amazonaws.com"
        }

}

Access policy

The access policy on another hand, grants an access to IAM role to specific AWS resources. So, for example the policy for full access to S3 service would look like

{
    "Version": "2012-10-17",
    "Statement": [
       {
        "Effect": "Allow",
        "Action": ["s3:*"],
        "Resource": ["*"]
       }
    ]
}

Once you have a role created and attached to particular instance, you can use SDK without supplying any credential or region to it and use it in your code like

s3 = boto3.resource('s3')
bucket = s3.Bucket(os.environ.get('S3_BUCKET'))

answered Aug 28, 2018 by Priyaj
• 58,020 points

Related Questions In AWS

+1 vote
1 answer

How to make an application private on AWS Elastic Beanstalk?

Like you said by default, your application ...READ MORE

answered Oct 25, 2018 in AWS by Archana
• 5,640 points
2,299 views
0 votes
1 answer

How to create a security group in AWS with Boto3?

Hi@akhtar, You can create a new security group ...READ MORE

answered Oct 11, 2020 in AWS by MD
• 95,460 points
4,263 views
0 votes
1 answer

How to create an AWS EC2 Instance in the VPC with Boto3 module?

Hi@akhtar, You can use a network interface in ...READ MORE

answered Oct 11, 2020 in AWS by MD
• 95,460 points
2,502 views
0 votes
1 answer

How to copy a folder from S3 to Elastic Beanstalk instance on its creation?

I had encountered similar problem. But i ...READ MORE

answered Aug 24, 2018 in AWS by Archana
• 4,170 points
4,572 views
+15 votes
2 answers

Git management technique when there are multiple customers and need multiple customization?

Consider this - In 'extended' Git-Flow, (Git-Multi-Flow, ...READ MORE

answered Mar 27, 2018 in DevOps & Agile by DragonLord999
• 8,450 points
4,035 views
+2 votes
1 answer
0 votes
1 answer

How to allow the application to communicate back to the on premise equipment?

The connection would need to be either ...READ MORE

answered Aug 16, 2018 in AWS by Priyaj
• 58,020 points
880 views
+1 vote
1 answer
webinar REGISTER FOR FREE WEBINAR X
REGISTER NOW
webinar_success Thank you for registering Join Edureka Meetup community for 100+ Free Webinars each month JOIN MEETUP GROUP