This article assumes you have some familiarity with the AWS ecosystem.

AWS CLI on EC2: The Bad Way

When using the AWS CLI on an EC2 instance to access AWS resources like your S3 buckets, you might encounter a permission error and be prompted to run aws configure.

You can follow the instructions and simply populate the AWS Access Key Id and AWS Secret Key Id with your own credentials or with another IAM User's credentials. That works, because it gives the instance proper permissions to your AWS resources.

However, that is misleading. On our local computers that is how we configure the AWS CLI, but on EC2 instances it is a bad and insecure way of configuring the CLI.

Why you should NOT put AWS credentials on an EC2

AWS credentials are personal: they belong to you and should only be on your personal computer.

If the EC2 instance is ever compromised, your personal account is compromised too. If the EC2 instance is shared, other people may perform AWS CLI actions while impersonating you, because the credentials can be easily viewed.

When using the AWS CLI on an EC2 instance, a better way is to use IAM Roles.

Attaching an IAM Role to an EC2 instance

1. Create an IAM Role. Select type of trusted entity: AWS service. Choose EC2 as the use case.

2. Attach the minimum permissions to the IAM Role. Attach AmazonS3ReadOnlyAccess, as we only want read access to S3 in this example.

3. Add Tags to the IAM Role (Optional).

4. Finish creating the IAM Role. Give the IAM Role a name and click Create Role.

5. Attach the IAM Role to an EC2 instance. Right click on an EC2 instance and find the option Security -> Modify IAM role. Attach the IAM Role to the EC2 instance.

Note: This change can take a couple of seconds or minutes to reflect on the EC2 instance.

Testing the IAM Role on EC2

1. Running the AWS CLI command now returns the expected response, showing a list of S3 buckets.

2. Check EC2 access on resources it does not have permissions to access.

AWS CLI on EC2: The Right Way

In this way we can see that the EC2 instance now has the minimum permissions we want, without having to put in any AWS credentials.
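
A check that follows from the argument above, as an added example that is not part of the original article: a Python script to run on an instance that looks for long-term access keys left behind by aws configure in the shared credentials file (~/.aws/credentials). The function names, the home-directory roots and the sample file contents are assumptions made for illustration.

```python
import configparser
from pathlib import Path

# AWS access key ID prefixes: AKIA = long-term IAM user key, ASIA = temporary
# STS key (the kind an instance role provides, always with a session token).
LONG_TERM_PREFIX = "AKIA"

# Constructed sample of a shared credentials file; no value here is real.
SAMPLE = """\
[default]
aws_access_key_id = AKIAEXAMPLEEXAMPLE01
aws_secret_access_key = constructed-secret-not-real
[sts-session]
aws_access_key_id = ASIAEXAMPLEEXAMPLE02
aws_secret_access_key = constructed-secret-not-real
aws_session_token = constructed-token-not-real
[no-keys]
region = us-east-1
"""


def find_static_keys(text, source="<sample>"):
    """Return (source, profile, key-id tail) for each long-term key stored."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text, source=source)
    findings = []
    for profile in parser.sections():
        key_id = parser[profile].get("aws_access_key_id", fallback="").strip()
        if not key_id:
            continue  # profile holds no key material at all
        token = parser[profile].get("aws_session_token", fallback="").strip()
        if key_id.startswith(LONG_TERM_PREFIX) or not token:
            findings.append((source, profile, "..." + key_id[-4:]))  # never the secret
    return findings


def scan_homes(roots=("/home", "/root")):
    """Check <root>/.aws/credentials and <root>/*/.aws/credentials."""
    findings = []
    for base in map(Path, roots):
        for path in [base / ".aws/credentials", *base.glob("*/.aws/credentials")]:
            try:
                findings += find_static_keys(path.read_text(), str(path))
            except (OSError, UnicodeDecodeError, configparser.Error):
                continue  # missing, unreadable or malformed file
    return findings

if __name__ == "__main__":
    print(find_static_keys(SAMPLE) + scan_homes())
```

An instance that relies only on its IAM Role should produce no findings from scan_homes(); any profile it reports is a key to remove from the instance and rotate.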