How to set up AWS credentials for Node.js app deployed to Elastic Beanstalk and talking to S3?

Question

My node.js app is deployed to Elastic Beanstalk and talks to S3 via aws-sdk.

Locally, all works fine because AWS credentials are taken from my local ~/.aws/credentials.

But, when deployed to Elastic Beanstalk I get an "Access Denied" error because my node app doesn't have the AWS credentials to talk to S3.

I read in the docs that:

If you have configured your instance to use IAM roles, the SDK will automatically select these credentials for use in your application, and you do not need to manually provide credentials in any other format.

But, I'm not sure how to configure the EC2 instance to use IAM roles.

I'm new to AWS, so terms like IAM roles, users, EC2 instances, security groups, etc. still do not make a perfect sense to me.

A thorough explanation will be highly regarded.

Answer 1

There are two ways to give an EC2 instance permissions to access other AWS resources. One as you know is using a credentials file, but roles are essentially credentials that are attached to the instance when it is created.

That's the important thing to remember there: You can only assign the role on instance creation. You cannot add a role to a running instance. You can however change an existing role to give it additional permissions.

You create a role in the IAM console and can attach a policy in the same way you would a user or a group.

So for example, you would set up a role that allows you Full Access to S3, and assign that to the instance when you create it. For any application that would then normally require AWS credentials, these will not be needed as the instance inherently has access to these services by virtue of its role.