Reputation: 646
Use EC2 credentials on ElasticBeanstalk with NodeJS
I have a small NodeJS app on ElasticBeanstalk and this communicate with S3 and DynamoDB. Currently I set the access and secret key as environment variable and use them to update the aws.config object. Is this the best practise? It is possible to generate or use credentials based on the service role, so I not need anymore to set credentials into environment variables? So for what I have the service role when I must use credentials from an user to access any service like DynamoDB or S3.
Upvotes: 1
Views: 650
Answers (1)
Reputation: 18918
Instance profile credentials are better than using using environment variables because instance profile credentials are automatically rotated every few hours. Since you used the term service role in your question, let me clarify the difference between service role and instance profile.
Instance profile role is not the same as "service role". Service role is a role that gives beanstalk service permissions to call other services on your behalf.
Instance profile credentials are linked to your EC2 instance and only your EC2 instance gets those.
Copying more details from my previous answer on the topic here:
When creating an environment you can choose to pass an IamInstanceProfile (typically named aws-elasticbeanstalk-ec2-role) and a service role (typically named aws-elasticbeantalk-service-role). These two roles are required when using Enhanced Application Health Monitoring.
Please note that these two roles require a completely a different set of permissions and you should use different roles for each of them. You can find the list of permissions required for Service Role and Instance profile documented here.
When creating/cloning/modifying environments using AWS console you will be shown an option to choose a service role. If you have never used a Service role before, you will be presented with an option to "Create a new role". The console allows you to create the Service role required by beanstalk using a single button click. You can view the permissions before creating the role.
After the first create, the console will present you with a dropdown with the role you created previously (typically named aws-elasticbeanstalk-service-role) and you can reuse this service role.
From the documentation: "A service role is the IAM role that Elastic Beanstalk assumes when calling other services on your behalf. Elastic Beanstalk uses the service role that you specify when creating an Elastic Beanstalk environment when it calls Amazon Elastic Compute Cloud (Amazon EC2), Elastic Load Balancing, and Auto Scaling APIs to gather information about the health of its AWS resources."
When creating/using a role you need to make sure the IAM user has pass role permission for the role you created. In case you are not using the root account make sure you have the correct policies for the IAM user. Note the iam:PassRole permission allows your IAM user to pass the role to beanstalk service.
Read about service roles and instance profile here.
Upvotes: 3
Related Questions
- Default username for ec2 instance spawned by elastic beanstalk
- How to set aws-sdk credentials using Elastic Beanstalk?
- AWS - Configuring access to EC2 instance from Beanstalk App
- AWS S3 Credentials for Elastic Beanstalk app
- AWS Beanstalk and SES authentication
- AWS ElasticBeanstalk NodeJS
- Allow Elasticbeanstalk application to access EC-2 instance without using a VPC
- Password protect AWS Node EB application
- How to set up AWS credentials for Node.js app deployed to Elastic Beanstalk and talking to S3?
- Amazon AWS Elastic Beanstalk - connect to mongodb