
I have a small NodeJS app on ElasticBeanstalk and it communicates with S3 and DynamoDB. Currently I set the access and secret key as environment variables and use them to update the aws.config object. Is this the best practice? Is it possible to generate or use credentials based on the service role, so I no longer need to set credentials in environment variables? So what do I have the service role for, when I must use credentials from a user to access any service like DynamoDB or S3?

user1791139
  • If you want security, you will have to use crypto somehow, but environment variables are used pretty commonly. I think things like https://learn.chef.io/ are used to avoid all of the manual components of setting up a box. – Catalyst Aug 22 '15 at 18:50

1 Answer

Instance profile credentials are better than using environment variables because instance profile credentials are automatically rotated every few hours. Since you used the term service role in your question, let me clarify the difference between service role and instance profile.

Instance profile role is not the same as "service role". Service role is a role that gives beanstalk service permissions to call other services on your behalf.

Instance profile credentials are linked to your EC2 instance and only your EC2 instance gets those.

Copying more details from my previous answer on the topic here:

When creating an environment you can choose to pass an IamInstanceProfile (typically named aws-elasticbeanstalk-ec2-role) and a service role (typically named aws-elasticbeanstalk-service-role). These two roles are required when using Enhanced Application Health Monitoring. Please note that these two roles require a completely different set of permissions and you should use different roles for each of them. You can find the list of permissions required for Service Role and Instance profile documented here.

When creating/cloning/modifying environments using AWS console you will be shown an option to choose a service role. If you have never used a Service role before, you will be presented with an option to "Create a new role". The console allows you to create the Service role required by beanstalk using a single button click. You can view the permissions before creating the role.

After the first create, the console will present you with a dropdown with the role you created previously (typically named aws-elasticbeanstalk-service-role) and you can reuse this service role.

From the documentation: "A service role is the IAM role that Elastic Beanstalk assumes when calling other services on your behalf. Elastic Beanstalk uses the service role that you specify when creating an Elastic Beanstalk environment when it calls Amazon Elastic Compute Cloud (Amazon EC2), Elastic Load Balancing, and Auto Scaling APIs to gather information about the health of its AWS resources."

When creating/using a role you need to make sure the IAM user has pass role permission for the role you created. In case you are not using the root account make sure you have the correct policies for the IAM user. Note the iam:PassRole permission allows your IAM user to pass the role to beanstalk service.

Read about service roles and instance profile here.

Rohit Banga
  • So I should only attach the S3 access in aws-elasticbeanstalk-ec2-role and can then communicate with S3 without setting credentials, by var s3 = new aws.S3(); ? – user1791139 Aug 23 '15 at 11:05
  • Yes... See the permissions here http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/concepts-roles.html#concepts-roles-instance you may need more if you use worker tier or ECS. In your case it seems you need s3 and dynamodb – Rohit Banga Aug 23 '15 at 15:40
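The pattern the answer and comments describe, as an added example that is not code from the question or the answer: the app creates SDK clients with no explicit credentials so the SDK's default credential chain falls through to the instance profile, a pre-flight check confirms no static keys are still set in the environment (the chain reads those before the instance metadata service, so they would silently override the role), and the instance profile role gets a least-privilege policy for just the app's bucket and table. The bucket name, table ARN and the `makeClients` helper are constructed for illustration.

```javascript
"use strict";

// Env vars that make the AWS SDK use static keys. The SDK checks these before
// the EC2 instance metadata service, so leaving them set overrides the
// instance profile and you lose the automatic rotation the answer mentions.
const STATIC_KEY_VARS = ["AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"];

// Returns the names of static-credential variables present in `env`.
// An empty array means the SDK will resolve credentials from the instance profile.
function staticCredentialVars(env) {
  return STATIC_KEY_VARS.filter((n) => typeof env[n] === "string" && env[n].length > 0);
}

// Least-privilege policy for the instance profile role (aws-elasticbeanstalk-ec2-role):
// one bucket and one table, no wildcard resources. Values are constructed placeholders.
function buildInstancePolicy(bucket, tableArn) {
  return {
    Version: "2012-10-17",
    Statement: [
      { Sid: "AppBucketObjects", Effect: "Allow",
        Action: ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
        Resource: `arn:aws:s3:::${bucket}/*` },
      { Sid: "AppBucketList", Effect: "Allow",
        Action: ["s3:ListBucket"],
        Resource: `arn:aws:s3:::${bucket}` },
      { Sid: "AppTable", Effect: "Allow",
        Action: ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:UpdateItem",
                 "dynamodb:DeleteItem", "dynamodb:Query"],
        Resource: tableArn },
    ],
  };
}

// Creates clients with NO credentials passed in (the point of the answer).
// `AWS` is the loaded aws-sdk module, injected so this can be exercised without it;
// in the app: makeClients(require("aws-sdk")).
function makeClients(AWS, env = process.env) {
  const leaks = staticCredentialVars(env);
  if (leaks.length > 0) {
    throw new Error(`static keys set, instance profile would be ignored: ${leaks.join(", ")}`);
  }
  return { s3: new AWS.S3(), ddb: new AWS.DynamoDB.DocumentClient() };
}
```

Run `staticCredentialVars(process.env)` in a deploy hook or at startup; a non-empty result means someone re-introduced the keys the role was meant to replace.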