16

We are using IAM roles to maintain the machines. We are now planning to mount S3 on our EC2 instances and do the processing as per our need. We have been using the s3fs tool for mounting.

But that doesn't seem to be working with the IAM roles. Are there any ways to make s3fs work with the IAM roles? Has anyone done this?

Thanks in advance.

sriram
  • 297

4 Answers

12

This worked for me: iam_role=auto

Here is my /etc/fstab entry:

s3fs#my_bucket /s3mount_path fuse _netdev,allow_other,iam_role=auto 0 0

Just make sure your IAM role has proper permissions.

Abhijit
  • 221
6

There seems to be an iam_role option in the man page:

iam_role (default is no role) - set the IAM Role that will supply the credentials from the instance meta-data.

A cursory overview of the source suggests that it will get the token and rotate them as they expire...

Also, see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#instance-metadata-security-credentials for details on getting these credentials, token, etc. yourself.
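A pre-flight check for the instance-metadata credentials that the `iam_role` option depends on, as an added example that is not part of the original answers or of s3fs. The function names and the sample document are constructed for illustration; the IMDSv2 token request and the credentials path are the ones documented by AWS.

```bash
IMDS="http://169.254.169.254/latest"   # EC2 instance metadata service
# On the instance, before mounting: imds_fetch_creds | check_creds

# Fetch the attached role's credentials document via IMDSv2 (EC2 only).
imds_fetch_creds() {
  local token role
  token=$(curl -sf -m 2 -X PUT "$IMDS/api/token" \
            -H "X-aws-ec2-metadata-token-ttl-seconds: 60") || return 1
  role=$(curl -sf -m 2 -H "X-aws-ec2-metadata-token: $token" \
            "$IMDS/meta-data/iam/security-credentials/" | head -n 1)
  [ -n "$role" ] || { echo "FAIL: no IAM role attached" >&2; return 1; }
  curl -sf -m 2 -H "X-aws-ec2-metadata-token: $token" \
       "$IMDS/meta-data/iam/security-credentials/$role"
}

# Print one string field of the flat JSON document read from stdin.
json_field() {
  sed -n 's/.*"'"$1"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Verdict on a credentials document read from stdin; secrets are never printed.
# $1: current UTC time, ISO-8601 (default: now); same-format stamps sort as strings.
check_creds() {
  local doc now code exp f
  doc=$(cat)
  now=${1:-$(date -u +%Y-%m-%dT%H:%M:%SZ)}
  code=$(printf '%s\n' "$doc" | json_field Code)
  [ "$code" = "Success" ] || { echo "FAIL: Code=${code:-missing}"; return 1; }
  for f in AccessKeyId SecretAccessKey Token Expiration; do
    [ -n "$(printf '%s\n' "$doc" | json_field "$f")" ] ||
      { echo "FAIL: $f missing"; return 1; }
  done
  exp=$(printf '%s\n' "$doc" | json_field Expiration)
  expr "x$exp" \< "x$now" >/dev/null && { echo "FAIL: expired at $exp"; return 1; }
  echo "OK: role credentials valid until $exp"
}

# Constructed sample document (placeholder values, not real credentials).
sample_creds() {
  cat <<'EOF'
{
  "Code" : "Success",
  "AccessKeyId" : "ASIAEXAMPLEEXAMPLE",
  "SecretAccessKey" : "constructed-secret-placeholder",
  "Token" : "constructed-session-token",
  "Expiration" : "2030-01-01T00:00:00Z"
}
EOF
}
```

If the check fails with no role attached, s3fs has nothing to resolve `iam_role=auto` against, so fix the instance profile before debugging mount options.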

5

Maybe a little late to the party, but since the majority of the answers are very old, I just wanted to share the command that works right now:

So, to manually mount the s3 bucket using an IAM role, you will need to fire the following command:

$ sudo s3fs <bucket-name> /<folder-path>/<folder-name> -o iam_role="<Role-name>" -o url="https://s3-<region-name>.amazonaws.com" -o endpoint=<region-name> -o dbglevel=info -o curldbg

Now, for example, if my bucket-name is "Test-Bucket" and the folder path is "/root/Test-Bucket" and my IAM Role name is "ec2_to_s3" and the region in which I have the s3 bucket is "Asia-Pacific Mumbai", then the above specified command will be used as:

$ sudo s3fs Test-Bucket /root/Test-Bucket -o iam_role="ec2_to_s3" -o url="https://s3-ap-south-1.amazonaws.com" -o endpoint=ap-south-1 -o dbglevel=info -o curldbg

and the bucket will be mounted successfully.

Now, if you want the bucket to get mounted on system reboot on its own, you will need to add this string in "/etc/fstab":

<bucket-name> /<folder-path>/<folder-name> fuse.s3fs _netdev,allow_other,use_path_request_style,iam_role=auto 0 0

Now, as per the previous example, the string that needs to be added in "/etc/fstab" would be:

Test-Bucket /root/Test-Bucket fuse.s3fs _netdev,allow_other,use_path_request_style,iam_role=auto 0 0

Hope this helps...

Srini K
  • 81
0

If you haven't found a solution, then I have added iam-role support to s3fs-c at

https://github.com/franc-carter/s3fs-c.git

There are two branches that may be of interest there:

iam-role: this has the iam role extension

memory-fix: this has the iam role extension and work to reduce the number of memory leaks

I've done basic, but not extensive, testing. Importantly, the iam-role branch does not have the memory fixes, as I am trying to make it a clean diff for a pull-request.

cheers