User Data script to call aws cli

Question

When an EC2 instance starts, I want it to automaticallly download few files from an S3 bucket using scripts or commands.


/usr/bin/aws s3 cp ...

The log tells me that permission was denied and I believe it is due to aws cli not finding any credentials when executing the user data script.

Running the command with sudo after the instance has started works fine.

I have run aws configure both with sudo and without.

I do not want to use cronjob to run something on startup since I am working with an AMI and often need to change the script, therefore it is more convenient for me to change the user data instead of creating a new AMI everytime the script changes.

If possible, I would also like to avoid writing the credentials into the script.

How can I configure awscli in such a way that the credentials are used when running a user data script?

Answer 1

You actually don't need the credentials to do so, you will just have to create an IAM role which lets the EC2 instance access the S3 bucket.

Don't add credentials in the instance or your AMI, because if you provide the correct roles, they will take care of it.

Check the IAM Roles for Amazon EC2 documentation to learn more about roles.

Let me provide you the solution in pointers:

1. Remove the AWS credentails from the EC2 instance 
2. Then create the AMI of that instance
3. Open your IAM console, create a Role for EC2 which allows access to S3
4. Attach this IAM role to the EC2 instance while launching it using the AMI, if did not attach then it will not work
5. Now, add your script to the user data part before launching it and it should work
6. If it doesn't work, then check your script

Also, I think you can take a look at the AWS Lambda part of this AWS Tutorial and for more insights you can check the AWS training page :)