How to give S3 Permissions to buildkite agents using ElasticCI?

Hello all, I’m new to Buildkite and trying to figure things out. We recently deployed agents through Buildkite and added SSH keys; it was tricky but I managed to figure it out. Now I’m trying to run some AWS S3 CLI commands and I’m unable to give the permissions to the instances. When I try to run aws s3 ls in the pipeline.yml file I get:

An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied

Can someone please help me with this. Thank you

Hey @oh-tarnished!

Welcome to the community :wave:

The reason you are seeing this error is because the Buildkite Agent doesn’t have the correct IAM role/policy to access objects within the S3 bucket you’re trying to run the commands in. This is fixable by creating an IAM Policy with the necessary actions (e.g., s3:GetObject, s3:ListBucket) and then specifying the Amazon Resource Name of the S3 bucket or specific objects you are trying to run these commands for.

Then, you’ll want to create an IAM role and attach the IAM policy you created above to the role. This role then becomes the permissions boundary for the Buildkite Agent. You’ll also need to make sure to associate the IAM role with the EC2 instance during its launch, or update the role associated with an existing instance.

Afterwards, you can test access like you were before by listing objects in the bucket or trying to access specific objects.

Here are some helpful links on what I’ve talked about above!

Creating IAM Policies/Roles (via the AWS Console): Creating roles and attaching policies (console) - AWS Identity and Access Management
Stackoverflow thread with some detail (outside of the Buildkite context): amazon web services - AccessDenied for ListObjects for S3 bucket when permissions are s3:* - Stack Overflow
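The policy, role and verification steps described in the answer above, worked through as an added example (not code from the thread, from Buildkite or from the Elastic CI Stack). The role name, bucket, prefix and instance id are placeholders; read the real instance role name from your Elastic CI Stack's CloudFormation resources rather than guessing it. Two caveats a practitioner will want: s3:ListBucket is a bucket-level action and must be granted on the bucket ARN, while s3:GetObject is object-level and must be granted on bucket/* (granting both on one ARN is the usual cause of the AccessDenied on ListObjects mentioned in the linked Stack Overflow thread); and a bare "aws s3 ls" with no bucket calls ListBuckets, which needs s3:ListAllMyBuckets on "*", so a bucket-scoped policy is tested with "aws s3 ls s3://your-bucket/" instead.

```bash
#!/usr/bin/env bash
# Added example (not from the Buildkite thread or the Elastic CI Stack): build a
# least-privilege S3 read policy for the agent's instance role, attach it, verify.
# Role name, bucket, prefix and instance id below are assumed placeholders.
set -euo pipefail

# s3_policy_json BUCKET [PREFIX]
# Prints an IAM policy document granting read access to one bucket, optionally
# limited to one key prefix. ListBucket names the bucket ARN; GetObject names
# bucket/<prefix>*. Putting both actions on a single ARN is the classic mistake.
s3_policy_json() {
  local bucket="$1" prefix="${2:-}"
  local list_condition=""
  if [ -n "$prefix" ]; then
    # Restrict listing to the same prefix the object grant covers.
    list_condition=",
      \"Condition\": { \"StringLike\": { \"s3:prefix\": [\"${prefix}*\"] } }"
  fi
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListBucket",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::${bucket}"${list_condition}
    },
    {
      "Sid": "ReadObjects",
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": "arn:aws:s3:::${bucket}/${prefix}*"
    }
  ]
}
EOF
}

# Trust policy letting EC2 assume the role (only needed when creating a new role).
ec2_trust_policy_json() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Principal": { "Service": "ec2.amazonaws.com" }, "Action": "sts:AssumeRole" }
  ]
}
EOF
}

# attach_inline_policy ROLE BUCKET [PREFIX]
# The Elastic CI Stack already creates an instance role for its agents, so adding
# an inline policy to that role avoids creating a second one.
attach_inline_policy() {
  local role="$1" bucket="$2" prefix="${3:-}"
  aws iam put-role-policy \
    --role-name "$role" \
    --policy-name "buildkite-s3-read-${bucket}" \
    --policy-document "$(s3_policy_json "$bucket" "$prefix")"
}

# create_role_for_instance ROLE INSTANCE_ID BUCKET [PREFIX]
# For a self-managed instance with no role yet: role + instance profile, then
# associate it with the running instance (no relaunch needed). IAM is eventually
# consistent, so the association may take a few seconds to become usable.
create_role_for_instance() {
  local role="$1" instance="$2" bucket="$3" prefix="${4:-}"
  aws iam create-role --role-name "$role" \
    --assume-role-policy-document "$(ec2_trust_policy_json)"
  attach_inline_policy "$role" "$bucket" "$prefix"
  aws iam create-instance-profile --instance-profile-name "$role"
  aws iam add-role-to-instance-profile --instance-profile-name "$role" --role-name "$role"
  aws ec2 associate-iam-instance-profile --instance-id "$instance" \
    --iam-instance-profile "Name=${role}"
}

# verify ROLE_ARN BUCKET
# Ask the IAM policy simulator whether the role may list the bucket and read
# objects, before touching the agent at all.
verify() {
  local role_arn="$1" bucket="$2"
  aws iam simulate-principal-policy \
    --policy-source-arn "$role_arn" \
    --action-names s3:ListBucket s3:GetObject \
    --resource-arns "arn:aws:s3:::${bucket}" "arn:aws:s3:::${bucket}/*" \
    --query 'EvaluationResults[].[EvalActionName,EvalResourceName,EvalDecision]' \
    --output table
}

# Usage (nothing runs when the file is only sourced):
#   ./s3-role.sh print  ci-artifacts builds/
#   ./s3-role.sh attach buildkite-elastic-stack-InstanceRole ci-artifacts builds/
#   ./s3-role.sh verify arn:aws:iam::123456789012:role/buildkite-elastic-stack-InstanceRole ci-artifacts
case "${1:-}" in
  print)  s3_policy_json "$2" "${3:-}" ;;
  attach) attach_inline_policy "$2" "$3" "${4:-}" ;;
  create) create_role_for_instance "$2" "$3" "$4" "${5:-}" ;;
  verify) verify "$2" "$3" ;;
esac
```

After attaching, the check from inside a job is "aws s3 ls s3://ci-artifacts/builds/" (with the bucket named), not a bare "aws s3 ls".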

Thank you @jared,

I have given the permissions accordingly. We have a script which looks for the .aws/credentials file and populates the data accordingly, but I realised that the EC2 instances don’t have the credentials file. How do I load that file?

No problem @oh-tarnished,

So the recommended approach here is to use an IAM Role/Policy instead of a credentials file, as I mentioned previously, as that would solve the issue of your EC2 instance not using the correct role/policy, and is more secure and manageable.

There’s an alternative however which you could try (this may not work depending on your Elastic Stack setup), and if you really want to stay with a credentials file you could try SSH’ing into the EC2 instance and setting an environment variable under ~/.bashrc (dependent on your image) that loads the credentials file via a specific path:

export AWS_SHARED_CREDENTIALS_FILE=/path/to/your/credentials/file

Afterwards you’d have to restart your shell or source the file to apply the changes.

I only provide you this alternative as a reference point. I strongly recommend moving over to IAM roles/policies, as they are generally more secure and a more manageable approach than trying to manually handle and update credentials via a file on the EC2 instance.

By doing so, you ensure your Buildkite Agents running on EC2 instances always have the appropriate AWS permissions without need for manual credential management, making this a more secure and scalable path for the future.
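Why the script's missing credentials file is not a problem once the instance role is in place, as an added example (not from the thread or from Buildkite): the AWS CLI and SDKs walk a credential provider chain in a fixed order, and anything earlier in the chain (exported access keys, a shared credentials file, including one pointed at by AWS_SHARED_CREDENTIALS_FILE as in the answer above) silently shadows the instance role. The script below models that precedence, and can be dropped into an agent hook so a job fails fast if it would run with anything other than the intended instance role. The hook path and role name are assumptions, not Elastic CI Stack defaults.

```bash
#!/usr/bin/env bash
# Added example (not from the thread or Buildkite): an agent hook that reports
# which link of the AWS credential provider chain a job will use and fails the
# job unless it is the instance role. Hook path and role name are assumptions.
set -euo pipefail

# credential_source: the CLI/SDK precedence for the cases that matter on an EC2
# agent. Higher entries shadow lower ones, which is why a stray credentials file
# or exported key quietly replaces the instance role.
#   1. AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY in the environment
#   2. shared credentials file (AWS_SHARED_CREDENTIALS_FILE, default ~/.aws/credentials)
#   3. the EC2 instance profile, fetched from the instance metadata service
# (role_arn / SSO / web-identity profiles in ~/.aws/config are not modelled here.)
credential_source() {
  if [ -n "${AWS_ACCESS_KEY_ID:-}" ] || [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]; then
    echo "env"
    return 0
  fi
  local f="${AWS_SHARED_CREDENTIALS_FILE:-${HOME:-/nonexistent}/.aws/credentials}"
  if [ -r "$f" ]; then
    echo "file:${f}"
    return 0
  fi
  echo "instance-profile"
}

# arn_matches_role ARN ROLE_NAME
# STS reports instance-profile credentials as an assumed-role ARN of the form
#   arn:aws:sts::123456789012:assumed-role/<role>/<instance-id>
arn_matches_role() {
  local arn="$1" role="$2"
  case "$arn" in
    *":assumed-role/${role}/"*) return 0 ;;
    *) return 1 ;;
  esac
}

# require_instance_role ROLE_NAME
# Fail unless credentials come from the instance profile and STS confirms the role.
require_instance_role() {
  local role="$1" src arn
  src="$(credential_source)"
  if [ "$src" != "instance-profile" ]; then
    echo "refusing to run: AWS credentials would come from '${src}', not the instance role" >&2
    return 1
  fi
  arn="$(aws sts get-caller-identity --query Arn --output text)"
  if ! arn_matches_role "$arn" "$role"; then
    echo "refusing to run: caller is ${arn}, expected role ${role}" >&2
    return 1
  fi
  echo "AWS identity: ${arn}"
}

# Install as an agent hook (assumed path: /etc/buildkite-agent/hooks/environment)
# and call it with the role name your stack created, e.g.
#   require_instance_role "buildkite-elastic-stack-InstanceRole"
if [ "${1:-}" = "check" ]; then
  require_instance_role "$2"
fi
```

Run as "./aws-identity.sh check <role-name>" on the instance to see the assumed-role ARN the agent actually holds; a "file:" or "env" answer means something on the box is overriding the role the first answer set up.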