Grant Access to S3 Bucket for Containers Using Environment Variables

How do I give a container access to an S3 bucket using environment variables?

In this example, we grant an ECS container read access to an S3 bucket. We create an IAM policy that allows reads on the bucket, attach it to an IAM role that the ECS task assumes as its task role, and pass the bucket name and region to the container as environment variables. The container does not need AWS access keys in its environment: ECS hands the task role's short-lived credentials to the container through its credentials endpoint, and the AWS SDKs pick them up automatically.

What we will do:

  1. Create an S3 bucket.
  2. Create an IAM policy that grants read access to objects in the S3 bucket.
  3. Create an IAM role that ECS tasks can assume and attach the policy to this role.
  4. Reference the role as the task role in an ECS task definition and pass the bucket name and region to the container as environment variables.
  5. Launch the task; the AWS SDK in the container uses the role's temporary credentials to read from the bucket.

Here is the code to achieve this:

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// The bucket the container will read from. Bucket names are global, so replace
// "my-awesome-bucket" with a name you own.
const myBucket = new aws.s3.BucketV2("my_bucket", {bucket: "my-awesome-bucket"});

// Least-privilege policy: object reads on this bucket only (no wildcard
// resource, no write or delete actions). Listing keys would need a separate
// s3:ListBucket statement on the bucket ARN itself.
const s3AccessPolicy = new aws.iam.Policy("s3_access_policy", {
    name: "S3AccessPolicy",
    description: "IAM policy to allow read access to an S3 bucket",
    policy: pulumi.jsonStringify({
        Version: "2012-10-17",
        Statement: [{
            Action: ["s3:GetObject"],
            Effect: "Allow",
            Resource: [pulumi.interpolate`${myBucket.arn}/*`],
        }],
    }),
});

// Task role: assumed by ECS on behalf of the task. The container receives this
// role's short-lived credentials from the ECS credentials endpoint (advertised
// to the container via AWS_CONTAINER_CREDENTIALS_RELATIVE_URI), which the AWS
// SDKs consult automatically. This is the task role, not the task execution
// role: the execution role is used by the ECS agent to pull images and ship
// logs, and its permissions are not visible to the application in the container.
const ecsTaskRole = new aws.iam.Role("ecs_task_role", {
    name: "ecsTaskRole",
    assumeRolePolicy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [{
            Action: "sts:AssumeRole",
            Effect: "Allow",
            Principal: {
                Service: "ecs-tasks.amazonaws.com",
            },
        }],
    }),
});
const attachPolicy = new aws.iam.RolePolicyAttachment("attach_policy", {
    role: ecsTaskRole.name,
    policyArn: s3AccessPolicy.arn,
});

const task = new aws.ecs.TaskDefinition("task", {
    family: "task",
    networkMode: "awsvpc",
    requiresCompatibilities: ["FARGATE"],
    cpu: "256",
    memory: "512",
    // The role whose credentials the container gets at runtime.
    taskRoleArn: ecsTaskRole.arn,
    // An executionRoleArn (with the AmazonECSTaskExecutionRolePolicy managed
    // policy) is only needed if the task pulls from a private registry or uses
    // the awslogs driver or secrets; this public sample image needs neither.
    containerDefinitions: pulumi.jsonStringify([{
        name: "my-container",
        image: "amazon/amazon-ecs-sample",
        // Only non-secret configuration goes into environment variables. Do not
        // put AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY here: task definitions
        // are stored in plaintext and readable by anyone with
        // ecs:DescribeTaskDefinition, and the SDK credential chain reads those
        // variables before the task role, so static keys would shadow the role.
        environment: [
            {
                name: "AWS_REGION",
                value: "us-west-2",
            },
            {
                name: "S3_BUCKET",
                value: myBucket.bucket,
            },
        ],
    }]),
});
export const bucketName = myBucket.bucket;
export const bucketArn = myBucket.arn;

Key Points:

  • S3 Bucket: Creates the bucket the container reads from.
  • IAM Policy: Allows s3:GetObject on objects in that bucket only; no wildcard resources and no write or delete actions.
  • IAM Role: A task role trusted by ecs-tasks.amazonaws.com; ECS delivers its short-lived credentials to the container at runtime, so no long-lived keys exist.
  • ECS Task Definition: References the role as taskRoleArn and passes the region and bucket name to the container as environment variables; no access keys are stored in the task definition.

Summary

We created an S3 bucket, an IAM policy granting read access to its objects, and an IAM role with that policy attached. The role is referenced as the task role in the ECS task definition, so the container obtains the role's temporary credentials from ECS automatically, and the bucket name and region reach the container as environment variables. Static AWS access keys never appear in the task definition, where they would be stored in plaintext and would take precedence over the task role in the SDK's credential chain.
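The caveat above, that static keys in a task definition are both exposed and shadow the task role, is easy to check before deploying. The following is an added example, not code from the original page or from Pulumi: a preflight check over the rendered container definitions of a task definition. It flags credential variables in any `environment` block and reports which source the AWS SDK's default credential provider chain would use inside the container, given that the chain consults `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` before the container credentials endpoint. The two sample container definitions and the placeholder credentials URI are constructed for this example.

```typescript
// Added example (not part of the original page): preflight check for static
// AWS keys in ECS container definitions, plus a model of which credential
// source the SDK default provider chain would select inside the container.

type EnvVar = { name: string; value: string };
type ContainerDef = { name: string; environment?: EnvVar[] };

// Variables the SDK's environment provider reads. That provider runs before
// the container (task role) provider, so a static key here shadows the role.
const STATIC_KEY_VARS = ["AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"];

// Variables ECS injects into the container at runtime when taskRoleArn is set.
const TASK_ROLE_VARS = ["AWS_CONTAINER_CREDENTIALS_RELATIVE_URI", "AWS_CONTAINER_CREDENTIALS_FULL_URI"];

type CredentialSource = "static-keys" | "task-role" | "none";

// Mirrors the chain order for the two sources relevant here: environment keys
// win over the container credentials endpoint.
function credentialSource(env: Record<string, string | undefined>): CredentialSource {
  if (env.AWS_ACCESS_KEY_ID && env.AWS_SECRET_ACCESS_KEY) return "static-keys";
  if (TASK_ROLE_VARS.some((v) => Boolean(env[v]))) return "task-role";
  return "none";
}

interface Finding { container: string; variable: string }

// One finding per credential variable found in any container's environment.
// An empty list means no long-lived keys are baked into the task definition.
function findStaticKeys(containers: ContainerDef[]): Finding[] {
  const findings: Finding[] = [];
  for (const c of containers) {
    for (const e of c.environment ?? []) {
      if (STATIC_KEY_VARS.includes(e.name)) findings.push({ container: c.name, variable: e.name });
    }
  }
  return findings;
}

// Constructed sample: keys baked into the task definition (insecure shape).
const insecureContainers: ContainerDef[] = [{
  name: "my-container",
  environment: [
    { name: "AWS_ACCESS_KEY_ID", value: "AKIA-EXAMPLE" },        // constructed placeholder
    { name: "AWS_SECRET_ACCESS_KEY", value: "example-secret" },  // constructed placeholder
    { name: "S3_BUCKET", value: "my-awesome-bucket" },
  ],
}];

// Constructed sample: only non-secret configuration; credentials come from the task role.
const hardenedContainers: ContainerDef[] = [{
  name: "my-container",
  environment: [
    { name: "AWS_REGION", value: "us-west-2" },
    { name: "S3_BUCKET", value: "my-awesome-bucket" },
  ],
}];

// Simulates the environment the SDK sees at runtime: the task definition's
// variables plus what ECS injects when a task role is attached. The URI value
// is a placeholder, not a real ECS path.
function runtimeEnv(containers: ContainerDef[], taskRoleAttached: boolean): Record<string, string> {
  const env: Record<string, string> = {};
  for (const e of containers[0].environment ?? []) env[e.name] = e.value;
  if (taskRoleAttached) env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI = "/v2/credentials/placeholder";
  return env;
}

// Usage: report findings and the effective credential source for each shape.
for (const [label, containers] of [["insecure", insecureContainers], ["hardened", hardenedContainers]] as const) {
  console.log(label, findStaticKeys(containers), credentialSource(runtimeEnv(containers, true)));
}
```

Run this against the `containerDefinitions` JSON of any task definition (for example the output of `aws ecs describe-task-definition`) as a pre-deploy gate: a non-empty findings list, or a credential source of `static-keys` while a task role is attached, means the role you carefully scoped is not the identity the container will actually use.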
