
IAM


Amazon S3 Files is a service that exposes an S3 bucket as a shared NFS file system. It supports EC2, EKS, ECS (Fargate), and Lambda, uses the CLI namespace `aws s3files` and the mount type `-t s3files`, and its read APIs are `list-*` and `get-*` (for example `list-file-systems`, `get-file-system`), not `describe-*`. As for every AWS resource, its permissions are controlled by IAM (Identity and Access Management).

S3 Files requires exactly two IAM roles, one for the file system and one for the compute resource:

| Role | Who assumes it | Purpose |
| --- | --- | --- |
| File system role | elasticfilesystem.amazonaws.com | S3 Files reads/writes the bucket and manages EventBridge sync rules |
| Compute role | EC2 instance profile | EC2 mounts the file system and reads objects directly from S3 |

The file system role was created on the File System page; this page creates the EC2 compute role.

  1. Confirm base exports. Required

    Re-run these in your current shell so all required variables are set:

    Terminal window
    export AWS_REGION=ap-southeast-6
    export ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
    export BUCKET=my-s3-files-bucket # ← replace with your real bucket name
    export BUCKET_ARN=arn:aws:s3:::${BUCKET}
    echo "Region: $AWS_REGION Account: $ACCOUNT_ID Bucket ARN: $BUCKET_ARN"
  2. Create the EC2 compute role. Required

    Role name s3files-compute-role-ec2, instance profile s3files-ec2-instance-profile.

    compute-trust-ec2.json
    cat > /tmp/compute-trust-ec2.json <<EOF
    {
      "Version": "2012-10-17",
      "Statement": [{
        "Effect": "Allow",
        "Principal": { "Service": "ec2.amazonaws.com" },
        "Action": "sts:AssumeRole"
      }]
    }
    EOF
    aws iam create-role \
      --role-name s3files-compute-role-ec2 \
      --assume-role-policy-document file:///tmp/compute-trust-ec2.json
  3. Attach managed policies. Required

    Attach AmazonS3FilesClientFullAccess to allow mounting the file system:

    Terminal window
    aws iam attach-role-policy \
    --role-name s3files-compute-role-ec2 \
    --policy-arn arn:aws:iam::aws:policy/AmazonS3FilesClientFullAccess

    Attach AmazonSSMManagedInstanceCore so the instance can register with Systems Manager — required for the EC2 launch walkthrough (Session Manager shell, no SSH):

    Terminal window
    aws iam attach-role-policy \
    --role-name s3files-compute-role-ec2 \
    --policy-arn arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
  4. Attach an inline S3 read policy. Required

    compute-s3-read-ec2.json
    cat > /tmp/compute-s3-read-ec2.json <<EOF
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "S3ObjectReadAccess",
          "Effect": "Allow",
          "Action": ["s3:GetObject", "s3:GetObjectVersion"],
          "Resource": "${BUCKET_ARN}/*"
        },
        {
          "Sid": "S3BucketListAccess",
          "Effect": "Allow",
          "Action": "s3:ListBucket",
          "Resource": "${BUCKET_ARN}"
        }
      ]
    }
    EOF
    aws iam put-role-policy \
      --role-name s3files-compute-role-ec2 \
      --policy-name S3FilesComputeS3ReadPolicy \
      --policy-document file:///tmp/compute-s3-read-ec2.json
  5. Create the instance profile and add the role. Required

    Terminal window
    aws iam create-instance-profile --instance-profile-name s3files-ec2-instance-profile
    aws iam add-role-to-instance-profile \
    --instance-profile-name s3files-ec2-instance-profile \
    --role-name s3files-compute-role-ec2
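The two documents written in steps 2 and 4 are the whole security boundary of the compute role: the trust policy decides who can assume it, and the inline policy decides what it can reach in S3. The following added example (not part of the S3 Files documentation or its tooling) rebuilds both documents as Python dicts and lints them the way a reviewer would before running `create-role` and `put-role-policy`: the trust policy may admit only the `ec2.amazonaws.com` service principal, and the inline policy may grant only `s3:Get*`/`s3:List*` actions on the one bucket. The bucket ARN is a constructed placeholder standing in for `$BUCKET_ARN`; the function names and the read-only prefix list are this example's own choices.

```python
"""Least-privilege lint for the S3 Files compute-role policy documents.

Added example, not from the S3 Files docs. It mirrors the trust policy
(step 2) and the inline S3 read policy (step 4) and checks them before
they are handed to `aws iam create-role` / `aws iam put-role-policy`.
"""
import json

# Constructed placeholder; the walkthrough derives this from $BUCKET.
BUCKET_ARN = "arn:aws:s3:::my-s3-files-bucket"

# Trust policy from step 2 (the walkthrough writes it with a heredoc).
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# Inline S3 read policy from step 4, with ${BUCKET_ARN} already substituted.
S3_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "S3ObjectReadAccess",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:GetObjectVersion"],
            "Resource": f"{BUCKET_ARN}/*",
        },
        {
            "Sid": "S3BucketListAccess",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": BUCKET_ARN,
        },
    ],
}

# Action prefixes a bucket-reading compute role needs; anything else is a finding.
READ_ONLY_PREFIXES = ("s3:Get", "s3:List")


def as_list(value):
    """IAM accepts a string or a list in Action/Resource/Service; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def statements(policy):
    return as_list(policy.get("Statement"))


def check_trust_policy(policy, allowed_service="ec2.amazonaws.com"):
    """Return findings for a trust policy; only `allowed_service` may assume the role."""
    findings = []
    for st in statements(policy):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        if not isinstance(principal, dict):
            # A bare "*" (or any non-dict principal) lets anyone assume the role.
            findings.append(f"trust: principal {principal!r} is not a service principal")
            continue
        for kind in principal:
            if kind != "Service":
                findings.append(f"trust: unexpected principal type {kind}")
        for svc in as_list(principal.get("Service")):
            if svc != allowed_service:
                findings.append(f"trust: unexpected service principal {svc}")
        for action in as_list(st.get("Action")):
            if action != "sts:AssumeRole":
                findings.append(f"trust: unexpected action {action}")
    return findings


def check_s3_read_policy(policy, bucket_arn):
    """Return findings for the inline policy: read-only actions, one bucket only."""
    allowed_resources = {bucket_arn, f"{bucket_arn}/*"}
    findings = []
    for st in statements(policy):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        for action in as_list(st.get("Action")):
            if "*" in action or not action.startswith(READ_ONLY_PREFIXES):
                findings.append(f"{sid}: action {action} is not a scoped read action")
        for resource in as_list(st.get("Resource")):
            if resource not in allowed_resources:
                findings.append(f"{sid}: resource {resource} is outside {bucket_arn}")
    return findings


def render(policy):
    """The JSON text you would pass via --assume-role-policy-document / --policy-document."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    for name, findings in (
        ("compute-trust-ec2.json", check_trust_policy(TRUST_POLICY)),
        ("compute-s3-read-ec2.json", check_s3_read_policy(S3_READ_POLICY, BUCKET_ARN)),
    ):
        print(name, "OK" if not findings else "\n  ".join(["FINDINGS:"] + findings))
```

Both documents from the walkthrough pass with no findings. Swapping the inline policy's `Action` for `s3:*` or its `Resource` for `*`, or the trust policy's `Principal` for `"*"`, produces a finding per violation, which is the check worth running on any edited copy of these files before they are applied to the role.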

Continue to Security Groups to open port 2049 between the EC2 instance and mount targets.