S3 mapping with IAM Role

I have a number of S3 mappings which had the accesskeyid and awssecretkey embedded in the mapping definition URL. But the EC2 instance which hosts my application has an IAM role which permits the server to access the S3 buckets without specifying credentials.

Does Lucee support this or does an S3 connection always require an accesskeyid and awssecretkey to be present either in the URL, application, or environmental variables?

Hey Juan,

My inclination would be to say ‘no’ that configuration is not supported. Under the hood Lucee (and ACF) use a java implementation of the AWS API for S3 services, so are likely to require the accessKeyId and awsSecretKey be specified. That said, you can try it without specifying this data and see if it works, but I doubt it will.


– Denny

I don’t think it does, but I usually use the AWS Java SDK’s instead of the builtin CF stuff. Ideally Lucee should use the standard AWS Credential Search order, checks Environment Variables, etc: https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html because the way it works now leads people to hard code the keys.

When you use an assumed role, you still have an accessKey and secretKey it is just that most AWS tools know where to look for them automatically. They are accessible from the instance metadata URL which can be hit by a cfhttp from inside your instance and used to populate the variables. Eg: docs: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html

Pete Freitag
Foundeo Inc.

1 Like

There are plenty of ways to mount an s3 bucket using the os, which for performance reasons alone you should use.

Once you have mounted that, you can use Coldfusion to do what ever manipulation to the file system as required.