Copilot-cli: Instructions on using EFS / S3 are unclear

Created on 19 Jul 2020 · 9 comments · Source: aws/copilot-cli

I've read through https://github.com/aws/copilot-cli/wiki/Additional-AWS-Resources which doesn't really explain how to use Amazon file systems. Can anyone provide examples of EFS / S3 configurations? I need to connect either S3 or EFS as a volume mount to a folder.

I also found this: https://github.com/aws/copilot-cli/blob/master/templates/addons/s3/cf.yml but am not sure how to use it.

All 9 comments

+1

Heya! We just released v0.2.0, which introduced a new command, storage init, that should make creating an S3 bucket easier! Can you give it a try and let us know if it helps solve your use case?

For EFS, we have a task in the backlog (https://github.com/aws/copilot-cli/issues/948) to enable overriding the task definition for EFS volumes; however, we haven't started working on it yet.

Hi @izaacdb! This template is accessible through the newly released copilot storage init command. You can run the following:

$ copilot storage init --svc frontend --name user-data-bucket --storage-type S3

to create an S3 bucket named "user-data-bucket" associated with and accessible by the "frontend" service in this sample.

Under the hood, the storage init command populates the template you've linked and writes it to the copilot/<service>/addons folder. Then, when you run copilot svc deploy, we'll create the bucket for you and inject an environment variable containing the bucket's name into your service container so it's easy for your code to access.

EFS is a bit more involved and isn't supported yet, since as Efe said we'll need to enable task definition overrides in the manifest in order to allow your services to mount the right volumes before we can programmatically generate the CF for you with storage init.

Can I use an existing S3 bucket?

Heya @lusatiro,

You should be able to!

  1. You can provide your bucket name as an environment variable in the manifest.
  2. You can add an addon with the necessary permissions to access the bucket:
# under ./copilot/<svcName>/addons/s3-permissions.yml
Parameters:
  App:
    Type: String
    Description: Your application's name.
  Env:
    Type: String
    Description: The environment name your service, job, or workflow is being deployed to.
  Name:
    Type: String
    Description: The name of the service, job, or workflow being deployed.
Resources:
  MyAccessPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Sid: S3ObjectActions
            Effect: Allow
            Action:
              - s3:GetObject
              - s3:PutObject
              - s3:PutObjectACL
              - s3:PutObjectTagging
              - s3:DeleteObject
              - s3:RestoreObject
            # Object-level actions are evaluated against object ARNs, so the bucket ARN needs the /* suffix.
            Resource: <YOUR_BUCKET_ARN>/*
          - Sid: S3ListAction
            Effect: Allow
            Action: s3:ListBucket
            # ListBucket is a bucket-level action and is evaluated against the bucket ARN itself.
            Resource: <YOUR_BUCKET_ARN>
Outputs:
  MyAccessPolicyARN:
    Value: !Ref MyAccessPolicy

This will attach MyAccessPolicy to your ECS Task Role so it can access the S3 bucket.

How can I give all public access to GetObject?

Hi @renatogbp

How can I give all public access to GetObject?

I don't think I am following 😅. What is the scenario you'd like to achieve?

Hi @efekarakus,

I am using S3 to store images which will be shown on my front-end app. So I am wondering if I should give read access to the public (anyone), or only read access to my front-end app?

The back-end service will be responsible for uploading/deleting an image in S3.

So I am wondering if I should give read access to the public (anyone), or only read access to my front-end app?

Heya! If you want the images to be only available for a set period of time, then I'd recommend giving only the frontend service permission to generate a presigned URL.

If you don't need to do some sort of validation before accessing images, then it should be safe to give read access to the public following the approach listed in this post: read-access-objects-s3-bucket. As long as you don't give a ListBucket permission to the public and limit the GetObject requests by a prefix, then it should be okay!

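A check for the public-read approach described in the reply above, added here as an example and not part of this thread: it walks a bucket policy and reports any statement open to everyone that allows anything beyond s3:GetObject (ListBucket, Put*, wildcards) or whose Resource is not confined to the allowed prefix. The bucket ARN and both sample policies are constructed.

```python
import json

# Constructed sample policies: GOOD follows the advice above, BAD grants the public
# ListBucket and a bucket-wide object wildcard.
BUCKET_ARN = "arn:aws:s3:::example-frontend-images"  # placeholder bucket
GOOD_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "PublicReadImages", "Effect": "Allow", "Principal": "*",
                 "Action": "s3:GetObject",
                 "Resource": "arn:aws:s3:::example-frontend-images/public/*"}]}""")
BAD_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "PublicList", "Effect": "Allow", "Principal": {"AWS": "*"},
                 "Action": ["s3:GetObject", "s3:ListBucket"],
                 "Resource": ["arn:aws:s3:::example-frontend-images",
                              "arn:aws:s3:::example-frontend-images/*"]}]}""")

PUBLIC_PRINCIPALS = ("*", {"AWS": "*"})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_public_read(policy, bucket_arn, allowed_prefix):
    """Return findings for every statement that grants access to everyone.

    A public statement passes only if it allows s3:GetObject and nothing else,
    and every Resource is the bucket ARN restricted to allowed_prefix.
    """
    findings = []
    expected = f"{bucket_arn}/{allowed_prefix}*"
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Principal") not in PUBLIC_PRINCIPALS:
            continue  # Deny statements and scoped principals are not public grants.
        sid = stmt.get("Sid", "<no Sid>")
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions != {"s3:getobject"}:
            findings.append(f"{sid}: public principal may {sorted(actions)}; only s3:GetObject is acceptable")
        for res in _as_list(stmt.get("Resource", [])):
            if res != expected:
                findings.append(f"{sid}: resource {res} is not limited to {expected}")
    return findings


if __name__ == "__main__":
    for name, pol in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, check_public_read(pol, BUCKET_ARN, "public/") or "OK")
```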