Mount an S3 Bucket on EC2 with an IAM Role (s3fs)
— ny_wk

Sometimes you want an S3 bucket to behave like a regular folder on your EC2 instance — so apps and scripts can read and write files with plain cp, mv, and ls instead of the AWS SDK. That's exactly what s3fs does, and pairing it with an IAM role (instead of access keys) keeps it secure. Here's the clean way to set it up.
What s3fs actually is
s3fs is a FUSE filesystem that mounts an S3 bucket as a local directory. FUSE (Filesystem in Userspace) lets non-root users create filesystems without touching kernel code — s3fs runs in user space and bridges your Unix file operations to the S3 API. So once mounted, the bucket looks and feels like an attached disk.
Keep in mind: it's object storage behind the scenes, so it's great for file-style access but not for low-latency, high-IOPS workloads like databases.
Why use an IAM role, not keys?
Hardcoding AWS access keys on a server is a leak waiting to happen. An IAM role attached to the EC2 instance grants S3 access automatically through the instance metadata — no keys to store, rotate, or lose. It's the secure, AWS-recommended way.
Step 1 — Create and attach an IAM role
In IAM, create a role for EC2 with a policy allowing access to your bucket (e.g., s3:ListBucket, s3:GetObject, s3:PutObject, s3:DeleteObject on that bucket and its objects). Attach the role to your EC2 instance — existing instances can have a role attached without a restart.
Step 2 — Install s3fs
Install the package and its FUSE dependency (s3fs-fuse via your package manager, or build from source on older distros). Confirm with s3fs --version.
Step 3 — Mount the bucket
Create a mount point and mount it, telling s3fs to use the instance's IAM role:
mkdir -p /mnt/s3
s3fs your-bucket /mnt/s3 -o iam_role=auto -o allow_other
Now ls /mnt/s3 shows your objects, and you can cp/mv files to and from it like any folder.
Step 4 — Make it persist across reboots
Add an entry to /etc/fstab (using the s3fs fstab syntax with iam_role=auto) so the bucket re-mounts automatically on boot.
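Steps 1 and 4 in concrete form, as an added example that is not from the original post: a bucket-scoped policy for the role and an idempotent fstab entry. The function names are hypothetical, `your-bucket` and `/mnt/s3` are the placeholders used above, and `_netdev` is an fstab option added here as an assumption about what you want at boot.

```shell
#!/bin/sh
# Added example, not the author's code. Function names are hypothetical;
# "your-bucket" and /mnt/s3 are the placeholders used in the steps above.
LC_ALL=C   # make the a-z range below mean ASCII lowercase only

# Accept only S3-style names (lowercase letters, digits, dots, hyphens,
# 3-63 characters) so nothing unexpected reaches the policy or fstab.
valid_bucket() {
  case "$1" in ""|*[!a-z0-9.-]*) return 1 ;; esac
  [ "${#1}" -ge 3 ] && [ "${#1}" -le 63 ]
}

# Step 1: policy for the role. s3:ListBucket is granted on the bucket ARN,
# the object actions on the objects under it (bucket/*), and nothing else.
s3fs_policy() {
  valid_bucket "$1" || return 1
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": "arn:aws:s3:::$1" },
    { "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
      "Resource": "arn:aws:s3:::$1/*" }
  ]
}
EOF
}

# Step 4: the fstab line. _netdev delays the mount until networking is up;
# allow_other exposes the mount to every local user, so drop it if unneeded.
s3fs_fstab_line() {
  printf '%s %s fuse.s3fs _netdev,allow_other,iam_role=auto 0 0\n' "$1" "$2"
}

# Append the line only when no uncommented entry already uses the mount point.
# $3 is the fstab file to edit (defaults to /etc/fstab).
s3fs_fstab_add() {
  valid_bucket "$1" || return 1
  fstab="${3:-/etc/fstab}"
  if awk -v m="$2" '$1 !~ /^#/ && $2 == m { f = 1 } END { exit !f }' "$fstab"
  then return 0; fi
  s3fs_fstab_line "$1" "$2" >> "$fstab"
}
```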
Key takeaways
- s3fs (a FUSE filesystem) mounts an S3 bucket as a local directory for normal file commands.
- Use an IAM role on the instance (iam_role=auto) — never hardcoded keys.
- Grant the bucket's S3 permissions in the role's policy.
- Add it to /etc/fstab to persist across reboots; avoid it for high-IOPS/database workloads.
Frequently asked questions
Is s3fs good for databases?
No — it's object storage with higher latency. Great for file sharing, backups, and media; bad for databases or heavy random I/O.
Why an IAM role over access keys?
Roles supply temporary, auto-rotated credentials via instance metadata — nothing sensitive stored on disk.
What does allow_other do?
It lets users other than the one who mounted the bucket access the filesystem (often needed for web/app servers). The matching FUSE setting must be enabled for it to work.
Will the mount survive a reboot?
Only if you add it to /etc/fstab — otherwise re-run the mount command after boot.
One FUSE mount plus an IAM role, and your S3 bucket becomes just another folder on the box — secure, and usable with the Unix commands you already know.