Forge and Amazon AWS Deployment, Server Creation, and IAM Policies


We all love Laravel Forge.  It makes things so, so easy.  That being said, when using AWS as your host, AWS permissions can sometimes be a bit funny.

Specifically, you need a dedicated IAM user for Forge so you can assign permission policies to it.  IAM is Amazon’s way of giving different users different permissions.  Forge makes use of this by asking for that user's Access Key ID and Secret Access Key when you first link your AWS account.

[Screenshot: Laravel Forge AWS Access Key ID and Secret Access Key setup]

A side note: you should be using IAM users.  If you aren’t, take a quick break and read why you should be instead of using your root user.  Yes, your root user also has a key and secret, but don’t use those. 🙂

Alright, so to the point: when creating the IAM user for Laravel Forge, you may be asking which policy to attach to it.  There are scary policy names like AdministratorAccess and other Admin-named policies, but we don’t want to give Forge more permissions than it needs.  We had been trying to crack this question for a while, so I reached out to Taylor:

With that being said, here is the way I’ve used his comments to apply policies, namely two AWS managed policies, AmazonEC2FullAccess and AmazonVPCFullAccess:

[Screenshot: IAM management console showing the Forge user with AmazonEC2FullAccess and AmazonVPCFullAccess attached]

It is worth noting this only applies if you want Forge to provision servers for you.  There is still the custom VPS option to have Forge manage a pre-existing server, or you could go down the path of writing a specific IAM policy that is scoped to the ARNs of particular instances, but that takes the fun out of Forge.  It is supposed to be easy, right?

I have not seen separate AWS managed policies for subnets and SSH keys, so this should work given that the EC2 access covers them.  If it doesn’t, hit me up in the comments and we can get this updated.
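To make the setup above repeatable, here is an added example (not from this post, Forge or AWS) using the AWS CLI: it creates a dedicated IAM user with exactly the two managed policies named above, prints the key pair Forge asks for, and includes a small audit helper that flags anything else attached to that user. The user name forge and an already-configured CLI profile with IAM rights are assumptions.

```shell
#!/usr/bin/env bash
# Added example: dedicated IAM user for Laravel Forge with only the two managed
# policies the post recommends, plus an audit of what is attached to it.
# Assumptions: AWS CLI v2 is installed and configured with a profile that may
# manage IAM; the user name "forge" is a placeholder.
set -euo pipefail

FORGE_USER="${FORGE_USER:-forge}"
# Exactly the two AWS managed policies from the post. Subnet and key-pair
# calls are part of the EC2 API, so nothing else is needed for provisioning.
FORGE_POLICY_ARNS="arn:aws:iam::aws:policy/AmazonEC2FullAccess
arn:aws:iam::aws:policy/AmazonVPCFullAccess"

# One-time setup, run by a human, never with root account keys.
create_forge_user() {
  aws iam create-user --user-name "$FORGE_USER" >/dev/null
  printf '%s\n' "$FORGE_POLICY_ARNS" | while IFS= read -r arn; do
    aws iam attach-user-policy --user-name "$FORGE_USER" --policy-arn "$arn"
  done
  # Prints AccessKeyId and SecretAccessKey: paste them into Forge, then clear
  # the terminal scrollback. The secret cannot be retrieved again later.
  aws iam create-access-key --user-name "$FORGE_USER" \
    --query 'AccessKey.[AccessKeyId,SecretAccessKey]' --output text
}

# Audit helper: reads attached policy ARNs from stdin (one per line) and
# returns 1 if any policy outside the allowlist (for example AdministratorAccess)
# is attached. Pure shell, so it can be fed from:
#   aws iam list-attached-user-policies --user-name forge \
#     --query 'AttachedPolicies[].PolicyArn' --output text | tr '\t' '\n'
audit_forge_policies() {
  rc=0
  while IFS= read -r arn; do
    [ -z "$arn" ] && continue
    if ! printf '%s\n' "$FORGE_POLICY_ARNS" | grep -xF "$arn" >/dev/null; then
      echo "unexpected policy attached to $FORGE_USER: $arn" >&2
      rc=1
    fi
  done
  return "$rc"
}
```

Running the audit periodically (or in CI) catches the case where someone later "fixes" a provisioning problem by attaching AdministratorAccess to the Forge user.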

Happy Forging!



Also published on Medium.

  • Nathan Barrett

    Thanks! This was the perfect answer to my question.

  • Alex Mansour

    Hello @Tanner,

    Thanks for this article. I have tried to create new AWS server following the steps above, but I’m getting the following error in Forge:

    ‘The server provider was unable to create your server. Either try contacting your server provider for more details or add a new server provider credential in your account profile.’

    I have even tried with the root user but it doesn’t work.

    Thoughts?

    Best,
    Alex

    • Hey Alex – that’s strange. Have you recently connected Forge to AWS or has it been a while since you connected your account? I know Forge re-did their AWS integration a while back.

      • Alex Mansour

        Thanks for your reply.

        Actually, I have tried with both cases and the result is the same.

        But could it be because AWS has no Ubuntu 16.04 support yet and Forge requires it?

      • Alex Mansour

        Never mind @tannerhearne:disqus, I found that the issue is related to the selected region: as a new AWS account, they activate only US East (Northern Virginia) and US West (Oregon).

        • Oh awesome! Alex – so do you mean that your AWS account was restricted from provisioning in other regions or that your Forge account was restricted from provisioning in other regions?

          • Alex Mansour

            Yes, AWS as a new account is allowed to launch only in the mentioned regions.

          • Ah ok – makes sense.

By Tanner