Forge and Amazon AWS Deployment, Server Creation, and IAM Policies


We all love Laravel Forge. It makes things so, so easy. That being said, when AWS is your host, the permissions side can be a bit funny.

Specifically, you need a dedicated IAM user for Forge so you can attach permission policies to it. IAM (Identity and Access Management) is Amazon's way of giving different users different permissions. Forge plugs into this by asking for that user's Access Key ID and Secret Access Key when you first link your AWS account.

[Image: Laravel Forge AWS key/secret setup screen]

A side note: you should be using IAM users. If you aren't, take a quick break and read why you should be, instead of using your root user. Yes, your root user also has a key and secret, but don't use those. 🙂

Alright, so to the point: when you create the IAM user that Forge will use, you may be asking which policy to attach to it. There are scary policy names like AdministratorAccess and other Admin-named policies, but we don't want to give Forge more permissions than it needs. We had been trying to crack this question for a while, so I reached out to Taylor:

With that said, here is how I have turned his comments into policies, namely two AWS-managed policies, AmazonEC2FullAccess and AmazonVPCFullAccess:

[Image: IAM management console showing the forge user's attached policies]

It is worth noting this only applies if you want Forge to provision servers for you. There is still the custom VPS option, where Forge manages a pre-existing server, or you could go down the path of writing a specific IAM policy that names the ARNs of the instances, but that takes the fun out of Forge; it is supposed to be easy, right?

I have not seen separate AWS policies that cover subnets or SSH keys specifically, so this should work given that it allows EC2 access (subnets and key pairs are both managed through the EC2 API, so AmazonEC2FullAccess covers them). If it doesn't, hit me up in the comments and we can get this updated.
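To make the two-policy setup above (and the tighter "specific IAM policy" alternative mentioned a couple of paragraphs earlier) concrete, here is an added example script, not code from the original post or from Forge. It assumes the AWS CLI is installed and already configured with an IAM admin user's credentials; the user name `forge`, the region `us-east-1`, the policy name `ForgeEC2Region-...` and the `apply` argument are all my own choices. The region-scoped variant is my assumption about what "a specific IAM policy" could look like (it uses the standard `aws:RequestedRegion` condition key); whether Forge needs anything outside that region is not something the post establishes, so the managed-policy variant is the safe default.

```shell
#!/usr/bin/env sh
# Added example (not from the original post or Forge): create a dedicated IAM
# user for Laravel Forge, attach policies, and hand back an access key.
# Assumes: AWS CLI installed, shell configured with IAM admin credentials.
# FORGE_USER / FORGE_REGION and the policy name below are assumptions.
set -eu

FORGE_USER="${FORGE_USER:-forge}"          # assumed IAM user name for Forge
FORGE_REGION="${FORGE_REGION:-us-east-1}"  # assumed region for the scoped variant

# AWS-managed policies live in the pseudo-account "aws": build their ARN from the name.
policy_arn() {
    printf 'arn:aws:iam::aws:policy/%s\n' "$1"
}

# Root credentials show up as arn:aws:iam::<account-id>:root in STS.
is_root_arn() {
    case "$1" in
        arn:aws:iam::*:root) return 0 ;;
        *) return 1 ;;
    esac
}

# Tighter alternative: ec2:* (the VPC APIs are also in the ec2 namespace),
# but only for requests that target the region passed as $1.
scoped_policy_document() {
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "*",
      "Condition": { "StringEquals": { "aws:RequestedRegion": "$1" } }
    }
  ]
}
EOF
}

# Enforce the post's advice: never do this with the root user's key and secret.
refuse_root() {
    caller=$(aws sts get-caller-identity --query Arn --output text)
    if is_root_arn "$caller"; then
        echo "refusing to run as root ($caller); use an IAM admin user instead" >&2
        exit 1
    fi
}

# Variant 1 (the post's recommendation): the two AWS-managed full-access policies.
attach_managed_policies() {
    for name in AmazonEC2FullAccess AmazonVPCFullAccess; do
        aws iam attach-user-policy --user-name "$FORGE_USER" \
            --policy-arn "$(policy_arn "$name")"
    done
}

# Variant 2 (assumed tighter alternative): one inline policy limited to a region.
attach_scoped_policy() {
    aws iam put-user-policy --user-name "$FORGE_USER" \
        --policy-name "ForgeEC2Region-$FORGE_REGION" \
        --policy-document "$(scoped_policy_document "$FORGE_REGION")"
}

create_forge_user() {
    refuse_root
    aws iam create-user --user-name "$FORGE_USER"
    if [ "${1:-managed}" = scoped ]; then attach_scoped_policy; else attach_managed_policies; fi
    # Show what ended up on the user before pasting anything into Forge.
    aws iam list-attached-user-policies --user-name "$FORGE_USER" --output table
    aws iam list-user-policies --user-name "$FORGE_USER" --output table
    # The secret is returned exactly once; Forge wants both values.
    aws iam create-access-key --user-name "$FORGE_USER" \
        --query 'AccessKey.[AccessKeyId,SecretAccessKey]' --output text
}

# Nothing touches AWS unless asked: ./forge-iam.sh apply [managed|scoped]
case "${1:-}" in
    apply) create_forge_user "${2:-managed}" ;;
esac
```

Run it as `sh forge-iam.sh apply` for the two managed policies, or `sh forge-iam.sh apply scoped` for the region-limited inline policy; the `refuse_root` check is there because the "invalid credentials" and root-key problems people hit usually come from pasting the wrong key pair into Forge, and it is cheap to catch before any user is created.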

Happy Forging!
Tanner Hearne


Also published on Medium.

  • Nathan Barrett

    Thanks! This was the perfect answer to my question.

  • Alex Mansour

    Hello @Tanner,

    Thanks for this article. I have tried to create new AWS server following the steps above, but I’m getting the following error in Forge:

    ‘The server provider was unable to create your server. Either try contacting your server provider for more details or add a new server provider credential in your account profile.’

    I have even tried with the root user but it doesn’t work.

    Thoughts?

    Best,
    Alex

    • Hey Alex – that’s strange. Have you recently connected Forge to AWS or has it been a while since you connected your account? I know Forge re-did their AWS integration a while back.

      • Alex Mansour

        Thanks for your reply.

        Actually, I have tried with both cases and the result is the same.

But could it be because AWS has no Ubuntu 16.04 support yet and Forge requires it?

      • Alex Mansour

Never mind @tannerhearne, I found that the issue was related to the selected region; as a new AWS account, they activate only US East (Northern Virginia) and US West (Oregon).

        • Oh awesome! Alex – so do you mean that your AWS account was restricted from provisioning in other regions or that your Forge account was restricted from provisioning in other regions?

          • Alex Mansour

Yes, as a new AWS account it's allowed to launch only in the mentioned regions.

          • Ah ok – makes sense.

I had an issue with my AWS keys. I generated an IAM user, got the key + secret and enabled the policies you recommended. However, for some reason I got back an error that my AWS credentials were invalid. I ended up putting in my DigitalOcean username in order to add a Service Provider. Thank you for the post!

    • Hi Connor,

      Did you ever figure out what was going on?

      Tanner

Not yet. I am deployed now with DigitalOcean. My next issue is that the images are displaying as 404 but work locally. I think it has something to do with the symlinking, but I'm not sure; kind of confused.

I didn't. It was really easy using DigitalOcean though! Haven't really seen other people with the same issue yet, but I can keep an eye out, and at least it's reported lol

    • Andrew White

      I have the same problem. Can’t seem to find an answer online. I’ve been using DO (super easy) but would like to swap to AWS.

Make sure you selected a service plan and that AWS has your credit card stored for your account. Those issues fixed it for me!

        https://twitter.com/connor11528/status/885536227092422656

        • Andrew White

Thanks! It turns out I had everything configured correctly… I just needed to wait a couple of hours for AWS to 'create' the account. I realized that might be the issue when I discovered I couldn't create an EC2 instance on my own. After waiting a couple of hours, I got the email that said the account was ready, and then Forge had no issue.

By Tanner