We all love Laravel Forge. It makes things so, so easy. That being said, when using AWS as your host sometimes AWS permissions can be a bit funny.
Specifically, you need a unique IAM user for Forge so you can assign permission policies. IAM is Amazon’s way of allowing different users different permissions. Forge utilizes this by asking for your Access Key ID and Secret Access Key when setting up the initial AWS account link.
A side note: you should be using IAM users. If you aren’t, take a quick break and read why you should be instead of using your root user. Because yes, your root user also has a key and secret, but don’t use those. 🙂
Alright, so to the point – when creating an IAM user for Laravel Forge you may be asking which policy to give that Forge IAM user. There are scary policy names like AdministratorAccess or other Admin-named policies, but we don’t want to give Forge more permissions than it needs. We had been trying to crack this question for a while, so I reached out to Taylor:
@tannerhearne @laravelphp needs to create EC2 instances, subnets, VPCs, and add SSH keys
— Taylor Otwell (@taylorotwell) March 4, 2016
With that being said, here is how I’ve applied his comments – namely with two AWS managed policies, AmazonEC2FullAccess and AmazonVPCFullAccess:
It is worth noting this is only if you want Forge to provision servers for you. There is still the custom VPS option to have Forge manage a pre-existing server or you could go down the path of making a specific IAM policy that specifies the ARNs of the instances, but then that takes the fun out of Forge – it is supposed to be easy, right?
I have not seen AWS managed policies that cover subnets and SSH keys on their own, so this should work given that EC2 access covers them. If it doesn’t – hit me up in the comments and we can get this updated.
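Since the whole point is giving Forge only these two policies, here is an added check (example code, not part of this post or of Forge) that audits what is actually attached to the Forge IAM user: it flags a missing AmazonEC2FullAccess/AmazonVPCFullAccess and any Admin-named policy that should not be there. The `forge` user name and the sample API response are constructed assumptions.

```python
"""Audit the managed policies attached to the IAM user Forge uses."""
import re

# The two managed policies this post recommends for the Forge IAM user.
EXPECTED_POLICY_ARNS = {
    "arn:aws:iam::aws:policy/AmazonEC2FullAccess",
    "arn:aws:iam::aws:policy/AmazonVPCFullAccess",
}

# Admin-named policies grant far more than Forge needs.
ADMIN_NAME_PATTERN = re.compile(r"admin", re.IGNORECASE)


def audit_attached_policies(attached_policies):
    """Classify a user's attached policies.

    `attached_policies` has the shape of the `AttachedPolicies` list that
    boto3's iam.list_attached_user_policies() returns:
    [{"PolicyName": ..., "PolicyArn": ...}, ...].
    Returns the expected ARNs that are missing, the Admin-named ones that
    should be removed, any other unexpected ones, and an overall "ok" flag.
    """
    arns = {p["PolicyArn"] for p in attached_policies}
    missing = sorted(EXPECTED_POLICY_ARNS - arns)
    extra = arns - EXPECTED_POLICY_ARNS
    # Match on the policy name (the part after the last "/"), not the ARN prefix.
    admin = sorted(a for a in extra if ADMIN_NAME_PATTERN.search(a.rsplit("/", 1)[-1]))
    other = sorted(extra - set(admin))
    return {"missing": missing, "admin": admin, "other": other,
            "ok": not missing and not extra}


def audit_user(user_name="forge"):
    """Fetch a real user's policies with boto3 and audit them (needs AWS
    credentials in the environment; the user name "forge" is an assumption)."""
    import boto3  # imported lazily so the offline sample below runs without it
    iam = boto3.client("iam")
    resp = iam.list_attached_user_policies(UserName=user_name)
    return audit_attached_policies(resp["AttachedPolicies"])


# Constructed sample response: an over-privileged Forge user.
SAMPLE_ATTACHED = [
    {"PolicyName": "AmazonEC2FullAccess",
     "PolicyArn": "arn:aws:iam::aws:policy/AmazonEC2FullAccess"},
    {"PolicyName": "AdministratorAccess",
     "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
]

if __name__ == "__main__":
    print(audit_attached_policies(SAMPLE_ATTACHED))
```

Against the sample it reports AmazonVPCFullAccess missing and AdministratorAccess as an Admin-named policy to remove; a user with exactly the two recommended policies comes back `ok`.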
Happy Forging!
Comments
16 responses to “Forge and Amazon AWS Deployment, Server Creation, and IAM Policies”
Thanks! This was the perfect answer to my question.
Hello @Tanner,
Thanks for this article. I have tried to create new AWS server following the steps above, but I’m getting the following error in Forge:
‘The server provider was unable to create your server. Either try contacting your server provider for more details or add a new server provider credential in your account profile.’
I have even tried with the root user but it doesn’t work.
Thoughts?
Best,
Alex
Hey Alex – that’s strange. Have you recently connected Forge to AWS or has it been a while since you connected your account? I know Forge re-did their AWS integration a while back.
Thanks for your reply.
Actually, I have tried with both cases and the result is the same.
But could it be, because AWS has no Ubuntu 16.04 support yet and Forge require it?
Hi Alex,
I came across this and am having a similar issue. I get the same credentials error above when creating in any region that isn’t one of the US ones. Not sure how to fix this? Is there something I need to change? I checked and all regions are active and the account fully activated.
Thanks 😊
Never mind @tannerhearne, I found that the issue related to the selected region: as a new AWS account they activate only US East (Northern Virginia) and US West (Oregon).
Oh awesome! Alex – so do you mean that your AWS account was restricted from provisioning in other regions or that your Forge account was restricted from provisioning in other regions?
Yes, as a new account AWS allows launching only in the mentioned regions.
Ah ok – makes sense.
I had an issue with my AWS keys. I generated an IAM user and got the key + secret and enabled the policies you recommended. However for some reason I got back an error that my AWS credentials were invalid. I ended up putting in my DigitalOcean username in order to add Service Provider. Thank you for the post!
Hi Connor,
Did you ever figure out what was going on?
Tanner
Not yet. I am deployed now with Digital Ocean. My next issue is that the images are displaying as 404 but work locally. I think it has something to do with the symlinking but not sure, kind of confused.
I didn’t. It was really easy using digital ocean though! Haven’t really seen other people with the same issue yet but can keep an eye out and at least reported lol
I have the same problem. Can’t seem to find an answer online. I’ve been using DO (super easy) but would like to swap to AWS.
Make sure you selected a service plan and that AWS has your credit card stored for your account. Those issues fixed it for me!
https://twitter.com/connor11528/status/885536227092422656
Thanks! It turns out I had everything configured correctly…I just needed to wait a couple of hours for AWS to ‘create’ the account. I realized that might be the issue when I discovered I couldn’t create an EC2 instance on my own. After waiting a couple of hours, I got the email that said the account was ready and then Forge had no issue.