Forge and Amazon AWS Deployment, Server Creation, and IAM Policies
We all love Laravel Forge. It makes things so, so easy. That being said, when using AWS as your host, the permissions side can be a bit fiddly.
Specifically, you want a dedicated IAM user for Forge so you can attach permission policies to that user alone. IAM (Identity and Access Management) is how AWS grants different users different permissions. Forge uses it by asking for that user's Access Key ID and Secret Access Key when you first link your AWS account.
A side note: you should be using IAM users. If you aren't, take a quick break and read why you should be instead of using your root user. Yes, the root user also has an access key and secret, but don't use those: no IAM policy can restrict what the root user may do, so anything that leaks those keys owns the whole account. :)
Alright, so to the point: when creating the IAM user for Laravel Forge, you may be asking which policy to give it. There are scary policy names like AdministratorAccess and other Admin-named policies, but we don't want to give Forge more permissions than it needs. We had been trying to crack this question for a while, so I reached out to Taylor:
With that said, here is how I've applied his comments: two AWS managed policies, AmazonEC2FullAccess and AmazonVPCFullAccess, attached to the Forge user.
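Here is the whole setup as an added example (my script, not code from the original post or from Forge): create the dedicated IAM user, attach exactly those two managed policies, refuse to continue if anything Administrator-flavoured is attached, and mint the key pair Forge asks for. It assumes the AWS CLI v2 is installed and that the shell already holds credentials of an IAM admin (never the root user's keys); the user name `forge` and the `AWS_CMD` dry-run hook are this example's own conventions.

```shell
#!/bin/sh
# Added example, not from the original post: create a dedicated IAM user for
# Forge, attach the two AWS managed policies discussed above, confirm nothing
# broader slipped in, and mint the key pair Forge asks for.
# Assumptions: AWS CLI v2 is installed and the shell already holds credentials
# of an IAM admin (never the root user's keys). The user name "forge" and the
# AWS_CMD dry-run hook are this example's own conventions.
set -eu

# Hook so the script can be dry-run without touching AWS:
#   AWS_CMD=echo ./forge-iam.sh forge
AWS_CMD="${AWS_CMD:-aws}"

# The two managed policies the post settles on, one ARN per line.
forge_policy_arns() {
  printf '%s\n' \
    arn:aws:iam::aws:policy/AmazonEC2FullAccess \
    arn:aws:iam::aws:policy/AmazonVPCFullAccess
}

# Create the user (tolerating "already exists") and attach each policy.
create_forge_user() {
  user="$1"
  $AWS_CMD iam create-user --user-name "$user" >/dev/null 2>&1 || true
  for arn in $(forge_policy_arns); do
    $AWS_CMD iam attach-user-policy --user-name "$user" --policy-arn "$arn"
  done
}

# Refuse to hand out keys if an Administrator-style policy is attached.
verify_forge_user() {
  attached="$($AWS_CMD iam list-attached-user-policies --user-name "$1" \
      --query 'AttachedPolicies[].PolicyName' --output text)"
  case "$attached" in
    *Administrator*)
      echo "refusing: $1 has an Administrator policy attached: $attached" >&2
      return 1 ;;
  esac
  echo "$1 attached policies: $attached"
}

# Print the Access Key ID and Secret Access Key to paste into Forge.
create_forge_access_key() {
  $AWS_CMD iam create-access-key --user-name "$1" \
    --query 'AccessKey.[AccessKeyId,SecretAccessKey]' --output text
}

# Usage: ./forge-iam.sh forge   (with no argument the functions are only defined)
if [ $# -gt 0 ]; then
  create_forge_user "$1"
  verify_forge_user "$1"
  create_forge_access_key "$1"
fi
```

Run it once with `AWS_CMD=echo ./forge-iam.sh forge` to see the exact CLI calls it will make, then again without the hook. The secret is printed only once, so paste it straight into Forge's AWS account link; if you lose it, create a new key and delete the old one rather than reusing anything.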
It is worth noting this only applies if you want Forge to provision servers for you. There is still the custom VPS option, where Forge manages a server you have already created, and you could go down the path of writing a custom IAM policy that limits Forge to specific resources (a freshly provisioned instance has no ARN to list until it exists, so that route usually means tag- or condition-based statements rather than a list of instance ARNs), but that takes the fun out of Forge. It is supposed to be easy, right?
I have not seen separate AWS managed policies for subnets or SSH keys; both are part of the EC2 API (ec2:CreateSubnet, ec2:ImportKeyPair and friends), so AmazonEC2FullAccess, which grants ec2:*, should cover them. If it doesn't, hit me up in the comments and we can get this updated.
Originally published at Tanner Hearne.