Connect AWS Account
AWS connects via IAM Access Keys. You'll create a dedicated IAM user with the permissions OEC.sh needs.
Never use your root account credentials. Create a dedicated IAM user.
Create IAM User and Access Keys
- Go to the AWS IAM Console > Users > Create user
- Name it something like oecsh-integration
- On the permissions step, choose one of two approaches:
Option A: Managed Policies (Quick)
Attach these AWS managed policies:
| Policy | Purpose |
|---|---|
| AmazonEC2FullAccess | Create and manage EC2 instances |
| AmazonS3FullAccess | Create and manage S3 buckets |
| AmazonRoute53FullAccess | Manage DNS records |
Option B: Custom Policy (Least Privilege)
Create a custom policy with this JSON:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EC2Management",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeImages",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "ec2:DescribeRegions",
        "ec2:DescribeAvailabilityZones",
        "ec2:RunInstances",
        "ec2:TerminateInstances",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:CreateKeyPair",
        "ec2:DeleteKeyPair",
        "ec2:ImportKeyPair",
        "ec2:CreateSecurityGroup",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:CreateTags"
      ],
      "Resource": "*"
    },
    {
      "Sid": "S3Management",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation",
        "s3:CreateBucket",
        "s3:DeleteBucket",
        "s3:ListBucket",
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:GetBucketPolicy",
        "s3:PutBucketPolicy"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Route53Management",
      "Effect": "Allow",
      "Action": [
        "route53:ListHostedZones",
        "route53:GetHostedZone",
        "route53:ListResourceRecordSets",
        "route53:ChangeResourceRecordSets",
        "route53:GetChange"
      ],
      "Resource": "*"
    }
  ]
}
```
Name the policy OECshIntegrationPolicy and attach it to your user.
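An added example (not part of the OEC.sh documentation): a small Python check that lists which mutating actions a policy grants on `"Resource": "*"`, run over the S3 and Route53 statements above and over a hypothetical variant scoped to a single backup bucket. The read-only verb list, the function names, and the bucket name `example-oecsh-backups` are assumptions of this example; this page does not confirm that OEC.sh works with the narrower policy.

```python
import json

# Verbs treated as read-only: a heuristic assumed for this example, not an AWS rule.
READ_ONLY = ("Describe", "List", "Get")

def as_list(value):
    """IAM accepts a single value or a list for Statement, Action and Resource."""
    return list(value) if isinstance(value, list) else [value]

def unscoped_writes(policy):
    """Map each Allow statement's Sid to the mutating or wildcard actions it
    grants on Resource "*" with no Condition to narrow them."""
    findings = {}
    for index, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if "*" not in as_list(stmt.get("Resource", [])):
            continue
        risky = [
            action for action in as_list(stmt.get("Action", []))
            if "*" in action or not action.split(":", 1)[-1].startswith(READ_ONLY)
        ]
        if risky:
            findings[stmt.get("Sid", f"statement-{index}")] = risky
    return findings

# Constructed input: the page's S3 and Route53 statements, plus a hypothetical
# scoped variant (the bucket name "example-oecsh-backups" is a placeholder).
PAGE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "S3Management", "Effect": "Allow", "Resource": "*", "Action": [
    "s3:ListAllMyBuckets", "s3:GetBucketLocation", "s3:CreateBucket",
    "s3:DeleteBucket", "s3:ListBucket", "s3:GetObject", "s3:PutObject",
    "s3:DeleteObject", "s3:GetBucketPolicy", "s3:PutBucketPolicy"]},
  {"Sid": "Route53Management", "Effect": "Allow", "Resource": "*", "Action": [
    "route53:ListHostedZones", "route53:GetHostedZone",
    "route53:ListResourceRecordSets", "route53:ChangeResourceRecordSets",
    "route53:GetChange"]}]}""")

SCOPED_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "S3List", "Effect": "Allow", "Resource": "*",
   "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"]},
  {"Sid": "S3Backups", "Effect": "Allow",
   "Resource": ["arn:aws:s3:::example-oecsh-backups",
                "arn:aws:s3:::example-oecsh-backups/*"],
   "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject"]}]}""")

if __name__ == "__main__":
    for name, policy in (("page", PAGE_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, json.dumps(unscoped_writes(policy), indent=2))
```

The check only looks at action verbs, so read actions such as `s3:GetObject` on `"*"` are not reported and still need a manual look.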
Generate Access Keys
- Click the user > Security credentials > Create access key
- Select Third-party service, confirm, and create
- Copy both values immediately -- the Secret Access Key is only shown once
| Credential | Example |
|---|---|
| Access Key ID | AKIAIOSFODNN7EXAMPLE |
| Secret Access Key | wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY |
Add to OEC.sh
Go to Settings > Cloud Accounts > Add Account > Amazon Web Services.
Enter your Access Key ID, Secret Access Key, and optionally a default region (e.g., us-east-1). Click Add Account.
The account should show Active with Compute, Storage, and DNS badges.
Common Regions
| Code | Location |
|---|---|
| us-east-1 | N. Virginia |
| us-west-2 | Oregon |
| eu-west-1 | Ireland |
| eu-central-1 | Frankfurt |
| ap-southeast-1 | Singapore |
| ap-northeast-1 | Tokyo |
Using Your AWS Account
Servers -- Go to Servers > Add Server > Provision from Cloud. Pick your region, instance type (e.g., t3.medium), and go.
Backups -- Go to Settings > Storage > Quick Setup. Select an S3 bucket or create one.
DNS -- Go to Settings > DNS Providers > Quick Setup. Select a Route53 hosted zone.
Troubleshooting
"Invalid credentials" -- Double-check you copied the full Secret Access Key. Confirm the key is still active in the IAM console.
"Access Denied" -- The IAM user is missing permissions. Use the AWS Policy Simulator to test. Attach missing policies.
EC2 launch fails -- Check service quotas, make sure the region has a default VPC (or specify a subnet), and verify the Ubuntu AMI exists in your region.
S3 access denied -- Check bucket permissions. Make sure the bucket isn't in a different AWS account.
Route53 zone not found -- Verify the hosted zone exists and the domain's nameservers point to Route53.
Cost Notes
| Resource | Billing |
|---|---|
| EC2 Instances | Per-hour based on instance type |
| S3 Storage | Per GB stored + data transfer |
| Route53 | Per hosted zone + per million queries |
Consider Reserved Instances for production, and set up S3 lifecycle policies to clean up old backups.