Connect AWS Account
Connect your Amazon Web Services account to OEC.sh for enterprise-grade infrastructure management.
What You'll Get
After connecting your AWS account, OEC.sh can:
| Capability | What It Enables |
|---|---|
| Compute | Auto-provision EC2 instances for Odoo hosting |
| Storage | Use S3 buckets for automated backups |
| DNS | Manage Route53 hosted zones for your domains |
Prerequisites
Before you begin, ensure you have:
- Active AWS account (Sign up here)
- IAM permissions to create users and access keys
- Understanding of AWS IAM (Identity and Access Management)
Connection Method
AWS uses IAM Access Keys for authentication. You'll create a dedicated IAM user with specific permissions for OEC.sh.
Security Best Practice: Never use your root account credentials. Always create a dedicated IAM user with minimal required permissions.
Step-by-Step Connection
Step 1: Create IAM User
- Sign in to the AWS IAM Console
- In the left sidebar, click Users
- Click Create user (top right)
- Enter user details:
  - User name: oecsh-integration
- Click Next
Step 2: Set Permissions
Choose one of two approaches:
Option A: Attach Managed Policies (Simpler)
For full capabilities, attach these AWS managed policies:
- Click Attach policies directly
- Search and select these policies:
| Policy Name | Purpose |
|---|---|
| AmazonEC2FullAccess | Create and manage EC2 instances |
| AmazonS3FullAccess | Create and manage S3 buckets |
| AmazonRoute53FullAccess | Manage DNS records |
- Click Next, then Create user
Option B: Custom Policy (More Secure)
For minimal permissions, create a custom policy:
- Click Attach policies directly
- Click Create policy
- Switch to JSON tab
- Paste this policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EC2Management",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeImages",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "ec2:DescribeRegions",
        "ec2:DescribeAvailabilityZones",
        "ec2:RunInstances",
        "ec2:TerminateInstances",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:CreateKeyPair",
        "ec2:DeleteKeyPair",
        "ec2:ImportKeyPair",
        "ec2:CreateSecurityGroup",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:CreateTags"
      ],
      "Resource": "*"
    },
    {
      "Sid": "S3Management",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation",
        "s3:CreateBucket",
        "s3:DeleteBucket",
        "s3:ListBucket",
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:GetBucketPolicy",
        "s3:PutBucketPolicy"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Route53Management",
      "Effect": "Allow",
      "Action": [
        "route53:ListHostedZones",
        "route53:GetHostedZone",
        "route53:ListResourceRecordSets",
        "route53:ChangeResourceRecordSets",
        "route53:GetChange"
      ],
      "Resource": "*"
    }
  ]
}
- Click Next
- Name the policy: OECshIntegrationPolicy
- Click Create policy
- Go back to user creation, refresh policies, and attach your new policy
- Click Next, then Create user
Step 3: Create Access Keys
- Click on the newly created user (oecsh-integration)
- Go to Security credentials tab
- Scroll to Access keys section
- Click Create access key
- Select Third-party service
- Check the confirmation box
- Click Next, then Create access key
IMPORTANT: Copy both values immediately - the Secret Access Key is shown only once!
| Credential | Example Format |
|---|---|
| Access Key ID | AKIAIOSFODNN7EXAMPLE |
| Secret Access Key | wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY |
Step 4: Add to OEC.sh
- Go to app.oec.sh > Settings > Cloud Accounts
- Click Add Account
- Under API Key Authentication, click Amazon Web Services
- Fill in the form:
| Field | Value |
|---|---|
| Account Name | AWS Production (or your preferred name) |
| Access Key ID | Paste your Access Key ID |
| Secret Access Key | Paste your Secret Access Key |
| Default Region | us-east-1 (optional, but recommended) |
- Click Add Account
Step 5: Verify Connection
- Your AWS account should appear in the list
- Status should show Active (green badge)
- Click the refresh icon to validate credentials
- You should see: Compute, Storage, DNS capability badges
Common AWS Regions
When specifying a default region, use these codes:
| Region Code | Location | Recommended For |
|---|---|---|
| us-east-1 | N. Virginia, USA | General, lowest latency to AWS services |
| us-west-2 | Oregon, USA | US West Coast |
| eu-west-1 | Ireland | Europe |
| eu-central-1 | Frankfurt | Europe, Germany |
| ap-southeast-1 | Singapore | Asia Pacific |
| ap-northeast-1 | Tokyo | Japan, East Asia |
Security Best Practices
1. Use Dedicated IAM User
Never use:
- Root account credentials
- Personal IAM user credentials
- Credentials shared with other services
2. Rotate Access Keys Regularly
- Create a new access key
- Update OEC.sh with new credentials
- Delete the old access key
- Recommended: Every 90 days
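To track the 90-day interval, the check below reads a key listing in the shape printed by `aws iam list-access-keys` and reports keys that are overdue, left inactive, or stuck mid-rotation. It is an added example, not OEC.sh or AWS code; the sample listing, its key IDs and the fixed clock value are constructed.

```python
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=90)  # rotation interval recommended above

def audit_keys(listing, now):
    """Map each access key ID to its findings.

    `listing` has the shape printed by `aws iam list-access-keys`.
    """
    keys = listing["AccessKeyMetadata"]
    active = [k for k in keys if k["Status"] == "Active"]
    report = {}
    for key in keys:
        # CreateDate is ISO 8601; normalise a trailing "Z" for older Pythons.
        created = datetime.fromisoformat(key["CreateDate"].replace("Z", "+00:00"))
        age_days = (now - created).days
        notes = []
        if key["Status"] != "Active":
            notes.append("inactive: delete it once OEC.sh works with the new key")
        else:
            if now - created > MAX_AGE:
                notes.append(f"active for {age_days} days: rotate")
            if len(active) > 1:
                notes.append("second active key present: rotation unfinished")
        if notes:
            report[key["AccessKeyId"]] = notes
    return report

# Constructed sample data; the key IDs are placeholders, not real credentials.
SAMPLE = {"AccessKeyMetadata": [
    {"UserName": "oecsh-integration", "AccessKeyId": "AKIAEXAMPLEOLD000001",
     "Status": "Active", "CreateDate": "2025-01-10T09:00:00+00:00"},
    {"UserName": "oecsh-integration", "AccessKeyId": "AKIAEXAMPLENEW000002",
     "Status": "Active", "CreateDate": "2025-05-20T09:00:00+00:00"},
]}
SAMPLE_NOW = datetime(2025, 6, 1, 9, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for key_id, notes in audit_keys(SAMPLE, SAMPLE_NOW).items():
        print(key_id, "->", "; ".join(notes))
```

An IAM user can hold at most two access keys, so the old key has to be deleted before the next rotation can start.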
3. Enable MFA for IAM User
While OEC.sh uses access keys (not console login), enabling MFA on the IAM user adds protection against unauthorized console access.
4. Use Resource Tags
OEC.sh adds tags to resources it creates:
CreatedBy: OECsh
Environment: <environment-name>
You can create IAM policies that restrict OEC.sh to only manage tagged resources.
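The Option B policy grants its mutating actions on "Resource": "*"; the check below lists such grants and shows that scoping the instance lifecycle actions to the CreatedBy tag clears them. It is an added example, not OEC.sh code: both sample policies are constructed (the first is a subset of the page's EC2 statement), the read-only prefix list is a heuristic, and whether OEC.sh works under the narrowed policy is not verified here.

```python
# Action-name prefixes treated as read-only (a heuristic assumed for this example).
READ_ONLY_PREFIXES = ("Describe", "List", "Get")

def as_list(value):
    """IAM accepts a bare string or object where a list is allowed."""
    return value if isinstance(value, list) else [value]

def unscoped_writes(policy):
    """Return sorted 'Sid:action' entries for mutating actions allowed on
    Resource "*" with no Condition block narrowing them."""
    findings = []
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        # Any Condition counts as narrowing here; its adequacy is not judged.
        if "*" not in as_list(stmt.get("Resource", [])) or stmt.get("Condition"):
            continue
        for action in as_list(stmt.get("Action", [])):
            name = action.split(":", 1)[-1]
            if not name.startswith(READ_ONLY_PREFIXES):
                findings.append(f"{stmt.get('Sid', '?')}:{action}")
    return sorted(findings)

# Constructed: a subset of the EC2Management statement from Option B.
AS_PUBLISHED = {"Version": "2012-10-17", "Statement": [
    {"Sid": "EC2Management", "Effect": "Allow",
     "Action": ["ec2:DescribeInstances", "ec2:StartInstances",
                "ec2:StopInstances", "ec2:TerminateInstances"],
     "Resource": "*"},
]}

# Constructed: reads stay broad, lifecycle actions require the tag OEC.sh sets.
TAG_SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Sid": "EC2Read", "Effect": "Allow",
     "Action": ["ec2:DescribeInstances"], "Resource": "*"},
    {"Sid": "EC2TaggedLifecycle", "Effect": "Allow",
     "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances"],
     "Resource": "arn:aws:ec2:*:*:instance/*",
     "Condition": {"StringEquals": {"aws:ResourceTag/CreatedBy": "OECsh"}}},
]}

if __name__ == "__main__":
    print("as published:", unscoped_writes(AS_PUBLISHED))
    print("tag scoped:  ", unscoped_writes(TAG_SCOPED))
```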
5. Consider VPC Restrictions
For enhanced security, restrict EC2 actions to specific VPCs:
{
  "Condition": {
    "StringEquals": {
      "ec2:Vpc": "arn:aws:ec2:region:account:vpc/vpc-id"
    }
  }
}
Using Your AWS Account
For Server Provisioning
- Go to Servers > Add Server
- Choose Provision from Cloud
- Select your AWS account
- Choose:
  - Region (e.g., us-east-1)
  - Instance type (e.g., t3.medium)
  - VPC and subnet (if multiple available)
- Click Provision
For Backup Storage
- Go to Settings > Storage
- Click Quick Setup on your AWS account (or Add Storage)
- Select an existing S3 bucket or create new
- Configure backup prefix (folder path in bucket)
For DNS Management
- Go to Settings > DNS Providers
- Click Quick Setup on your AWS account
- Select a Route53 hosted zone
- OEC.sh will manage A records for your domains
Troubleshooting
"Invalid credentials" Error
Cause: Access Key ID or Secret is incorrect.
Solution:
- Verify you copied the complete Secret Access Key
- Check for leading/trailing spaces
- Confirm the access key is still active in IAM console
- Create new access keys if needed
"Access Denied" Errors
Cause: IAM user lacks required permissions.
Solution:
- Check the IAM user's attached policies
- Use AWS Policy Simulator to test permissions
- Attach the missing managed policies or update custom policy
EC2 Instance Launch Fails
Cause: Could be region limits, VPC issues, or AMI availability.
Solutions:
- Service Quotas: Check EC2 instance limits in Service Quotas console
- VPC: Ensure the region has a default VPC or specify subnet
- AMI: Verify the selected Ubuntu AMI exists in your region
- Payment: Confirm your AWS account is not suspended
S3 Bucket Access Denied
Cause: Bucket policy or ACL restrictions.
Solution:
- Check bucket permissions in S3 console
- Verify bucket isn't in a different account
- Ensure no bucket policy blocks the IAM user
Route53 Zone Not Found
Cause: Hosted zone doesn't exist or is in a different account.
Solution:
- Verify the domain's hosted zone exists in Route53
- Ensure the domain is registered and delegated to Route53 nameservers
- Check you're using the correct AWS account
Cost Considerations
AWS charges for resources created by OEC.sh:
| Resource | Billing |
|---|---|
| EC2 Instances | Per-hour based on instance type |
| S3 Storage | Per GB stored + data transfer |
| Route53 | Per hosted zone + per million queries |
Tips to minimize costs:
- Use Reserved Instances for production servers
- Enable S3 lifecycle policies for old backups
- Stop non-production instances when not in use