EC2 role-based access to S3 denied

0

I have an EC2 server deploy that has a deploy-server-profile that contains a deploy-server-role. My deploy-server-role has an attached managed policy all-servers that contains 2 rules:

          - Effect: "Allow"
            Action:
              - "s3:GetObject"
            Resource:
              - "arn:aws:s3:::my-app-builds/infrastructure/master/cloud-init"
          - Effect: "Allow"
            Action:
              - "s3:ListBucket"
            Resource:
              - "arn:aws:s3:::my-app-builds"

On the server, I made sure AWS CLI is running with the role

ubuntu@ip-10-63-1-114:~$ aws sts get-caller-identity | jq .Arn
"arn:aws:sts::<my_aws_account>:assumed-role/deploy-server-role/<instance_id>"

And I verified that I could list the bucket

ubuntu@ip-10-63-1-114:~$ aws s3 ls s3://my-app-builds
                           PRE infrastructure/

But I could not download the cloud-init file

ubuntu@ip-10-63-1-114:~$ aws s3api get-object --bucket my-app-builds --key infrastructure/master/cloud-init /tmp/cloud-init.sh

An error occurred (AccessDenied) when calling the GetObject operation: Access Denied
1 Answer
2
Accepted Answer

Never mind, I found out that the object was put there without --acl bucket-owner-full-control, so my account never had the permission to delegate in the first place.

answered 2 years ago
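An added example, not code from the question or the answer: a CloudFormation fragment in the same YAML style as the policy above that configures the my-app-builds bucket so an upload made without --acl bucket-owner-full-control can no longer leave behind an object the bucket-owner account cannot delegate access to. The resource names and the <ci_account_id> placeholder are assumptions.

```yaml
Resources:
  MyAppBuildsBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: my-app-builds
      # Object Ownership "BucketOwnerEnforced" disables object ACLs: every
      # object, including one uploaded from another account, is owned by
      # the bucket owner, so the deploy-server-role's s3:GetObject grant
      # cannot be undercut by a missing --acl flag. An upload that sets
      # any ACL other than bucket-owner-full-control is rejected.
      OwnershipControls:
        Rules:
          - ObjectOwnership: BucketOwnerEnforced
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        IgnorePublicAcls: true
        BlockPublicPolicy: true
        RestrictPublicBuckets: true

  # Grant the CI account that uploads builds permission to write, but only
  # when the request grants the bucket owner full control. On a bucket
  # that still has ACLs enabled this is the control that turns a
  # forgotten --acl flag into an upload-time error instead of a later
  # AccessDenied on GetObject; with BucketOwnerEnforced above it is no
  # longer needed for ownership and can be dropped.
  MyAppBuildsBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref MyAppBuildsBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: CrossAccountUploadOnlyWithOwnerFullControl
            Effect: Allow
            Principal:
              AWS: "arn:aws:iam::<ci_account_id>:root"  # placeholder account id
            Action: "s3:PutObject"
            Resource: "arn:aws:s3:::my-app-builds/*"
            Condition:
              StringEquals:
                "s3:x-amz-acl": "bucket-owner-full-control"
```

To confirm the diagnosis on an existing object, `aws s3api get-object-acl --bucket my-app-builds --key infrastructure/master/cloud-init` shows the object's Owner; if it is not the bucket-owner account, the object was uploaded without the ACL.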
