STS temporary credentials: "Access Key Id you provided does not exist"

0

Hello everyone,
I'm running ECS Fargate tasks and they need to PUT files to an S3 bucket.
I decided to use STS temporary credentials instead of just hardcoding long-lasting credentials in the docker image.

So, I start by requesting this URL in bash.
json=$(curl "http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI")
It works, it returns this JSON output:

{
 "RoleArn":"The correct ARN of the Task Role. This role has the s3:PutObject permission.",
 "AccessKeyId":"ASIA4H7NO7.....",
 "SecretAccessKey":"Some string",
 "Token":"Some long string"
}

Now I use the AccessKeyId and SecretAccessKey I got to perform a V4 signature so I can PUT the file to S3.
https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html

I get this response, do you have any idea why?

<?xml version="1.0" encoding="UTF-8"?>
<Error>
<Code>InvalidAccessKeyId</Code>
<Message>The AWS Access Key Id you provided does not exist in our records.</Message>
<AWSAccessKeyId>ASIA4H7NO7...</AWSAccessKeyId>
<RequestId>AE2074679...</RequestId>
<HostId>Some long string</HostId>
</Error>

How come it says it does not exist? It's the Access key AWS gave me.

I'm not using SDKs, just scripting some bash, which is indeed working fine when I use long-lasting credentials (e.g. the AKIA access key).
On a side note... what's with the magic IP 169.254.170.2? Can't I use some host name?

Thanks in advance.

asked 4 years ago, 1020 views
1 Answer
1

I realized I should add and sign the x-amz-security-token header as well.
https://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html#UsingTemporarySecurityCredentials

Problem solved!

answered 4 years ago
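
The fix described in the answer, as an added example that is not part of the original thread: a shell function that builds the SigV4 headers for an S3 PUT with `x-amz-security-token` included in both the canonical headers and `SignedHeaders`. The function names, the bucket host and all credential values are constructed placeholders, and the object path is assumed to be already URI-encoded.

```shell
#!/usr/bin/env bash
# SigV4 headers for an S3 PUT signed with temporary (ASIA...) credentials.
# Added example; helper names are hypothetical, sample values are constructed.

hex_sha256() { openssl dgst -sha256 -hex | sed 's/^.*= //'; }
# HMAC-SHA256 of stdin under a hex-encoded key; prints the MAC as hex.
hex_hmac() { openssl dgst -sha256 -mac HMAC -macopt "hexkey:$1" -hex | sed 's/^.*= //'; }
str_to_hex() { printf '%s' "$1" | od -An -tx1 | tr -d ' \n'; }

# Args: access_key secret token host uri_path region amz_date payload_sha256
sigv4_put_headers() {
  local ak="$1" secret="$2" token="$3" host="$4" path="$5" region="$6"
  local amz_date="$7" payload_hash="$8"
  local day scope signed canonical string_to_sign key part sig
  day="${amz_date%%T*}"
  scope="$day/$region/s3/aws4_request"
  # Header names are lower case and sorted; the session token is one of them.
  signed="host;x-amz-content-sha256;x-amz-date;x-amz-security-token"
  canonical=$(printf 'PUT\n%s\n\nhost:%s\nx-amz-content-sha256:%s\nx-amz-date:%s\nx-amz-security-token:%s\n\n%s\n%s' \
    "$path" "$host" "$payload_hash" "$amz_date" "$token" "$signed" "$payload_hash")
  string_to_sign=$(printf 'AWS4-HMAC-SHA256\n%s\n%s\n%s' "$amz_date" "$scope" \
    "$(printf '%s' "$canonical" | hex_sha256)")
  # Signing key chain: "AWS4"+secret -> date -> region -> service -> aws4_request
  key=$(str_to_hex "AWS4$secret")
  for part in "$day" "$region" s3 aws4_request; do
    key=$(printf '%s' "$part" | hex_hmac "$key")
  done
  sig=$(printf '%s' "$string_to_sign" | hex_hmac "$key")
  printf 'Authorization: AWS4-HMAC-SHA256 Credential=%s/%s, SignedHeaders=%s, Signature=%s\n' \
    "$ak" "$scope" "$signed" "$sig"
  printf 'x-amz-date: %s\nx-amz-content-sha256: %s\nx-amz-security-token: %s\n' \
    "$amz_date" "$payload_hash" "$token"
}

# Demo with constructed placeholder values (not real credentials or a real bucket).
sigv4_put_headers "ASIAEXAMPLEKEYID" "exampleSecretKey" "exampleSessionToken" \
  "example-bucket.s3.us-east-1.amazonaws.com" "/file.txt" "us-east-1" \
  "20240101T000000Z" "$(printf 'hello' | hex_sha256)"
```

Pass the `Token` field of the credentials JSON as the third argument, and send each printed line to curl with `-H` alongside the request body.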
