S3 Access Denied when copying or listing contents from S3 bucket to EC2

0

Below is the CloudFormation template that I am using to create an EC2 instance and the IAM roles to access an S3 bucket.

AWSTemplateFormatVersion: '2010-09-09'
Description: Attach IAM Role to an EC2
Parameters:  
  S3KeyId:
    Description: S3 KMS custom key ID
    Type : 'AWS::SSM::Parameter::Value<String>'
    Default: /CNS/resources/s3_key_id
  SecretsmanagerKeyId:
    Description: ID of Secretsmanager KMS custom key
    Type : 'AWS::SSM::Parameter::Value<String>'
    Default: /CNS/resources/secretsmanager_key_id
  # BUCKET_NAME:
  #   Type: String
  #   Description: Name of the S3 Bucket Name
  #   Default: "sc-xxxxxxxxxxxxxxx-pp-o7dyvm3xd-configurestorebucket-4vtqanfcbcl0"

Resources:
  Test:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: t2.micro
      ImageId: ami-0661da39e6a5cdXXX
      SubnetId: subnet-0061b7c02f9a07XXX
      IamInstanceProfile:
        Ref: ListS3BucketsInstanceProfile
  ListS3BucketsInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: "/"
      Roles:
      - Ref: ListS3BucketsRole
  ListS3BucketsPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: ListS3BucketsPolicy
      PolicyDocument:
        Statement:
        - Effect: Allow
          Action:
          - s3:List
          - s3:GetObject
          - s3:GetObjectAcl
          - s3:ListObjectsV2
          - s3:PutObjectAcl
          - s3:PutObject
          - s3:ListObjects
          Resource: "arn:aws:s3:::sc-xxxxxxxxxxxxxxx-pp-o7dyvm3xd-configurestorebucket-4vtqanfcbcl0"
      Roles:
      - Ref: ListS3BucketsRole
  ListS3BucketsRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Principal:
            Service:
            - ec2.amazonaws.com
          Action:
          - sts:AssumeRole
      Path: "/"

When I SSH to the VM, I get errors like the ones below:

Copy Contents from S3 to EC2, Access Denied

aws s3 cp s3://sc-xxxxxxxxxxxxxxx-pp-o7dyvm3xd-configurestorebucket-4vtqanfcbcl0/* . --request-payer requester --recursive
fatal error: An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied

aws s3 ls s3://sc-xxxxxxxxxxxxxxx-pp-o7dyvm3xd-configurestorebucket-4vtqanfcbcl0/*
An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied

Listing files in that S3 bucket... Access Denied

aws s3 ls s3://sc-xxxxxxxxxxxxxxx-pp-o7dyvm3xd-configurestorebucket-4vtqanfcbcl0/
An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied

Any lead shall be greatly appreciated! Thank you.

2 Answers
2

Probably the IAM policy has a problem. Would you modify it as below?

before

PolicyDocument:
  Statement:
  - Effect: Allow
    Action:
    - s3:List
    - s3:GetObject
    - s3:GetObjectAcl
    - s3:ListObjectsV2
    - s3:PutObjectAcl
    - s3:PutObject
    - s3:ListObjects
    Resource: "arn:aws:s3:::sc-xxxxxxxxxxxxxxx-pp-o7dyvm3xd-configurestorebucket-4vtqanfcbcl0"

after

PolicyDocument:
  Statement:
  - Effect: Allow
    Action:
    - s3:ListBucket
    - s3:GetObject
    - s3:GetObjectAcl
    - s3:PutObjectAcl
    - s3:PutObject
    Resource:
    - "arn:aws:s3:::sc-xxxxxxxxxxxxxxx-pp-o7dyvm3xd-configurestorebucket-4vtqanfcbcl0"
    - "arn:aws:s3:::sc-xxxxxxxxxxxxxxx-pp-o7dyvm3xd-configurestorebucket-4vtqanfcbcl0/*"

It's complicated, but there is no ListObjects among the S3 actions, and ListBucket is the corresponding action. Resources for GetObject have to specify objects, not a bucket.

imiky
answered a year ago
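As an added example (not code from either answer or from the original post), a small lint that applies the two rules from this answer, list-style names that are not IAM actions and object actions granted only on a bucket-level ARN, to the "before" and "after" policy documents from this thread, with a third check for the bucket/object mix-up in the other direction:

```python
# Added example, not code from the original post: a lint for the S3 policy
# pitfalls discussed in this thread. Input is an IAM policy document as a
# dict (what CloudFormation renders from the YAML above).
BUCKET_PREFIX = "arn:aws:s3:::"
OBJECT_ACTIONS = {"s3:GetObject", "s3:GetObjectAcl", "s3:PutObject",
                  "s3:PutObjectAcl", "s3:DeleteObject"}
# API/CLI operation names that look like actions but are not IAM action names.
NOT_IAM_ACTIONS = {"s3:List", "s3:ListObjects", "s3:ListObjectsV2"}


def _as_list(value):
    """IAM accepts a single string or a list for Statement, Action, Resource."""
    return value if isinstance(value, list) else [value]


def _is_object_arn(arn):
    # arn:aws:s3:::bucket/key-or-wildcard; a bare bucket ARN has no "/".
    return arn.startswith(BUCKET_PREFIX) and "/" in arn[len(BUCKET_PREFIX):]


def lint_s3_policy(policy):
    """Return human-readable findings for the Allow statements of a policy."""
    findings, all_actions = [], set()
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = set(_as_list(stmt.get("Action", [])))
        all_actions |= actions
        resources = _as_list(stmt.get("Resource", []))
        for a in sorted(actions & NOT_IAM_ACTIONS):
            findings.append(f"statement {i}: {a} is not an IAM action (listing is granted by s3:ListBucket)")
        obj_actions = sorted(actions & OBJECT_ACTIONS)
        if obj_actions and "*" not in resources and not any(_is_object_arn(r) for r in resources):
            findings.append(f"statement {i}: {obj_actions} need an object resource such as arn:aws:s3:::bucket/*")
        if "s3:ListBucket" in actions and "*" not in resources and not any(not _is_object_arn(r) for r in resources):
            findings.append(f"statement {i}: s3:ListBucket needs the bucket ARN itself, not bucket/*")
    if all_actions & OBJECT_ACTIONS and "s3:ListBucket" not in all_actions:
        findings.append("no statement grants s3:ListBucket, so ListObjectsV2 (aws s3 ls, aws s3 cp --recursive) is denied")
    return findings


# The two policy documents from this thread, as dicts.
BUCKET = "arn:aws:s3:::sc-xxxxxxxxxxxxxxx-pp-o7dyvm3xd-configurestorebucket-4vtqanfcbcl0"
BEFORE = {"Statement": [{"Effect": "Allow", "Resource": BUCKET, "Action": [
    "s3:List", "s3:GetObject", "s3:GetObjectAcl", "s3:ListObjectsV2",
    "s3:PutObjectAcl", "s3:PutObject", "s3:ListObjects"]}]}
AFTER = {"Statement": [{"Effect": "Allow", "Resource": [BUCKET, BUCKET + "/*"],
    "Action": ["s3:ListBucket", "s3:GetObject", "s3:GetObjectAcl", "s3:PutObjectAcl", "s3:PutObject"]}]}

if __name__ == "__main__":
    for name, policy in (("before", BEFORE), ("after", AFTER)):
        print(name, lint_s3_policy(policy) or ["ok"])
```

The "before" document yields five findings (three bogus list actions, object actions without an object ARN, and no ListBucket at all), which is exactly why the instance profile is denied on ListObjectsV2; the "after" document yields none.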
1

Your IAM policy allows access to the bucket but not to the objects in the bucket. You'll need to add an additional resource which is "arn:aws:s3:::sc-xxxxxxxxxxxxxxx-pp-o7dyvm3xd-configurestorebucket-4vtqanfcbcl0/*"

This blog post may also assist here.

AWS
EXPERT
answered a year ago
