I have an EC2 server deploy that has a deploy-server-profile that contains a deploy-server-role.
My deploy-server-role has an attached managed policy all-servers that contains 2 rules:

  - Effect: "Allow"
    Action:
      - "s3:GetObject"
    Resource:
      - "arn:aws:s3:::my-app-builds/infrastructure/master/cloud-init"
  - Effect: "Allow"
    Action:
      - "s3:ListBucket"
    Resource:
      - "arn:aws:s3:::my-app-builds"
On the server, I made sure AWS CLI is running with the role
ubuntu@ip-10-63-1-114:~$ aws sts get-caller-identity | jq .Arn
"arn:aws:sts::<my_aws_account>:assumed-role/deploy-server-role/<instance_id>"
And I verified that I could list the bucket
ubuntu@ip-10-63-1-114:~$ aws s3 ls s3://my-app-builds
PRE infrastructure/
But I could not download the cloud-init file
ubuntu@ip-10-63-1-114:~$ aws s3api get-object --bucket my-app-builds --key infrastructure/master/cloud-init /tmp/cloud-init.sh
An error occurred (AccessDenied) when calling the GetObject operation: Access Denied
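A useful first step when an identity policy looks right but S3 still returns AccessDenied is to check, independently of AWS, whether the policy's Action/Resource matching actually covers the request. The following is an added example, not code from the question or from any answer to it: a small local evaluator of the two statements above, using IAM's wildcard semantics ('*' and '?' in Resource, case-insensitive Action names, case-sensitive ARNs). It models only Effect/Action/Resource in the identity policy itself; Condition blocks, bucket policies, SCPs, permissions boundaries, the KMS key policy for an SSE-KMS-encrypted object and the object's owning account are deliberately out of scope, and those are the places a denial has to originate if the statements really are attached as written, because the identity policy alone allows s3:GetObject on that exact key. The "sibling key" and "wrong ARN level" requests are constructed to show the two most common ways a policy like this fails to match.

```python
import re

# The two statements from the question, reproduced as Python data.
ALL_SERVERS_POLICY = {
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": ["arn:aws:s3:::my-app-builds/infrastructure/master/cloud-init"],
        },
        {
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": ["arn:aws:s3:::my-app-builds"],
        },
    ]
}

BUCKET_ARN = "arn:aws:s3:::my-app-builds"


def _iam_match(pattern: str, value: str) -> bool:
    """IAM wildcard matching: '*' matches any run of characters (including '/'),
    '?' matches exactly one character; the pattern is anchored at both ends."""
    regex = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
    )
    return re.fullmatch(regex, value) is not None


def _as_list(value):
    # IAM allows a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def evaluate(policy: dict, action: str, resource: str) -> str:
    """Evaluate one request against one identity policy.

    Returns 'Allow', 'Deny' (explicit deny, which wins over any allow) or
    'ImplicitDeny' (no statement matched). Action names are case-insensitive,
    resource ARNs (and therefore S3 keys) are case-sensitive, as in IAM.
    """
    decision = "ImplicitDeny"
    for statement in policy["Statement"]:
        action_hit = any(
            _iam_match(a.lower(), action.lower()) for a in _as_list(statement["Action"])
        )
        resource_hit = any(
            _iam_match(r, resource) for r in _as_list(statement["Resource"])
        )
        if action_hit and resource_hit:
            if statement["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def object_arn(key: str) -> str:
    """ARN of an object in the question's bucket; S3 object ARNs are bucket-ARN/key."""
    return f"{BUCKET_ARN}/{key}"


def check_question_requests() -> dict:
    """The two calls made in the question, plus constructed near-misses that a
    policy of this shape does NOT cover."""
    return {
        # Exactly what the question ran: both are allowed by the identity policy.
        "ListBucket on bucket": evaluate(ALL_SERVERS_POLICY, "s3:ListBucket", BUCKET_ARN),
        "GetObject on cloud-init": evaluate(
            ALL_SERVERS_POLICY, "s3:GetObject", object_arn("infrastructure/master/cloud-init")
        ),
        # Constructed near-misses: a different key under the same prefix ...
        "GetObject on sibling key": evaluate(
            ALL_SERVERS_POLICY, "s3:GetObject", object_arn("infrastructure/master/other")
        ),
        # ... and the two actions applied at the wrong ARN level. ListBucket is a
        # bucket-level action and GetObject an object-level one; swapping them
        # never matches, which is a frequent cause of AccessDenied elsewhere.
        "ListBucket on object ARN": evaluate(
            ALL_SERVERS_POLICY, "s3:ListBucket", object_arn("infrastructure/master/cloud-init")
        ),
        "GetObject on bucket ARN": evaluate(ALL_SERVERS_POLICY, "s3:GetObject", BUCKET_ARN),
    }


if __name__ == "__main__":
    for name, decision in check_question_requests().items():
        print(f"{name:28s} -> {decision}")
```

Running it prints Allow for the two requests the question actually made and ImplicitDeny for the constructed near-misses. If you want the same check against the real account, `aws iam simulate-principal-policy` with the role ARN, `s3:GetObject` and the object ARN gives AWS's own answer for the identity policy plus SCPs and boundaries, but it still does not see the bucket policy or object ownership.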