I am trying to restrict access to an S3 bucket to only EC2 instances with a specific instance profile.
Here's the scenario. I have an S3 bucket into which a file is written. There is a lambda trigger that submits a job to an AWS Batch queue. The Batch compute environment launches an EC2 instance with a specific instance profile that attempts to read the file from S3 for processing. Using the roleId of the role attached to the instance profile I've written the following Bucket Policy,
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Principal": "",
"Action": "s3:",
"Resource": [
"arn:aws:s3:::MY_BUCKET",
"arn:aws:s3:::MY_BUCKET/"
],
"Condition": {
"StringNotLike": {
"aws:userId": [
"AROAMY_ROLEID:"
]
}
}
}
]
}
The read fails.
This policy seems to work fine in other scenarios where I'm not in an AWS Batch environment. For example, a lambda function that uses the same role as it's execution role. The file is readable, no problem.
Is there something different about doing this from with a Batch execution environment that is causing this policy to not work?
Thanks for any help...
