Figured this out. The managed instance had the correct role; I just needed to install the awscli tools first, set the path so that PowerShell could use them, then issue the standard aws s3 cp command.
Part of my run document looks like this. I'm using Chocolatey to get the awscli tools installed.
Set-ExecutionPolicy Bypass -Scope Process -Force; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
choco install awscli -y
setx PATH "%PATH%;C:\Program Files\Amazon\AWSCLI"
aws s3 cp s3://yadayadayada c:\
Then a line to remove the CLI tool when done:
choco uninstall awscli -y
Too bad the SSM agent doesn't come with AWS tools already installed for this kind of stuff, but that's ok.
Edited by: kleinberger on Feb 13, 2019 2:13 PM
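A variant of the run-document steps above, as an added example that is not part of the original post: it makes the PATH change for the current process only, stops when a step fails, checks the downloaded file against a known SHA-256, and always removes the CLI afterwards. The bucket, key, destination and hash are placeholders, the install directory is the one given in the post, the `Invoke-Native` helper is hypothetical, and Chocolatey is assumed to be installed already.

```powershell
# Added example (not from the original post). All values below are placeholders
# except $CliDir, which is the install path given in the post.
$S3Uri        = 's3://EXAMPLE-BUCKET/EXAMPLE-KEY'
$Destination  = 'C:\Temp\EXAMPLE-KEY'
$ExpectedHash = '<EXPECTED-SHA256-HEX>'   # known-good digest of the object
$CliDir       = 'C:\Program Files\Amazon\AWSCLI'

# Hypothetical helper: run a native command and fail the step on a non-zero exit code.
function Invoke-Native {
    param([string]$Exe, [string[]]$Arguments)
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "$Exe exited with code $LASTEXITCODE"
    }
}

try {
    Invoke-Native 'choco' @('install', 'awscli', '-y')

    # Process-scoped PATH change: visible to the commands below and not persisted
    # (setx writes the persisted value, which only future processes pick up).
    if (($env:Path -split ';') -notcontains $CliDir) {
        $env:Path = "$env:Path;$CliDir"
    }

    # Credentials come from the instance role, as in the post.
    Invoke-Native 'aws' @('s3', 'cp', $S3Uri, $Destination, '--only-show-errors')

    # Refuse to keep a file whose digest does not match the expected one.
    $actual = (Get-FileHash -Path $Destination -Algorithm SHA256 -ErrorAction Stop).Hash
    if ($actual -ne $ExpectedHash) {
        Remove-Item -Path $Destination -Force
        throw "SHA-256 mismatch for $Destination"
    }
}
finally {
    # Remove the CLI whether or not the download succeeded.
    & choco uninstall awscli -y
}
```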