Assuming you have attached the correct permissions to the relevant role and the S3 bucket also allows access, the best way to figure out the issue is to configure S3 server access logs: https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-server-access-logging.html
However, in addition to enabling the S3 server access logs, try to debug your workflow and the stage at which this "Access Denied" error occurs. This will help in isolating the API action that is getting rejected.
With this API action, check the Request ID and Extended Request ID for the respective API in the S3 server access logs. Also verify these areas where the action can be denied:
- Identity based policy (permission present and checked)
- Resource based policy (bucket in same account so checked)
- Any permission boundary on IAM role
- VPC endpoint policy
- SCP on account
If nothing helps, gather all the details and contact AWS Support.
Did you ever figure out the solution to this problem? I am currently running into the same exact issue. The funny thing is that I only see this issue when trying to use the S3 Environment file from an EC2 container instance, and it works perfectly fine from Fargate.
I even looked into the EC2 container instance ecs-agent settings, and the one that may block communication with the internal endpoints is disabled: ECS_AWSVPC_BLOCK_IMDS=false
So I don't know what else could be causing this. I have my ECS container instance role and the task execution role both set up to be able to access the bucket, but it doesn't work.
I figured it out... for some reason the EC2 container instances require GetBucketLocation in addition to ListBucket, but Fargate doesn't require GetBucketLocation.
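As an added example (not part of the answer or the comments above), a small Python parser that pulls the denied operation, Request ID and Extended Request ID (the host id field) out of S3 server access log lines, which is the check the answer recommends. It runs over constructed sample lines that mirror the GetBucketLocation denial described in the last comment; field positions follow the documented S3 server access log format, and all IDs, ARNs and bucket names are made up.

```python
import re
from dataclasses import dataclass
from typing import List

# One token per log field: a [bracketed] timestamp, a "quoted" string, or a bare word.
_TOKEN = re.compile(r'\[[^\]]*\]|"(?:[^"\\]|\\.)*"|\S+')

# Field positions in the S3 server access log format (0-based).
_F_REQUESTER, _F_REQUEST_ID, _F_OPERATION, _F_KEY = 4, 5, 6, 7
_F_STATUS, _F_ERROR, _F_HOST_ID = 9, 10, 18  # host id = x-amz-id-2, the Extended Request ID


@dataclass
class DeniedRequest:
    requester: str
    operation: str
    key: str
    request_id: str
    extended_request_id: str


def parse_fields(line: str) -> List[str]:
    """Split one log line into fields, keeping bracketed and quoted groups intact."""
    return _TOKEN.findall(line)


def find_access_denied(log_text: str) -> List[DeniedRequest]:
    """Return every request that S3 rejected with HTTP 403 / AccessDenied."""
    denied = []
    for line in log_text.splitlines():
        f = parse_fields(line)
        if len(f) <= _F_HOST_ID:
            continue  # blank or truncated line
        if f[_F_STATUS] == "403" or f[_F_ERROR] == "AccessDenied":
            denied.append(DeniedRequest(f[_F_REQUESTER], f[_F_OPERATION], f[_F_KEY],
                                        f[_F_REQUEST_ID], f[_F_HOST_ID]))
    return denied


# Constructed sample lines (not real log data): ListBucket succeeds, GetBucketLocation
# is denied, GetObject for the env file succeeds. All identifiers are placeholders.
SAMPLE_LOG = """\
OWNERIDEXAMPLE example-env-bucket [01/Jan/2024:12:00:00 +0000] 10.0.1.23 arn:aws:sts::111122223333:assumed-role/ecsTaskExecutionRole/EXAMPLE REQID0001EXAMPLE REST.GET.BUCKET - "GET /example-env-bucket?list-type=2&prefix=app/ HTTP/1.1" 200 - 512 - 9 8 "-" "aws-sdk-go/1.44 (ecs-agent)" - HOSTID0001EXAMPLE= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader example-env-bucket.s3.us-east-1.amazonaws.com TLSv1.2 - -
OWNERIDEXAMPLE example-env-bucket [01/Jan/2024:12:00:01 +0000] 10.0.1.23 arn:aws:sts::111122223333:assumed-role/ecsTaskExecutionRole/EXAMPLE REQID0002EXAMPLE REST.GET.LOCATION - "GET /example-env-bucket?location HTTP/1.1" 403 AccessDenied 243 - 11 - "-" "aws-sdk-go/1.44 (ecs-agent)" - HOSTID0002EXAMPLE= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader example-env-bucket.s3.us-east-1.amazonaws.com TLSv1.2 - -
OWNERIDEXAMPLE example-env-bucket [01/Jan/2024:12:00:02 +0000] 10.0.1.23 arn:aws:sts::111122223333:assumed-role/ecsTaskExecutionRole/EXAMPLE REQID0003EXAMPLE REST.GET.OBJECT app/prod.env "GET /example-env-bucket/app/prod.env HTTP/1.1" 200 - 1024 1024 14 12 "-" "aws-sdk-go/1.44 (ecs-agent)" - HOSTID0003EXAMPLE= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader example-env-bucket.s3.us-east-1.amazonaws.com TLSv1.2 - -
"""

if __name__ == "__main__":
    for d in find_access_denied(SAMPLE_LOG):
        print(f"{d.operation} on {d.key} by {d.requester}: "
              f"request-id={d.request_id} extended-id={d.extended_request_id}")
```

The operation name (here REST.GET.LOCATION) tells you which IAM action to add, and the two IDs are what AWS Support asks for if the policy checks in the answer do not explain the denial.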