To use the role you have attached to your AppStream 2.0 fleet instances, you must use the profile name "appstream_machine_role" in your API calls. Are you calling this credential profile with your commands?
See the admin guide for examples: https://docs.aws.amazon.com/appstream2/latest/developerguide/how-to-use-iam-role-with-streaming-instances.html
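As an added example (not code from the answer above or from the AppStream 2.0 documentation), this is how the download looks when run on the image builder or fleet instance with the `appstream_machine_role` profile, preceded by a caller-identity check so you can confirm which role the profile actually resolves to before blaming the bucket policy. The bucket name, key, local path and module name are assumed placeholders.

```powershell
# Added example: download an object from an AppStream 2.0 instance using the
# appstream_machine_role credential profile that AppStream provisions on the box.
# Placeholders (assumed, not from the original post): bucket, key, destination.
$Profile = 'appstream_machine_role'
$Bucket  = 'example-bucket'          # placeholder
$Key     = 'installers/setup.msi'    # placeholder
$Dest    = 'C:\temp\setup.msi'       # placeholder

# Assumes AWS Tools for PowerShell is installed on the image builder.
Import-Module AWS.Tools.SecurityToken
Import-Module AWS.Tools.S3

# Confirm which identity the profile resolves to. If this ARN is not the role
# you attached to the fleet or image builder, the request is denied no matter
# how the bucket policy is written.
$who = Get-STSCallerIdentity -ProfileName $Profile
Write-Host "Calling S3 as: $($who.Arn)"

try {
    # -ProfileName selects the machine-role credentials; without it the cmdlet
    # falls back to whatever default credentials exist on the instance.
    Read-S3Object -BucketName $Bucket -Key $Key -File $Dest -ProfileName $Profile | Out-Null
    Write-Host "Downloaded s3://$Bucket/$Key to $Dest"
} catch {
    # Surface the S3 error (e.g. AccessDenied) instead of a generic failure so
    # the denial can be matched against CloudTrail or S3 server access logs.
    Write-Error ("Read-S3Object failed: {0}" -f $_.Exception.Message)
}
```

If `Get-STSCallerIdentity` returns an ARN other than the fleet's role, fix the profile or the fleet's IAM role attachment first; only once the caller is correct does the bucket side of the problem become worth investigating.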
The "Access Denied" error you're encountering when trying to use Read-S3Object in your AppStream 2.0 image builder could be due to several factors, even though you've taken some important steps. Here are some additional areas to check and potential solutions:
- Bucket Policy: Ensure that your S3 bucket has a bucket policy that explicitly allows the AppStream 2.0 service principal to access and download objects. The policy should grant the "s3:GetObject" permission for the specific objects you're trying to access.
- VPC Endpoints: If you're using a VPC for your AppStream 2.0 fleet, you may need to set up and configure a VPC endpoint for S3. This allows AppStream 2.0 to access your S3 bucket through the private network. You'll need to attach a custom policy to your VPC endpoint for Amazon S3 to enable this access.
- Object ACLs: Check the Access Control List (ACL) settings for the specific objects you're trying to download. Even if the bucket permissions are set correctly, individual object ACLs could be restricting access.
- Encryption: If the objects in your S3 bucket are encrypted, ensure that your IAM role has the necessary permissions to decrypt them.
- IAM Role Trust Relationship: Verify that the trust relationship of your IAM role allows the AppStream 2.0 service to assume the role.
- Cross-Account Access: If the S3 bucket is in a different AWS account than your AppStream 2.0 resources, ensure that you've set up the necessary cross-account permissions.
- Service Control Policies: If your organization uses AWS Organizations, check for any Service Control Policies (SCPs) that might be restricting S3 access.
If you've confirmed all these settings and are still encountering issues, you may want to temporarily enable S3 bucket logging to get more detailed information about the access attempts and denials. This can help pinpoint the exact cause of the "Access Denied" error.
Sources
- Amazon S3 Bucket Permissions - Amazon AppStream 2.0
- Error opening image in s3 bucket | AWS re:Post
- Using Amazon S3 VPC Endpoints for AppStream 2.0 Features - Amazon AppStream 2.0
- Troubleshoot 403 Access Denied error in Amazon S3 | AWS re:Post
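The checklist in the answer above (trust relationship, bucket policy, object encryption) can be worked through from an administrator workstation rather than by trial and error on the image builder. The script below is an added example, not part of the answer or of any AWS documentation; it assumes a workstation profile with `iam:GetRole`, `s3:GetBucketPolicy` and `s3:GetObject` on the bucket, and the role name, bucket and key are placeholders.

```powershell
# Added example: pre-flight the AppStream machine role against an S3 object.
# Placeholders (assumed): role name, bucket, key, admin profile name.
$RoleName     = 'AppStreamMachineRole'   # placeholder: role attached to the fleet/image builder
$Bucket       = 'example-bucket'         # placeholder
$Key          = 'installers/setup.msi'   # placeholder
$AdminProfile = 'admin'                  # placeholder: workstation credentials, not the machine role

Import-Module AWS.Tools.IdentityManagement
Import-Module AWS.Tools.S3

# 1. Trust relationship: AppStream can only use the role if appstream.amazonaws.com
#    is allowed to assume it. Get-IAMRole returns the trust document URL-encoded.
$role  = Get-IAMRole -RoleName $RoleName -ProfileName $AdminProfile
$trust = [uri]::UnescapeDataString($role.AssumeRolePolicyDocument) | ConvertFrom-Json
$trustedServices = @($trust.Statement | ForEach-Object { $_.Principal.Service })
if ($trustedServices -notcontains 'appstream.amazonaws.com') {
    Write-Warning "Trust policy of $RoleName does not allow appstream.amazonaws.com to assume it"
} else {
    Write-Host "Trust policy OK: appstream.amazonaws.com may assume $RoleName"
}

# 2. Bucket policy: an explicit Deny wins over any Allow, so list Deny statements
#    first, then check that at least one Allow grants s3:GetObject to this role.
try {
    $policy = Get-S3BucketPolicy -BucketName $Bucket -ProfileName $AdminProfile | ConvertFrom-Json
    $allowsGet = $false
    foreach ($s in $policy.Statement) {
        $actions    = @($s.Action)
        $principals = @($s.Principal.AWS)
        if ($s.Effect -eq 'Deny') {
            Write-Warning "Explicit Deny in statement '$($s.Sid)': $($actions -join ', ')"
        } elseif (($actions -contains 's3:GetObject' -or $actions -contains 's3:*') -and
                  ($principals -contains $role.Arn -or $principals -contains '*')) {
            $allowsGet = $true
        }
    }
    if (-not $allowsGet) {
        Write-Warning "No bucket policy statement grants s3:GetObject to $($role.Arn)"
    }
} catch {
    # No bucket policy at all means access relies solely on the role's identity
    # policy (same account) or fails outright (cross-account).
    Write-Warning "Could not read bucket policy for ${Bucket}: $($_.Exception.Message)"
}

# 3. Encryption: SSE-KMS objects additionally require kms:Decrypt on the key,
#    which an s3:GetObject-only policy does not provide.
$meta = Get-S3ObjectMetadata -BucketName $Bucket -Key $Key -ProfileName $AdminProfile
if ("$($meta.ServerSideEncryptionMethod)" -eq 'aws:kms') {
    $kmsKey = $meta.ServerSideEncryptionKeyManagementServiceKeyId
    Write-Host "Object is SSE-KMS encrypted with key $kmsKey; $RoleName needs kms:Decrypt on that key"
} else {
    Write-Host "Object encryption: $($meta.ServerSideEncryptionMethod) (no extra KMS grant needed)"
}
```

The script stops short of the VPC endpoint policy and SCP checks, which need the endpoint ID and AWS Organizations access respectively; if the three checks above pass and the download is still denied, those two and the S3 server access logs are where to look next.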