SSM Automation - Download file from S3 - Assume Role


I am trying to figure out how to download file(s) from S3, using an SSM Automation document. Note, this is not a "Command" document type, as I need to use Assume Role. The instances themselves shouldn't have access to the bucket by default, which is why I need the Assume Role bit. DownloadContent with a "Command" document type requires the instance to have the IAM policies/roles attached that can read the bucket.

Is there a way to do this without having the IAM policy on each instance being modified/have access to the bucket?

1 Answer

With the information provided, the easiest way I would find to do this is to first create a role with a policy that allows access to the bucket, then assign the role through the sts:AssumeRole action on the instance profile.

This should allow the instance to assume the role and have access to the bucket both manually and/or automating through SSM.

answered 6 months ago
  • Ya, trying to do this without putting permissions on an instance I don't want them to normally have. Really prefer to do this just through SSM's assume role.
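
The two-role setup the answer describes can be checked for over-broad grants before it is deployed. The following is an added example, not part of the original answer: a Python lint over the instance role's identity policy and the download role's trust policy. The account ID and role names are constructed placeholders, and the action matching is simplified.

```python
import fnmatch

# Constructed sample values: the account ID and role names are placeholders.
DOWNLOAD_ROLE = "arn:aws:iam::111122223333:role/S3DownloadRole"
INSTANCE_ROLE = "arn:aws:iam::111122223333:role/InstanceProfileRole"

# Trust policy on the download role: only the instance role may assume it.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": INSTANCE_ROLE},
    "Action": "sts:AssumeRole"}]}

# Identity policy on the instance role: assume the download role, no S3 actions.
INSTANCE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": DOWNLOAD_ROLE}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _allowed_resources(policy, action):
    """Resources of Allow statements matching `action` (no Deny/NotAction/Condition)."""
    found = []
    for stmt in _as_list(policy["Statement"]):
        patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if stmt.get("Effect") == "Allow" and any(
                fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            found += _as_list(stmt.get("Resource", "*"))
    return found


def audit(instance_policy, trust_policy, download_role, instance_role):
    """Return findings where the setup grants more than the two-role design needs."""
    findings = []
    if _allowed_resources(instance_policy, "s3:GetObject"):
        findings.append("instance role can read S3 directly")
    if _allowed_resources(instance_policy, "sts:AssumeRole") != [download_role]:
        findings.append("sts:AssumeRole is not scoped to the download role only")
    principals = []
    for stmt in _as_list(trust_policy["Statement"]):
        who = stmt.get("Principal")
        if stmt.get("Effect") == "Allow":
            principals += _as_list(who.get("AWS", [])) if isinstance(who, dict) else [who]
    if principals != [instance_role]:
        findings.append("trust policy admits principals other than the instance role")
    return findings


print(audit(INSTANCE_POLICY, TRUST_POLICY, DOWNLOAD_ROLE, INSTANCE_ROLE))
```

An empty list means the instance role holds no direct S3 read permission and can only reach the bucket by assuming the download role.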