SSM Automation - Download file from S3 - Assume Role
I am trying to figure out how to download file(s) from S3, using an SSM Automation document. Note, this is not a "Command" document type, as I need to use Assume Role. The instances themselves shouldn't have access to the bucket by default, which is why I need the Assume Role bit. DownloadContent with a "Command" document type requires the instance to have the IAM policies/roles attached that can read the bucket.
Is there a way to do this without having the iam policy on each instance being modified/have access to the bucket?
With the information provided the easiest way I would find to do this is to first create a role with a policy that allows access to the bucket, then assign the role through the sts:AssumeRole action on the instance profile.
This should allow the instance to assume the role and have access to the bucket both manually and/or automating through SSM.
Relevant questions
AWS S3 tar.gz compressed files issue after download from S3
asked 5 years agoCan't download file from S3 bucket in another account
asked 2 years agoBatch download files from multiple different folders in the same S3 bucket
asked 3 months agoS3 download large files (.Net)
asked 5 months agoRunning an automation document starting from a specific step?
Accepted Answerasked 4 months agoSSM Automation Run Command longer than default 3600 seconds
asked 5 years agoSSM Automation - Download file from S3 - Assume Role
asked 2 months agoDownload an object from S3 in a run document
asked 3 years agoHow to Download any file from s3 using the pyspark kernel in emr notebook ?
asked 2 years agoAWS Trigger Automation from CloudWatch scheduled event
asked 3 years ago
Ya, trying to do this without putting permissions on an instance I don't want them to normally have. Really prefer to do this just through SSM's assume role.