EC2 role-based access to S3 denied

0

I have an EC2 server deploy that has a deploy-server-profile that contains a deploy-server-role. My deploy-server-role has an attached managed policy all-servers that contains 2 rules:

          - Effect: "Allow"
            Action:
              - "s3:GetObject"
            Resource:
              - "arn:aws:s3:::my-app-builds/infrastructure/master/cloud-init"
          - Effect: "Allow"
            Action:
              - "s3:ListBucket"
            Resource:
              - "arn:aws:s3:::my-app-builds"

On the server, I made sure AWS CLI is running with the role

ubuntu@ip-10-63-1-114:~$ aws sts get-caller-identity | jq .Arn
"arn:aws:sts::<my_aws_account>:assumed-role/deploy-server-role/<instance_id>"

And I verified that I could list the bucket

ubuntu@ip-10-63-1-114:~$ aws s3 ls s3://my-app-builds
                           PRE infrastructure/

But I could not download the cloud-init file

ubuntu@ip-10-63-1-114:~$ aws s3api get-object --bucket my-app-builds --key infrastructure/master/cloud-init /tmp/cloud-init.sh

An error occurred (AccessDenied) when calling the GetObject operation: Access Denied

1 Answer
2
Accepted Answer

Never mind, I found out that the object was put there without --acl bucket-owner-full-control, so my account never had the permission to delegate in the first place.

answered 2 years ago
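The accepted answer points at the cross-account ACL trap: an object written into your bucket by another account is owned by that account, and if the uploader did not grant `bucket-owner-full-control`, no IAM policy in the bucket owner's account can hand out a permission the account never received. The following added example (not part of the original question or answer) shows how to read the result of `aws s3api get-object-acl` to confirm that diagnosis, and builds the bucket policy AWS documents for forcing uploaders to set that ACL. The ACL documents and the canonical user IDs are constructed sample data; `my-app-builds` is the bucket from the question.

```python
import json

# Constructed sample: the kind of document `aws s3api get-object-acl` returns
# for an object another account uploaded WITHOUT --acl bucket-owner-full-control.
# The uploader is the object owner and the only grantee; the bucket owner
# does not appear, so GetObject via the bucket owner's IAM role is denied
# no matter what the identity policy allows.
UPLOADER_ID = "a" * 64       # hypothetical canonical ID of the uploading account
BUCKET_OWNER_ID = "b" * 64   # hypothetical canonical ID of the bucket-owning account

SAMPLE_ACL_MISSING_OWNER = {
    "Owner": {"ID": UPLOADER_ID},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": UPLOADER_ID},
         "Permission": "FULL_CONTROL"},
    ],
}

# The same object after the uploader runs
#   aws s3api put-object-acl --bucket my-app-builds \
#       --key infrastructure/master/cloud-init --acl bucket-owner-full-control
# (or re-uploads with that ACL): the bucket owner is now a grantee as well.
SAMPLE_ACL_FIXED = {
    "Owner": {"ID": UPLOADER_ID},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": UPLOADER_ID},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "CanonicalUser", "ID": BUCKET_OWNER_ID},
         "Permission": "FULL_CONTROL"},
    ],
}


def bucket_owner_can_read(acl: dict, bucket_owner_id: str) -> bool:
    """True if the bucket owner's canonical ID holds READ or FULL_CONTROL on the object.

    READ is sufficient for GetObject; FULL_CONTROL includes it. This matters only
    while ACLs are enabled on the bucket (Object Ownership = ObjectWriter or
    BucketOwnerPreferred); with BucketOwnerEnforced the bucket owner owns every
    object and ACLs are ignored.
    """
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "CanonicalUser" and grantee.get("ID") == bucket_owner_id:
            if grant.get("Permission") in ("READ", "FULL_CONTROL"):
                return True
    return False


def diagnose(acl: dict, bucket_owner_id: str) -> str:
    """Explain why an IAM Allow on s3:GetObject can still end in AccessDenied."""
    if acl["Owner"]["ID"] == bucket_owner_id:
        return "owned-by-bucket-owner"          # IAM and bucket policy decide access
    if bucket_owner_can_read(acl, bucket_owner_id):
        return "cross-account-with-owner-grant"  # ACL delegated access to bucket owner
    return "cross-account-no-owner-grant"        # the situation in the question


def require_bucket_owner_full_control_policy(bucket: str) -> dict:
    """Bucket policy that rejects any PutObject not carrying
    x-amz-acl: bucket-owner-full-control, so the problem cannot recur.

    StringNotEquals also matches when the header is absent, so uploads that
    set no ACL at all are denied too. Relevant only while ACLs are enabled.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "RequireBucketOwnerFullControl",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {
                "StringNotEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}
            },
        }],
    }


if __name__ == "__main__":
    for name, acl in (("before", SAMPLE_ACL_MISSING_OWNER), ("after", SAMPLE_ACL_FIXED)):
        print(name, diagnose(acl, BUCKET_OWNER_ID))
    print(json.dumps(require_bucket_owner_full_control_policy("my-app-builds"), indent=2))
```

To reproduce the check against a real bucket, feed `aws s3api get-object-acl --bucket my-app-builds --key infrastructure/master/cloud-init` into `diagnose` with your account's canonical ID (`aws s3api list-buckets` prints it under `Owner.ID`). The `put-object-acl` fix has to be run by the object owner, i.e. the uploading account, since the bucket owner cannot change an ACL it has no rights on. The longer-term fix is to turn ACLs off entirely with `aws s3api put-bucket-ownership-controls --bucket my-app-builds --ownership-controls 'Rules=[{ObjectOwnership=BucketOwnerEnforced}]'`, after which every object is owned by the bucket owner and cross-account uploaders are governed by the bucket policy alone.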
