Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

Powershell script works on one EC2 instance but not another

0

I have a simple Powershell script to upload a file to S3. I have 2 EC2 instances that use the same IAM profile. The instances and S3 bucket all live in the same AWS account.

RDP into one instance, open Powershell prompt as admin, and the script works. RDP to the other instance, open Powershell prompt as admin, and the script fails with: Write-S3Object : Access Denied

To check networking/routing, both instances can open a browser and surf the web. I assume the credentials used are the role assigned to the instances.

If it matters, this is the ps1 script (access point obfuscated) $ArtifactFile = "c:\temp\junk1.txt" $S3BucketAP = "arn:aws:s3:us-east-1:1234567890:accesspoint/my-s3-ap" $Key = "Junk3\junk1.txt" Write-S3Object -BucketName $S3BucketAP -Key $Key -File $ArtifactFile

Where else can I look to debug?

Topics
ComputeStorageSecurity, Identity, & Compliance
Tags
Amazon EC2AWS Identity and Access ManagementAWS Tools for Windows PowerShellAmazon Simple Storage Service
Language
English
asked 3 years ago701 views
3 Answers
0
Accepted Answer

On reddit someone suggested I look at environment vars, which got me thinking to check for any profiles. When I dumped the credentials it showed "NetSDKCredentialsFile"

Get-AWSCredential -ListProfileDetail

ProfileName StoreTypeName         ProfileLocation
----------- -------------         ---------------
For_Move    NetSDKCredentialsFile
default     NetSDKCredentialsFile

I found the file here and deleted it: %userprofile%\AppData\Local\AWSToolkit\RegisteredAccounts.json

Everything works as expected now. Must have got installed by accident.

answered 3 years ago
0

I went ahead and swapped to use forward slashes.
Rebooted the instance that is not working and it still doesn't work.
I've run out of things to test. I don't want to create an IAM user with secret key and have to use that but I suppose that is the next step.

answered 3 years ago
  • Brettski-AWS EXPERT
    3 years ago

    No, don't do that - that's definitely an anti-pattern and it leaves you rotating credentials. Not a good idea. The whole point of an instance role is that you don't have to do that. Have you tried copying a file to the same bucket using the AWS CLI? I'm trying to eliminate things to get to the bottom of this.

0

I'm wondering whether the issue here is with the backslash in the key name (Junk3\junk1.txt) and whether you need to escape that (if you want to use a backslash) or whether it's better to use a forward slash (/). That doesn't explain why it behaves differently on the two EC2 instances though.

AWS
EXPERT
answered 3 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content