PowerShell script works on one EC2 instance but not another

0

I have a simple PowerShell script to upload a file to S3. I have 2 EC2 instances that use the same IAM profile. The instances and S3 bucket all live in the same AWS account.

RDP into one instance, open PowerShell prompt as admin, and the script works. RDP to the other instance, open PowerShell prompt as admin, and the script fails with: Write-S3Object : Access Denied

To check networking/routing, both instances can open a browser and surf the web. I assume the credentials used are the role assigned to the instances.

If it matters, this is the ps1 script (access point obfuscated):

$ArtifactFile = "c:\temp\junk1.txt"
$S3BucketAP = "arn:aws:s3:us-east-1:1234567890:accesspoint/my-s3-ap"
$Key = "Junk3\junk1.txt"
Write-S3Object -BucketName $S3BucketAP -Key $Key -File $ArtifactFile

Where else can I look to debug?

3 Answers
0
Accepted Answer

On Reddit someone suggested I look at environment vars, which got me thinking to check for any profiles. When I dumped the credentials it showed "NetSDKCredentialsFile"

Get-AWSCredential -ListProfileDetail

ProfileName StoreTypeName         ProfileLocation
----------- -------------         ---------------
For_Move    NetSDKCredentialsFile
default     NetSDKCredentialsFile

I found the file here and deleted it: %userprofile%\AppData\Local\AWSToolkit\RegisteredAccounts.json

Everything works as expected now. Must have got installed by accident.

answered a year ago
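
The check described in this answer, as an added example that is not part of the original post: it lists stored profiles and credential environment variables, then compares the identity the AWS Tools for PowerShell actually resolve with the role attached to the instance. It assumes IMDSv2 is reachable from the instance and that the STS cmdlets are installed; the variable names are illustrative.

```powershell
# Added example (not from the original post): which credentials win on this box?
# Requires AWS Tools for PowerShell (Get-AWSCredential, Get-STSCallerIdentity).

# 1. Stored profiles. A profile named "default" is picked up before the
#    instance role, which is the situation the accepted answer describes.
$profiles = @(Get-AWSCredential -ListProfileDetail)
$profiles | Format-Table ProfileName, StoreTypeName, ProfileLocation

# 2. Credential-related environment variables set in this session.
$envNames = 'AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY', 'AWS_SESSION_TOKEN', 'AWS_PROFILE'
$envSet = @($envNames | Where-Object { Test-Path "Env:$_" })
if ($envSet.Count -gt 0) { Write-Warning "Environment overrides present: $($envSet -join ', ')" }

# 3. Name of the role attached to the instance, read from IMDSv2.
$imds  = 'http://169.254.169.254/latest'
$token = Invoke-RestMethod -Method Put -Uri "$imds/api/token" `
    -Headers @{ 'X-aws-ec2-metadata-token-ttl-seconds' = '60' }
$roleName = (Invoke-RestMethod -Uri "$imds/meta-data/iam/security-credentials/" `
    -Headers @{ 'X-aws-ec2-metadata-token' = $token }).Trim()

# 4. Identity the tools resolve when no -ProfileName or -Credential is given.
try {
    $caller = Get-STSCallerIdentity
} catch {
    Write-Warning "Resolved credentials were rejected by STS: $($_.Exception.Message)"
    $caller = $null
}

# Instance-role sessions have ARNs of the form
#   arn:aws:sts::<account>:assumed-role/<role name>/<instance id>
if ($caller -and $caller.Arn -like "*:assumed-role/$roleName/*") {
    Write-Host "OK: calls are made as the instance role '$roleName'."
} else {
    Write-Warning "Calls are NOT made as the instance role '$roleName'."
    if ($caller) { Write-Warning "Effective identity: $($caller.Arn)" }
    $profiles | Where-Object ProfileName -eq 'default' | ForEach-Object {
        Write-Warning "Stored 'default' profile found in $($_.StoreTypeName)."
    }
}
```

Running this on both instances shows whether they resolve to the same identity, which distinguishes a local credential override from a bucket or access point policy problem.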
0

I went ahead and swapped to use forward slashes.
Rebooted the instance that is not working and it still doesn't work.
I've run out of things to test. I don't want to create an IAM user with secret key and have to use that but I suppose that is the next step.

answered a year ago
  • No, don't do that - that's definitely an anti-pattern and it leaves you rotating credentials. Not a good idea. The whole point of an instance role is that you don't have to do that. Have you tried copying a file to the same bucket using the AWS CLI? I'm trying to eliminate things to get to the bottom of this.

0

I'm wondering whether the issue here is with the backslash in the key name (Junk3\junk1.txt) and whether you need to escape that (if you want to use a backslash) or whether it's better to use a forward slash (/). That doesn't explain why it behaves differently on the two EC2 instances though.

AWS
EXPERT
answered a year ago
