Questions tagged with Amazon Simple Storage Service

How to download S3 file to Windows 2022 EC2 instance with CloudFormation Init? Getting Access Denied error.

I'm trying to download a file from an S3 bucket onto an EC2 Windows server. I've set up the IAM role, policy, and profile. In the CloudFormation::Init section of the server, I have different configSets and one of them is downloading a file from the bucket.

```
--- Some items not shown ---
"Parameters": {
  "S3BucketName": {
    "Description": "The name of an existing S3 bucket that the server needs to access.",
    "Type": "String",
    "Default": "ccw-to-rds-poc-1"
  },
--- Some parameters not shown ---
"InstanceRole": {
  "Type": "AWS::IAM::Role",
  "Properties": {
    "AssumeRolePolicyDocument": {
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": { "Service": [ "ec2.amazonaws.com" ] },
          "Action": [ "sts:AssumeRole" ]
        }
      ]
    },
    "Path": "/"
  }
},
"RolePolicies": {
  "Type": "AWS::IAM::Policy",
  "Properties": {
    "PolicyName": "S3Download",
    "PolicyDocument": {
      "Statement": [
        {
          "Action": [ "s3:GetObject" ],
          "Effect": "Allow",
          "Resource": {"Fn::Join": ["", ["arn:aws:s3:::", {"Ref": "S3BucketName"}]]}
        }
      ]
    },
    "Roles": [ { "Ref": "InstanceRole" } ]
  }
},
"InstanceProfile": {
  "Type": "AWS::IAM::InstanceProfile",
  "Properties": {
    "Path": "/",
    "Roles": [ { "Ref": "InstanceRole" } ]
  }
},
"myAppServer": {
  "Type": "AWS::EC2::Instance",
  "Metadata": {
    "AWS::CloudFormation::Authentication": {
      "S3AccessCreds": {
        "type": "S3",
        "roleName": { "Ref": "InstanceRole" },
        "buckets": [{"Ref": "S3BucketName"}]
      }
    },
    "AWS::CloudFormation::Init": {
      "configSets": {
        "downloadS3Data": ["downloadS3"],
        "Full": [{"ConfigSet": "downloadS3Data"}, "fullServer"],
        "default": [ {"ConfigSet": "Full"}],
        "App": [{"ConfigSet": "downloadS3Data"}, "appServer"],
        "Interface": [{"ConfigSet": "downloadS3Data"}, "interfaceServer"],
        "Notification": [{"ConfigSet": "downloadS3Data"}, "notificationServer"]
      },
      "downloadS3": {
        "files": {
          "C:\\Users\\Administrator\\Documents\\s3download.bak": {
            "source": "https://ccw-to-rds-poc-1.s3.us-east-2.amazonaws.com/test.txt",
            "authentication": "S3AccessCreds"
          }
        }
      },
      "fullServer": {
        "commands": {
          "test": {
            "command": "echo \"$MAGIC\"",
            "env": {"MAGIC": "I am from the full server env"},
            "cwd": "C:\\Users\\Administrator\\Desktop"
          }
        }
      },
      --- Some config sets not shown ---
    }
  },
  "Properties": {
    "IamInstanceProfile": { "Ref": "InstanceProfile" },
    "ImageId": "ami-012bb86d0081c5240",
    "InstanceType": "t2.small",
    "KeyName": {"Ref": "keypair"},
    "SecurityGroupIds": ["sg-0d0b50ca1774707b7"],
    "UserData": {
      "Fn::Base64": {
        "Fn::Join": [
          "",
          [
            "<powershell>\n",
            "cfn-init.exe -v -s ", {"Ref" : "AWS::StackId"},
            " -r YourInstance -c ", {"Ref": "CCWServerType"},
            " --region ", {"Ref" : "AWS::Region"}, "\n",
            "</powershell>\n",
            "<persist>true</persist>"
          ]
        ]
      }
    }
  }
}
```

When the server runs `"cfn-init.exe -v -s ", {"Ref" : "AWS::StackId"}, " -r YourInstance -c ", {"Ref": "CCWServerType"} , " --region ", {"Ref" : "AWS::Region"}, "\n",`, it creates the `s3download.bak`, but it is empty and gives an Access Denied (HTTP Error 403). Is there something I'm not doing correctly with the IAM configurations that is causing this?

EDIT: I thought that because I am accessing the entire bucket and not just a specific item, like mentioned in [this article](https://aws.amazon.com/blogs/devops/authenticated-file-downloads-with-cloudformation/), that might be the issue. However, after trying `"Action":["s3:*Object"]` and `"Action":["s3.Get*"]`, I still get the same access denied error.
2 answers, 0 votes, 55 views, asked 2 months ago

Migrate resources to another account

Hello, on account A I hosted some resources that belong to account B that I want to migrate as inventory on account A. I have the following resources:

```
a hosted zone for domain A
a hosted zone for domain B
many ec2 instances for domain A
1 x ec2 instance for domain B (for CRM)
a static website for domain B in a S3 bucket
a website that belongs to domain B but hosted on a server that belongs to domain A
```

My idea was to start with the hosted zone:

1. recreate hosted zone for domain B on account B and copy records from account A to account B
2. modify DNS to use this new zone

For the static website:

1. copy S3 bucket, enable public access and publish to CloudFront with SSL
2. modify DNS on account A and B to use this new resource

For the ec2 website:

1. on account A, create an AMI of the webserver and share it with account B
2. on account B, deploy ec2 from AMI
3. copy data on this new instance
4. modify DNS on account A and B to use this new resource

And finally for the CRM server:

1. on account A, stop CRM server
2. on account A, create an AMI of the CRM server and share it with account B
3. on account B, deploy server from AMI
4. start server
5. modify DNS on account A and B to use this new resource

Things look easy, but I'm stuck with the newly created hosted zone because I cannot create an A alias record on account B that uses AWS resources which are still on account A at the moment, so I'm not sure what I have to do. Maybe I should start by migrating the ec2 instances and static website, but I could be in trouble when I modify DNS to use the hosted zone in account B. I'd like to avoid a loss of connection as much as possible. What should I do?
1 answer, 0 votes, 50 views, asked 2 months ago