Trying to follow AWS CLI documentation for EC2 Instance to access S3 Bucket

0

Attempting to follow the AWS CLI documentation, the following works:

    aws s3 ls s3://mybucketname

with the following specified in the config file:

    [default]
    region = us-east-1
    credential_source = Ec2InstanceMetadata

I've set up a Role and policy and attached that to the instance.

However, if I add the following, which the documentation specifies (https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html):

    [default]
    role_arn = arn:aws:iam::12345:role/myrolename
    region = us-east-1
    credential_source = Ec2InstanceMetadata

then

    aws s3 ls s3://mybucketname

fails with:

    An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::123456:assumed-role/myrolename/i-12345 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::123456:role/myrolename

Why do I care that this syntax doesn't work, but the first one does? I'm using the CLI to model some product behavior where I need to specify a Role to access a bucket. I figured this should work first.

BIGBMN
asked 8 months ago, 249 views
2 answers
0

Hello Bigbmn,

Firstly, when you use the AWS CLI, and you've specified the role ARN in the configuration file as you've done, AWS CLI will try to assume that role when executing commands. This essentially means the CLI is requesting temporary credentials for that role to perform actions.

Your error indicates that there's an issue with the permissions associated with assuming that role.

Possible Solution: Adjust the trust relationship of the role. Here's a generic example of what it might look like:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

This is a basic trust policy that allows EC2 instances to assume the role. Depending on your architecture, you might want to narrow down which entities (e.g., specific EC2 roles) can assume this role.

After making adjustments, try the AWS CLI command again. If the issue persists, you might want to verify permissions and trust relationships in the AWS Management Console.

answered 8 months ago
Expert reviewed 7 days ago
  • Thanks for the response. The role I'm specifying in the config file does have that exact Trust relationship.

  • So based on the error I was getting, I needed to adjust the Trusted entities to include the Role, not just the EC2 instances, as follows:

        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "Service": "ec2.amazonaws.com",
                "AWS": "arn:aws:iam::123456:role/myrole"
              },
              "Action": [
                "sts:AssumeRole"
              ]
            }
          ]
        }

    Which is somewhat confusing to me. The config file worked if I just had credential_source = Ec2InstanceMetadata.

    It originally failed when I added the role_arn to the config file, but then worked when I added that role to the Trust.

    I'm only going down this path as I want to use software whose goal is to work with Role Based access.

0

Hi, for the error "User: arn:aws:sts::123456:assumed-role/myrolename/i-12345 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::123456:role/myrolename", it indicates that the assumed role session (arn:aws:sts::123456:assumed-role/myrolename/i-12345) tries to assume the role myrolename again. When the IAM role myrolename is attached to an EC2 instance, by default the AWS CLI will be able to use that role to perform actions such as S3 operations, so there is no need to reconfigure the AWS CLI to assume the same IAM role.

AWS
Feng_C
answered 8 months ago
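The two answers above describe the same failure from two sides: the trust policy of the role named in role_arn must name the caller as a principal, and when role_arn is the role the instance already holds, the extra AssumeRole hop is redundant. The following diagnostic is an added example written for this page; it is not code from the asker, the answerers or AWS. It parses an AWS CLI config profile and a trust policy supplied as text (nothing here calls AWS), and classifies the profile against the role the instance carries. All inputs are constructed samples; the account id 123456 and the role name myrolename are the placeholders used in the thread's error message.

```python
"""Diagnose the role_arn + Ec2InstanceMetadata failure discussed in the thread.

Every input below is a constructed sample; nothing contacts AWS.
"""
import configparser
import json

# Constructed: the profile from the question that fails. role_arn names the
# same role the instance profile already carries.
SAMPLE_CONFIG = """\
[default]
role_arn = arn:aws:iam::123456:role/myrolename
region = us-east-1
credential_source = Ec2InstanceMetadata
"""

# Constructed: the generic trust policy from the first answer. It lets the EC2
# service hand the role to the instance, but names no IAM principal that could
# call sts:AssumeRole itself.
EC2_ONLY_TRUST = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
})

# Constructed: the asker's eventual fix, with the role ARN added as a principal.
SELF_TRUST = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {
            "Service": "ec2.amazonaws.com",
            "AWS": "arn:aws:iam::123456:role/myrolename",
        },
        "Action": ["sts:AssumeRole"],
    }],
})

# Constructed: the role attached to the instance, as seen in the error message.
INSTANCE_ROLE_ARN = "arn:aws:iam::123456:role/myrolename"


def profile_settings(config_text, profile="default"):
    """Return one profile of an AWS CLI config file as a dict (keys lowercased)."""
    # Only '=' separates keys from values; ARNs contain ':' so it must not.
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.read_string(config_text)
    # Non-default profiles live in sections named "profile <name>".
    section = profile if profile == "default" else f"profile {profile}"
    return dict(parser[section]) if parser.has_section(section) else {}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def trust_allows(trust_policy_text, caller_role_arn):
    """True if an Allow statement grants sts:AssumeRole to caller_role_arn.

    Accepts the role ARN itself, the account root, or "*". Service principals
    (ec2.amazonaws.com) are deliberately not counted: they cover the instance
    profile, not a caller invoking AssumeRole with the instance credentials.
    """
    account = caller_role_arn.split(":")[4]
    accepted = {caller_role_arn, f"arn:aws:iam::{account}:root", "*"}
    policy = json.loads(trust_policy_text)
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal", {})
        aws_principals = (_as_list(principal.get("AWS", []))
                          if isinstance(principal, dict) else _as_list(principal))
        if accepted & set(aws_principals):
            return True
    return False


def diagnose(config_text, trust_policy_text, instance_role_arn, profile="default"):
    """Classify the profile. trust_policy_text is the trust policy of the role
    named by role_arn; instance_role_arn is the role the instance carries."""
    settings = profile_settings(config_text, profile)
    target = settings.get("role_arn")
    if target is None:
        # First form in the question: the CLI uses the instance credentials as-is.
        return "instance-credentials"
    if settings.get("credential_source") != "Ec2InstanceMetadata" \
            and "source_profile" not in settings:
        return "no-source-credentials"
    trusted = trust_allows(trust_policy_text, instance_role_arn)
    if target == instance_role_arn:
        # Second form: AssumeRole on the role already held, which only succeeds
        # once the role trusts itself, and gains nothing over the first form.
        return "self-assume-trusted" if trusted else "self-assume-untrusted"
    return "chained-assume" if trusted else "assume-denied"


MESSAGES = {
    "instance-credentials": "CLI uses the instance role directly; nothing to assume.",
    "no-source-credentials": "role_arn needs credential_source or source_profile.",
    "self-assume-untrusted": "role_arn is the instance's own role and its trust "
                             "policy does not name it: AccessDenied on AssumeRole.",
    "self-assume-trusted": "Works, but redundant: drop role_arn, or point it at a "
                           "different role that trusts the instance role.",
    "assume-denied": "Target role's trust policy does not allow the instance role.",
    "chained-assume": "Instance role is trusted by the target role.",
}

if __name__ == "__main__":
    for name, trust in (("EC2-only trust", EC2_ONLY_TRUST), ("self trust", SELF_TRUST)):
        code = diagnose(SAMPLE_CONFIG, trust, INSTANCE_ROLE_ARN)
        print(f"{name}: {code} - {MESSAGES[code]}")
```

Run as-is, the script reports the asker's original setup as self-assume-untrusted under the EC2-only trust policy and self-assume-trusted after the role is added to its own trust policy. To model the role-based access the asker is after, the useful case is the last branch: a profile whose role_arn names a different role, with that role's trust policy naming the instance role as a principal.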
