Bucket Policy to Restrict Access to an Instance Profile

Question

I am trying to restrict access to an S3 bucket to only EC2 instances with a specific instance profile.  
  
Here's the scenario. I have an S3 bucket into which a file is written. There is a lambda trigger that submits a job to an AWS Batch queue. The Batch compute environment launches an EC2 instance with a specific instance profile that attempts to read the file from S3 for processing. Using the roleId of the role attached to the instance profile I've written the following Bucket Policy,  
  
{  
    "Version": "2012-10-17",  
    "Statement": \[  
        {  
            "Effect": "Deny",  
            "Principal": "*",  
            "Action": "s3:*",  
            "Resource": \[  
                "arn:aws:s3:::MY_BUCKET",  
                "arn:aws:s3:::MY_BUCKET/*"  
            ],  
            "Condition": {  
                "StringNotLike": {  
                    "aws:userId": \[  
                        "AROAMY_ROLEID:*"  
                    ]  
                }  
            }  
        }  
    ]  
}  
  
The read fails.  
  
This policy seems to work fine in other scenarios where I'm not in an AWS Batch environment. For example, a lambda function that uses the same role as it's execution role. The file is readable, no problem.  
  
Is there something different about doing this from with a Batch execution environment that is causing this policy to not work?  
  
Thanks for any help...

Answer

User error

Bucket Policy to Restrict Access to an Instance Profile

相關內容