
Cannot download from AWS S3: Access Denied

So I'm hosting a web app on EC2 which lets users upload/download photos from S3. EC2 and S3 are in the same region.

Credentials: Following the official docs, credentials should be automatically supplied by the IAM role (with s3fullAccess permission) I created and associated with EC2.

Problem: User (from browser) can't download photos, but can successfully upload them. Download link was generated by aws-sdk's getSignedUrl() method.

Error Message:

InvalidAccessKeyId: The AWS Access Key Id you provided does not exist in our records.

Firstly, the access key seems correct as users can successfully upload stuff.

My guess is that, since the user clicks a link in the browser to download, there's no interaction between EC2 and S3, thus the IAM role is not used when downloading. But isn't the signedDownloadUrl generated with EC2 credentials? And there is an access key pair supplied in the query string. So my guess might be wrong..

Any suggestion/idea is appreciated.

Edit

I didn't create an IAM user, only have an IAM role. Don't know if this matters.

ASIA... is a temporary access key id from a set of temporary credentials for an IAM role. (Role credentials are always temporary.) AKIA... is an IAM user.

The problem here is that the x-amz-security-token accompanying the credentials was not used in the signing process that generated the S3 signed URL, so it doesn't appear in the signed URL... but it needs to be there for this to work.

If you are signing your request using temporary security credentials [...] you must include the corresponding security token in your request by adding the x-amz-security-token header.

http://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html#UsingTemporarySecurityCredentials

If you don't include x-amz-security-token, the system assumes it should look up the access-key-id in the IAM user database, and it won't be found there, which causes the InvalidAccessKeyId: The AWS Access Key Id you provided does not exist in our records error.

Note that you can't simply add it to the already-generated URL. It needs to be incorporated into the signing process.
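To make the answer's point concrete, here is an added illustration (not code from the question or the answer, and not the aws-sdk's own implementation): a minimal SigV4 presigner for an S3 GET in plain Python. When the credentials carry a session token, X-Amz-Security-Token has to be part of the canonical query string before the signature is computed, which is why it cannot be bolted on afterwards. Bucket name, key and credentials below are constructed placeholders.

```python
import hashlib
import hmac
from urllib.parse import quote

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def presign_s3_get(bucket, key, creds, region, amz_date, expires=3600):
    """Build a SigV4 presigned GET URL. creds may include 'session_token'
    (the case for IAM role / ASIA... credentials)."""
    access_key, secret_key = creds["access_key"], creds["secret_key"]
    token = creds.get("session_token")
    host = f"{bucket}.s3.{region}.amazonaws.com"
    datestamp = amz_date[:8]
    scope = f"{datestamp}/{region}/s3/aws4_request"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    if token:
        # Temporary credentials: the token is signed as a query parameter.
        params["X-Amz-Security-Token"] = token
    # Canonical query: keys sorted, every key and value URI-encoded.
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
        for k, v in sorted(params.items()))
    canonical_request = "\n".join([
        "GET", "/" + quote(key, safe="/-_.~"), canonical_query,
        f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest()])
    # Derive the signing key from the secret key, date, region and service.
    k = _hmac(("AWS4" + secret_key).encode(), datestamp)
    for part in (region, "s3", "aws4_request"):
        k = _hmac(k, part)
    signature = hmac.new(k, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return (f"https://{host}/{quote(key, safe='/-_.~')}?"
            f"{canonical_query}&X-Amz-Signature={signature}")

def signature_of(url: str) -> str:
    """Return the hex signature carried by a presigned URL."""
    return url.rsplit("X-Amz-Signature=", 1)[1]
```

Signing the same object with and without the token yields different signatures, so a URL produced without the token cannot be repaired by appending X-Amz-Security-Token to it.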
