I have a bucket policy that whitelists my IP ranges in AWS. I have an EC2 server running a Packer build job, which tries to pull an object from my bucket, and I am getting a 403 Forbidden error, even though the IP of my EC2 server running the said job is clearly within the whitelisted range. Even when I run wget from a machine within that CIDR range, I get the same error. I am confused why this is happening. The policy seems fine. Below is my bucket policy, the IP of my server, and the error:
Bucket Policy:
{
    "Version": "2012-10-17",
    "Id": "S3PolicyId1",
    "Statement": [
        {
            "Sid": "IPAllow",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": [
                "arn:aws:s3:::xxxxxxx",
                "arn:aws:s3:::xxxxxxx/*"
            ],
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": [
                        "10.x.x.x/12"
                    ]
                }
            }
        }
    ]
}
Server IP:
10.x.x.x/32
Error:
ui,message, amazon-ebs: "msg": "Error downloading https://s3.amazonaws.com/xxxxx/yyyy.zip to C:\\temp\\xxx.zip Exception calling \"DownloadFile\" with \"2\" argument(s): \"The remote server returned an error: (403) Forbidden.\""
Amazon S3 lives on the Internet. Therefore, when communicating with S3, your system will be using a public IP address. However, your policy only includes private IP addresses. That is why it is not working.
Your options are:
aws:sourceIp expects a public IP address. Private addresses are, by definition, ambiguous, and 10.xxx/12 is a private (RFC-1918) address, so it will never match.
If you are not using an S3 VPC endpoint, you could whitelist the public IP address of your NAT Gateway (assuming all the instances with access to the gateway should be able to access the bucket).
If you are using an S3 VPC endpoint, you can't whitelist by IP:
"You cannot use the aws:SourceIp condition in your IAM policies for requests to Amazon S3 through a VPC endpoint. This applies to IAM policies for users and roles, and any bucket policies. If a statement includes the aws:SourceIp condition, the value fails to match any provided IP address or range."
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-s3.html
Also, there's this:
"Note: It's a best practice not to use the aws:SourceIp condition key."
https://aws.amazon.com/premiumsupport/knowledge-center/iam-restrict-calls-ip-addresses/
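To make the two answers above concrete, here is an added example (not code from the question, from either answer, or from AWS): it lints a bucket policy for aws:SourceIp values that sit in RFC 1918 or other non-routable space, evaluates the policy against the address S3 actually sees, and builds the two fixes the answers describe. The policy is a constructed copy of the asker's with the masked values filled in; the NAT gateway address (203.0.113.10, from the documentation range) and the endpoint id are made-up assumptions. The VPC-endpoint fix uses the aws:SourceVpce condition key, which is AWS's endpoint-side alternative to aws:SourceIp but is not named on this page.

```python
"""Check why an aws:SourceIp bucket-policy condition never matches, and build the
two fixes: a public NAT gateway address, or a VPC endpoint condition.
Example code added to this page; not from the original post or from AWS."""
import copy
import ipaddress
import json

# Constructed sample with the same shape as the asker's policy: the aws:SourceIp
# value is an RFC 1918 range, so a request arriving from the internet never matches.
BROKEN_POLICY = {
    "Version": "2012-10-17",
    "Id": "S3PolicyId1",
    "Statement": [{
        "Sid": "IPAllow",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
        "Condition": {"IpAddress": {"aws:SourceIp": ["10.0.0.0/12"]}},
    }],
}

# Assumed values: a NAT gateway Elastic IP from the documentation range 203.0.113.0/24
# and a made-up S3 gateway endpoint id. Replace both with your own.
NAT_GATEWAY_EIP = "203.0.113.10/32"
S3_VPC_ENDPOINT_ID = "vpce-0123456789abcdef0"

# Ranges that never appear as the source of a request reaching the public S3 endpoint:
# RFC 1918 private space, loopback and link-local.
NON_ROUTABLE = [ipaddress.ip_network(c) for c in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def private_source_ip_ranges(policy):
    """List (Sid, cidr) for every aws:SourceIp value that overlaps non-routable space."""
    found = []
    for stmt in policy["Statement"]:
        for operator in ("IpAddress", "NotIpAddress"):
            values = stmt.get("Condition", {}).get(operator, {}).get("aws:SourceIp", [])
            for cidr in _as_list(values):
                net = ipaddress.ip_network(cidr, strict=False)
                if any(net.overlaps(p) for p in NON_ROUTABLE):
                    found.append((stmt.get("Sid"), cidr))
    return found


def _action_covers(stmt, action):
    return any(a == "*" or a == action or (a.endswith("*") and action.startswith(a[:-1]))
               for a in _as_list(stmt.get("Action", [])))


def _conditions_hold(cond, source_ip, source_vpce):
    """Evaluate the two operators this example understands (IpAddress on aws:SourceIp,
    StringEquals on aws:SourceVpce). Any other operator is treated as unsatisfied,
    which is the conservative reading for an Allow statement."""
    for operator, keys in cond.items():
        for key, values in keys.items():
            values = _as_list(values)
            if operator == "IpAddress" and key == "aws:SourceIp":
                # Through a VPC endpoint S3 sees no source IP, so IpAddress cannot match.
                ok = source_ip is not None and any(
                    ipaddress.ip_address(source_ip) in ipaddress.ip_network(v, strict=False)
                    for v in values)
            elif operator == "StringEquals" and key == "aws:SourceVpce":
                ok = source_vpce in values
            else:
                ok = False
            if not ok:
                return False
    return True


def get_object_allowed(policy, source_ip=None, source_vpce=None):
    """True if some Allow statement grants s3:GetObject for a request whose context
    carries source_ip (the public address as seen by S3) and/or source_vpce."""
    return any(stmt.get("Effect") == "Allow" and _action_covers(stmt, "s3:GetObject")
               and _conditions_hold(stmt.get("Condition", {}), source_ip, source_vpce)
               for stmt in policy["Statement"])


def fix_with_nat_gateway(policy, public_cidr):
    """Fix 1 (no VPC endpoint): allow only the NAT gateway's public address."""
    fixed = copy.deepcopy(policy)
    for stmt in fixed["Statement"]:
        ip_cond = stmt.get("Condition", {}).get("IpAddress", {})
        if "aws:SourceIp" in ip_cond:
            ip_cond["aws:SourceIp"] = [public_cidr]
    return fixed


def fix_with_vpc_endpoint(policy, vpce_id):
    """Fix 2 (S3 gateway endpoint): swap the IP condition for aws:SourceVpce."""
    fixed = copy.deepcopy(policy)
    for stmt in fixed["Statement"]:
        cond = stmt.get("Condition", {})
        if "aws:SourceIp" in cond.get("IpAddress", {}):
            cond.pop("IpAddress")
            cond["StringEquals"] = {"aws:SourceVpce": vpce_id}
    return fixed


if __name__ == "__main__":
    print("non-routable aws:SourceIp values:", private_source_ip_ranges(BROKEN_POLICY))
    print("allows 10.3.4.5 (what the asker expects):", get_object_allowed(BROKEN_POLICY, "10.3.4.5"))
    print("allows 203.0.113.10 (what S3 actually sees):", get_object_allowed(BROKEN_POLICY, "203.0.113.10"))
    print(json.dumps(fix_with_nat_gateway(BROKEN_POLICY, NAT_GATEWAY_EIP)["Statement"][0]["Condition"]))
    print(json.dumps(fix_with_vpc_endpoint(BROKEN_POLICY, S3_VPC_ENDPOINT_ID)["Statement"][0]["Condition"]))
```

The evaluator deliberately mirrors the failure mode from the quoted docs: with no source IP in the request context (the VPC endpoint case) an IpAddress condition is simply false, so an Allow that depends on it grants nothing. Running the script shows the private range matching the instance's own address but not the NAT address S3 sees, and each fix matching exactly one of the two request contexts.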