I am not sure if I am missing a step here or not.
I have an S3 bucket I need to be able to access from an AWS SDK PHP script I wrote running on my EC2 instance. I created an IAM role to allow access.
IAM Allow_S3_Access_to_EC2
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::myinbox"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::myinbox/*"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor3",
            "Effect": "Allow",
            "Action": "s3:DeleteObject",
            "Resource": "arn:aws:s3:::myinbox/*"
        }
    ]
}
And my Trust Relationship for the IAM role is
Trust Relationship
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "ec2.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
I then attached that IAM role to my EC2 instance. From what I have read this is all I have to do, but I think I need to do more.
In my Bucket Policy I have the following to allow access from SES so it can create the email object.
S3 Bucket Policy
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowSESPuts",
            "Effect": "Allow",
            "Principal": {
                "Service": "ses.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::myinbox/*",
            "Condition": {
                "StringEquals": {
                    "aws:Referer": "************"
                }
            }
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::************:role/Allow_S3_Access_to_EC2"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::myinbox",
                "arn:aws:s3:::myinbox/*"
            ]
        }
    ]
}
My Bucket Policy has nothing in there for my EC2 or even my IAM role I have attached. Do I need to add something to my Bucket Policy as well? That is where I am confused.
What I am experiencing is that when a new object is created and I try to access that object from my AWS SDK PHP script I get a "403" Forbidden. If I make that object public in the S3 console I can then access it just fine. So even though I have set permissions for my EC2 to access my S3, unless I make the object public I can't access it.
I even tried using wget to fetch the object on the actual server through the terminal, and I still get the 403 unless I make the object public.
When I run the IAM Policy Simulator on my role I get
Here is my PHP
PHP Script
<?php
require '../aws-ses/aws-autoloader.php';

use Aws\S3\S3Client;
use Aws\S3\Exception\S3Exception;

$bucketName = 'myinbox';

try {
    // Instantiate the client. Because 'credentials' is supplied explicitly, the SDK
    // signs every request with this access key and does not consult the instance profile.
    $s3 = new S3Client([
        'version'     => 'latest',
        'region'      => 'us-west-2',
        'credentials' => array(
            'key'    => '*********************',
            'secret' => '*******************************************',
        ),
    ]);
} catch (Exception $e) {
    // die() so that if this fails, execution stops here. Typically this is a REST call,
    // so this would return a JSON object instead.
    die("Error: " . $e->getMessage());
}

// Use the high-level iterators (returns ALL of your objects).
$objects = $s3->getIterator('ListObjects', array('Bucket' => $bucketName));
First, did you set up the trust relationship so that the EC2 service can assume that role?
Next, you don't associate IAM roles directly with EC2 instances; instead you need to use an Instance Profile. Did you set up an Instance Profile associated with that Role?
This document is a good start: https://docs.aws.amazon.com/codedeploy/latest/userguide/getting-started-create-iam-instance-profile.html
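As an added example (not from the question or from either answer), the same check done with the AWS SDK for PHP from a workstation whose credentials can call IAM and EC2: it confirms that an instance profile wraps the role, creates one if the role was made through the API or CLI (the console creates a same-named profile automatically; the API does not), and associates it with the instance, replacing whatever profile is already there since an instance carries exactly one. The instance ID is a placeholder, and the profile is assumed to share the role's name.

```php
<?php
// Added example, not the questioner's script: make sure the role from the question
// is wrapped in an instance profile and that the profile is attached to the instance.
// Assumes the same autoloader path as the question and a placeholder instance ID.
require '../aws-ses/aws-autoloader.php';

use Aws\Iam\IamClient;
use Aws\Ec2\Ec2Client;
use Aws\Exception\AwsException;

$roleName    = 'Allow_S3_Access_to_EC2';  // role from the question
$profileName = $roleName;                  // the console names the profile after the role
$instanceId  = 'i-0123456789abcdef0';      // placeholder: replace with the real instance ID
$region      = 'us-west-2';

$iam = new IamClient(['version' => 'latest', 'region' => $region]);
$ec2 = new Ec2Client(['version' => 'latest', 'region' => $region]);

// 1. Does an instance profile with this name exist, and does it contain the role?
try {
    $profile = $iam->getInstanceProfile(['InstanceProfileName' => $profileName]);
    $roles   = array_column($profile['InstanceProfile']['Roles'], 'RoleName');
    if (!in_array($roleName, $roles, true)) {
        $iam->addRoleToInstanceProfile([
            'InstanceProfileName' => $profileName,
            'RoleName'            => $roleName,
        ]);
        echo "Added role $roleName to instance profile $profileName\n";
    }
} catch (AwsException $e) {
    if ($e->getAwsErrorCode() !== 'NoSuchEntity') {
        throw $e;
    }
    // Roles created via the API or CLI get no profile automatically; create one.
    $iam->createInstanceProfile(['InstanceProfileName' => $profileName]);
    $iam->addRoleToInstanceProfile([
        'InstanceProfileName' => $profileName,
        'RoleName'            => $roleName,
    ]);
    echo "Created instance profile $profileName containing role $roleName\n";
}

// 2. Is that profile the one associated with the instance?
$assoc   = $ec2->describeIamInstanceProfileAssociations([
    'Filters' => [
        ['Name' => 'instance-id', 'Values' => [$instanceId]],
        ['Name' => 'state',       'Values' => ['associated']],
    ],
]);
$current = $assoc['IamInstanceProfileAssociations'];  // at most one per instance

if (empty($current)) {
    $ec2->associateIamInstanceProfile([
        'IamInstanceProfile' => ['Name' => $profileName],
        'InstanceId'         => $instanceId,
    ]);
    echo "Associated $profileName with $instanceId\n";
} elseif (basename($current[0]['IamInstanceProfile']['Arn']) !== $profileName) {
    // An instance can hold only one profile, so swap it rather than add a second.
    $ec2->replaceIamInstanceProfileAssociation([
        'AssociationId'      => $current[0]['AssociationId'],
        'IamInstanceProfile' => ['Name' => $profileName],
    ]);
    echo "Replaced the existing profile on $instanceId with $profileName\n";
} else {
    echo "$profileName is already associated with $instanceId\n";
}
```

A newly created profile can take a few seconds to become usable in an association call, so a retry on the EC2 step is reasonable when the IAM step has just created it.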
1) I would make sure that your EC2 instance is using the role to call S3; use the command below to identify the caller:
aws sts get-caller-identity
2) I would revoke existing sessions to make sure the new session has picked up the refreshed role:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_revoke-sessions.html
3) Use the S3 Access Analyzer to see how the access resolves:
https://docs.aws.amazon.com/AmazonS3/latest/user-guide/access-analyzer.html
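Step 1 above as it would look inside the PHP script itself, added here as an example and not part of the answer or the questioner's code: a client built without an explicit 'credentials' entry makes the SDK walk its default provider chain, which ends at the EC2 instance metadata service, so the instance profile's role is what signs the request. GetCallerIdentity then shows which principal that actually is, and a GetObject on one key exercises the bucket as that principal so the 403 can be reported together with the identity that received it. The object key is a placeholder; the bucket and role names are from the question.

```php
<?php
// Added example, not the questioner's script: find out which principal the SDK really
// signs with on the instance, then fetch one object as that principal.
// Assumes the same autoloader path as the question and a placeholder object key.
require '../aws-ses/aws-autoloader.php';

use Aws\Sts\StsClient;
use Aws\S3\S3Client;
use Aws\S3\Exception\S3Exception;

$region       = 'us-west-2';
$bucketName   = 'myinbox';                 // bucket from the question
$expectedRole = 'Allow_S3_Access_to_EC2';  // role from the question
$objectKey    = 'example-email-object';    // placeholder: a key SES has written

// No 'credentials' entry: the SDK walks its default provider chain (environment
// variables, ~/.aws/credentials, ..., EC2 instance metadata). Supplying 'credentials'
// explicitly, as the original script does, overrides that chain entirely.
$config = ['version' => 'latest', 'region' => $region];

// An instance-profile session has an ARN of the form
//   arn:aws:sts::123456789012:assumed-role/<RoleName>/<instance-id>
function isSessionForRole(string $callerArn, string $roleName): bool
{
    return preg_match('#:assumed-role/' . preg_quote($roleName, '#') . '/#', $callerArn) === 1;
}

$sts       = new StsClient($config);
$callerArn = $sts->getCallerIdentity()['Arn'];
echo "Calling as: $callerArn\n";

if (!isSessionForRole($callerArn, $expectedRole)) {
    // Neither the role's IAM policy nor the bucket-policy statement naming the role
    // applies to any other principal, so a 403 from here on is what to expect.
    echo "WARNING: requests are not being made as $expectedRole\n";
}

$s3 = new S3Client($config);
try {
    $object = $s3->getObject(['Bucket' => $bucketName, 'Key' => $objectKey]);
    echo "OK: read {$object['ContentLength']} bytes from s3://$bucketName/$objectKey\n";
} catch (S3Exception $e) {
    // Report the HTTP status and S3 error code together with the principal that was
    // actually used; that pairing is what to enter into the Policy Simulator.
    printf("S3 returned %s (%s) for s3://%s/%s as %s\n",
        $e->getStatusCode(), $e->getAwsErrorCode(), $bucketName, $objectKey, $callerArn);
}
```

Run it on the instance. If the printed ARN is an IAM user (arn:aws:iam::...:user/...) or a different role, the profile is not what is signing the requests. The SDK caches the credentials it obtained for the life of the process, so after attaching a profile or revoking sessions, start the script again rather than expecting a long-running worker to pick the change up.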