
AWS - Unable to access S3 bucket object from EC2

I am not sure if I am missing a step here or not.

I have an s3 bucket I need to be able to access from an AWS SDK PHP script I wrote running on my EC2. I created an IAM role to allow access.

IAM Allow_S3_Access_to_EC2

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::myinbox"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::myinbox/*"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor3",
            "Effect": "Allow",
            "Action": "s3:DeleteObject",
            "Resource": "arn:aws:s3:::myinbox/*"
        }
    ]
}

And my Trust Relationship for the IAM role is

Trust Relationship

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

I then attached that IAM role to my EC2 instance. From what I have read this is all I have to do, but I think I need to do more.

In my Bucket Policy I have the following to allow access from my SES to be able to create the email object.

S3 Bucket Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowSESPuts",
            "Effect": "Allow",
            "Principal": {
                "Service": "ses.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::myinbox/*",
            "Condition": {
                "StringEquals": {
                    "aws:Referer": "************"
                }
            }
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::************:role/Allow_S3_Access_to_EC2"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::myinbox",
                "arn:aws:s3:::myinbox/*"
            ]
        }
    ]
}

My Bucket Policy has nothing in there for my EC2 or even my IAM role I have attached. Do I need to add something to my Bucket Policy as well? That is where I am confused.

What I am experiencing is that when a new object is created and I try to access that object from my AWS SDK PHP script, I get a "403" Forbidden. If I make that object public in the S3 console I can then access it just fine. So even though I have set permissions for my EC2 to access my S3, unless I make the object public I can't access it.

I even tried using wget on the object from the actual server through the terminal, and I still get the 403 unless I make the object public.

When I run the IAM Policy Simulator on my role I get

[Screenshot of the IAM Policy Simulator result; image not available in this copy]

Here is my PHP

PHP Script

<?php
require '../aws-ses/aws-autoloader.php';

use Aws\S3\S3Client;
use Aws\S3\Exception\S3Exception;

$bucketName = 'myinbox';

try {
    // Instantiate the client.
    $s3 = new S3Client([
        'version' => 'latest',
        'region'  => 'us-west-2',
        'credentials' => array('key'=>'*********************',
                    'secret'=>'*******************************************')
    ]);
} catch (Exception $e) {
    // We use die() so that if this fails it stops here. Typically this is a REST call, so this would
    // return a JSON object.
    die("Error: " . $e->getMessage());
}
// Use the high-level iterators (returns ALL of your objects).
$objects = $s3->getIterator('ListObjects', array('Bucket' => $bucketName));

First, did you set up the trust relationship so that the EC2 service can assume that role?

Next, you don't associate IAM roles directly with EC2 instances; instead you need to use an Instance Profile. Did you set up an Instance Profile associated with that Role?

This document is a good start: https://docs.aws.amazon.com/codedeploy/latest/userguide/getting-started-create-iam-instance-profile.html

1) I would make sure that your EC2 is using the role to call S3; use the command below to identify the caller:

aws sts get-caller-identity

2) I would revoke existing sessions to make sure the new session has refreshed the roles

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_revoke-sessions.html

3) Use the S3 Access Analyzer to see how the access is resolved:

https://docs.aws.amazon.com/AmazonS3/latest/user-guide/access-analyzer.html
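Both answers come down to the same question: which identity is actually making the S3 call. The following Python script is an added example (it is not from the question, the answers, or AWS) that replays the question's role policy and bucket policy through a deliberately simplified version of AWS's same-account evaluation rule: an explicit Deny wins, otherwise any matching Allow in either the caller's identity policy or the bucket policy grants access, otherwise the request is implicitly denied. The account id, the SES referer value and the IAM user that stands in for the script's static access keys are placeholders; conditions other than StringEquals, NotAction/NotResource, permission boundaries and cross-account rules are not modelled.

```python
"""Simplified same-account IAM evaluation of the question's two policies (added example)."""
import fnmatch

ACCOUNT = "123456789012"                     # placeholder for the masked account id
REFERER = "REFERER-PLACEHOLDER"              # placeholder for the masked aws:Referer value
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/Allow_S3_Access_to_EC2"

# Identity-based policy attached to the role (copied from the question).
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::myinbox"},
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::myinbox/*"},
    {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::myinbox/*"},
]}

# Resource-based policy on the bucket (copied from the question, placeholders substituted).
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowSESPuts", "Effect": "Allow",
     "Principal": {"Service": "ses.amazonaws.com"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::myinbox/*",
     "Condition": {"StringEquals": {"aws:Referer": REFERER}}},
    {"Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
     "Action": "s3:*", "Resource": ["arn:aws:s3:::myinbox", "arn:aws:s3:::myinbox/*"]},
]}

# Constructed: only the role has an identity policy; the IAM user standing in for the
# script's hard-coded access keys has none of its own in this example.
IDENTITY_POLICIES = {ROLE_ARN: [ROLE_POLICY]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def canonical_principal(caller):
    """Map an STS assumed-role session ARN back to the IAM role ARN it was created from.
    arn:aws:sts::ACCT:assumed-role/ROLE/SESSION  ->  arn:aws:iam::ACCT:role/ROLE"""
    parts = caller.split(":", 5)
    if len(parts) == 6 and parts[2] == "sts" and parts[5].startswith("assumed-role/"):
        return f"arn:aws:iam::{parts[4]}:role/{parts[5].split('/')[1]}"
    return caller


def _matches(patterns, value, fold_case=False):
    """IAM-style wildcard match; action names are case-insensitive, ARNs are not."""
    for pattern in _as_list(patterns):
        if fold_case:
            pattern, value = pattern.lower(), value.lower()
        if fnmatch.fnmatchcase(value, pattern):
            return True
    return False


def _principal_matches(statement, caller):
    """Resource-policy statements only apply to callers named in their Principal element."""
    principal = statement.get("Principal")
    if principal is None or principal == "*":
        return True
    if caller in _as_list(principal.get("Service", [])):
        return True
    aws = _as_list(principal.get("AWS", []))
    return "*" in aws or canonical_principal(caller) in aws


def _condition_holds(statement, context):
    """Only StringEquals is modelled; any other operator is reported rather than guessed."""
    for operator, pairs in statement.get("Condition", {}).items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def evaluate(caller, action, resource, context=None):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for a same-account request."""
    context = context or {}
    identity_stmts = [s for policy in IDENTITY_POLICIES.get(canonical_principal(caller), [])
                      for s in policy["Statement"]]
    resource_stmts = [s for s in BUCKET_POLICY["Statement"] if _principal_matches(s, caller)]
    applicable = [s for s in identity_stmts + resource_stmts
                  if _matches(s["Action"], action, fold_case=True)
                  and _matches(s["Resource"], resource)
                  and _condition_holds(s, context)]
    if any(s["Effect"] == "Deny" for s in applicable):
        return "ExplicitDeny"
    if any(s["Effect"] == "Allow" for s in applicable):
        return "Allow"
    return "ImplicitDeny"


if __name__ == "__main__":
    session = f"arn:aws:sts::{ACCOUNT}:assumed-role/Allow_S3_Access_to_EC2/i-0placeholder"
    user = f"arn:aws:iam::{ACCOUNT}:user/php-script-keys"   # constructed stand-in for static keys
    obj = "arn:aws:s3:::myinbox/email-1"
    for who in (session, user):
        print(who, "s3:GetObject ->", evaluate(who, "s3:GetObject", obj))
```

Running it shows the role session is allowed s3:GetObject by both the role policy and the bucket policy, while a caller presenting long-term user keys matches neither (the bucket policy names only the role). Because an explicit 'credentials' array in the PHP S3Client constructor takes precedence over the instance-profile credentials the SDK would otherwise pick up, a script built that way calls S3 as whatever user owns those keys, not as the role attached to the instance; `aws sts get-caller-identity` on the instance is the quickest way to see which identity is in play.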

The technical post webpages of this site follow the CC BY-SA 4.0 license. If you need to reprint, please indicate the site URL or the original address.

© 2020-2024 STACKOOM.COM