stackoom
  简体   繁体   中英

EC2 cannot access S3 object via IAM role

 原文  2020-03-26 06:40:14       amazon-web-services/ amazon-s3/ amazon-ec2/ amazon-iam

Question

I created an IAM role as follows and attached to my EC2 instance:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": "*"
        }
    ]
}

Also added bucket policy for my S3 bucket:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<my-aws-account-id>:role/Get-Pic"
            },
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": [
                "arn:aws:s3:::<my-bucket>",
                "arn:aws:s3:::<my-bucket>/*"
            ]
        }
    ]
}

Options of Block public access of S3 are:

  • [on] Block public access to buckets and objects granted through new access control lists (ACLs)
  • [on] Block public access to buckets and objects granted through any access control lists (ACLs)
  • [off] Block public access to buckets and objects granted through new public bucket or access point policies
  • [off] Block public and cross-account access to buckets and objects through any public bucket or access point policies

But I still cannot access my S3 from EC2:

$ curl https://<my-bucket>.s3-ap-southeast-2.amazonaws.com/Instagram.png
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>2006E789486C0744</RequestId><HostId>DVldRN7BgUXvKvXElPYTVGd7mgAsoPEJkH9D/mlrr4Vv5FNZdr0DLbKTFkGu9ZuCo45yPq+i2rU=</HostId></Error>

Is there anything I should do?

1 answers

solution1
 1 ACCPTED  2020-03-26 06:57:25

The reason it fails is that you are using curl to access objects as if they were publicly accessible. But your bucket policy does not allow for public read access. The correct policy should be :

{
  "Version":"2012-10-17",
  "Statement":[{
    "Sid":"PublicReadGetObject",
        "Effect":"Allow",
      "Principal": "*",
      "Action":["s3:GetObject"],
      "Resource":["arn:aws:s3:::example-bucket/*"
      ]
    }
  ]
}

However, if you don't want your objects to be publicly accessible, on your instance you should be using AWS CLI to get objects, eg aws s3 cp , or SDK, eg boto3's get_object .

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question AWS IAM Role in EC2 and access to S3 from JupyterHub AWS EC2 access to S3 with IAM role AWS EC2 IAM role access denied on S3 AWS EC2 IAM role for S3 access not working Unable to access S3 file with IAM role from EC2 Cannot access s3 from application running on EKS EC2 instance, IAM assume role permissions issue AWS: Mounting S3 bucket to EC2 via s3fs (iam role) executes but does not work Can't access S3 bucket using IAM Role from an EC2 instance AWS EC2 SSH Via Role and Accessing S3 AWS CLI in Windows EC2 cannot use role to access S3
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM