
AWS S3 Bucket Policy Access Denied Tag Condition EC2

I've read up and down the documentation, and cannot seem to download files from an S3 bucket that has a bucket policy using wget from the instance. I can, however, download using the s3 cp command.

I've tried most, if not all, global condition keys, but none seem to allow the wget download. Examples are aws:PrincipalTag, aws:ResourceTag, and aws:PrincipalArn for the instance profile role attached to the instance.

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html
https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html

    {
        "Effect": "Allow",
        "Principal": {
            "AWS": "*"
        },
        "Action": [
            "s3:GetObject",
            "s3:List*"
        ],
        "Resource": [
            "arn:aws:s3:::my-config-folder/*",
            "arn:aws:s3:::my-config-folder"
        ],
        "Condition": {
            "StringEquals": {
                "aws:ResourceTag/ROLE": "TEST"
            },
            "Bool": {
                "aws:SecureTransport": "true"
            }
        }
    },

        "Condition": {
            "ArnLike": {
                "aws:PrincipalArn": [
                    "arn:aws:iam::123456789456:role/instance-role-*",
                    "arn:aws:iam::123456789456:role/instance-profile-*",
                    "arn:aws:iam::123456789456:role/service-role-*",
                    "arn:aws:iam::123456789456:role/instance-role-blue-dev-env",
                    "arn:aws:iam::123456789456:instance-profile/instance-profile-dev",
                    "arn:aws:iam::123456789456:role/instance-role-dev",
                    "arn:aws:iam::123456789456:role/instance-profile-*"
                ]
            }
        }
    },


        "Condition": {
            "ArnLike": {
                "ec2:SourceInstanceARN": [
                    "arn:aws:iam::123456789456:role/instance-role-*",
                    "arn:aws:iam::123456789456:role/instance-profile-*",
                    "arn:aws:iam::123456789456:role/service-role-*",
                    "arn:aws:iam::123456789456:role/instance-role-blue-dev-env",
                    "arn:aws:iam::123456789456:instance-profile/instance-profile-dev",
                    "arn:aws:iam::123456789456:role/instance-role-dev",
                    "arn:aws:iam::123456789456:role/instance-profile-*"
                ]
            }
        }
    },

https://docs.aws.amazon.com/AmazonECS/latest/developerguide/taskdef-envfiles.html
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#container_definition_image

  "command": [],
  "linuxParameters": null,
  "cpu": 10,
  "environment": [
    {
      "name": "APP_CONFIG_URL",
      "value": "https://my-config-folder.s3-us-west-2.amazonaws.com/test/qa/app/testapp/appconfig.properties"
    },
    {
      "name": "DIRECT_MEMORY_SIZE",
      "value": "512m"
    }
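The conditions in the question fail for two separate reasons, and a small linter makes both visible. First, aws:PrincipalArn and ec2:SourceInstanceARN are only populated when the request is signed with IAM credentials, so an Allow conditioned on either of them can never match an unsigned wget request; second, several of the listed values have the wrong ARN shape for their key (an instance-profile ARN is not a principal, and ec2:SourceInstanceARN carries an EC2 instance ARN rather than an IAM role ARN). The following is an added example, not code from the question or from AWS; the statement dicts are reconstructed from the question's fragments, 123456789456 is the placeholder account id the question itself uses, and the instance ARN in GOOD_STATEMENT is a constructed value.

```python
"""Added example: lint S3 bucket policy statements for condition values that
can never match, and for Allow statements with Principal "*" that no
identity-bound condition narrows. Not code from the original question."""
import re

# ARN shape each key actually carries in the request context. aws:PrincipalArn
# is the IAM user or role ARN (an instance profile is never the principal; the
# role inside it is). ec2:SourceInstanceARN is the EC2 instance ARN, not an
# IAM ARN.
ARN_SHAPES = {
    "aws:PrincipalArn": re.compile(r"^arn:aws:iam::\d{12}:((role|user)/|root$)"),
    "ec2:SourceInstanceARN": re.compile(r"^arn:aws:ec2:[a-z0-9-]*:\d{12}:instance/"),
}

# Keys present only when the request is signed with IAM credentials
# (ec2:SourceInstanceARN only for instance-profile credentials). An Allow
# conditioned on one of these cannot match an unsigned (anonymous) request.
IDENTITY_KEYS = ("aws:PrincipalArn", "aws:PrincipalAccount", "aws:PrincipalOrgID",
                 "aws:PrincipalTag/", "ec2:SourceInstanceARN")

# The ARN list the question used for both ArnLike conditions.
QUESTION_ARNS = [
    "arn:aws:iam::123456789456:role/instance-role-*",
    "arn:aws:iam::123456789456:role/instance-profile-*",
    "arn:aws:iam::123456789456:role/service-role-*",
    "arn:aws:iam::123456789456:role/instance-role-blue-dev-env",
    "arn:aws:iam::123456789456:instance-profile/instance-profile-dev",
    "arn:aws:iam::123456789456:role/instance-role-dev",
    "arn:aws:iam::123456789456:role/instance-profile-*",
]

_BASE = {"Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:GetObject", "s3:List*"],
         "Resource": ["arn:aws:s3:::my-config-folder/*", "arn:aws:s3:::my-config-folder"]}

STATEMENT_RESOURCE_TAG = dict(_BASE, Condition={
    "StringEquals": {"aws:ResourceTag/ROLE": "TEST"},
    "Bool": {"aws:SecureTransport": "true"}})
STATEMENT_PRINCIPAL_ARN = dict(_BASE, Condition={
    "ArnLike": {"aws:PrincipalArn": QUESTION_ARNS}})
STATEMENT_SOURCE_INSTANCE = dict(_BASE, Condition={
    "ArnLike": {"ec2:SourceInstanceARN": QUESTION_ARNS}})
# Constructed "fixed" statement: role ARN for the principal, instance ARN for
# the source instance (the instance id wildcard is a placeholder).
GOOD_STATEMENT = dict(_BASE, Condition={
    "ArnLike": {"aws:PrincipalArn": "arn:aws:iam::123456789456:role/instance-role-dev",
                "ec2:SourceInstanceARN": "arn:aws:ec2:us-west-2:123456789456:instance/i-*"},
    "Bool": {"aws:SecureTransport": "true"}})


def _is_anonymous_principal(principal):
    return principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_statement(stmt):
    """Return a list of human-readable findings for one policy statement."""
    findings = []
    condition = stmt.get("Condition", {})
    keys = [k for operator_block in condition.values() for k in operator_block]

    if stmt.get("Effect") == "Allow" and _is_anonymous_principal(stmt.get("Principal")):
        if not any(k == ik or k.startswith(ik) for k in keys for ik in IDENTITY_KEYS):
            findings.append('Principal "*" with no identity-bound condition: nothing '
                            "constrains the caller, so anonymous requests that satisfy "
                            "the remaining conditions are allowed")

    for operator_block in condition.values():
        for key, values in operator_block.items():
            shape = ARN_SHAPES.get(key)
            if shape is None:
                continue
            for value in _as_list(values):
                if not shape.match(value):
                    findings.append(f"{key} can never match {value!r}: "
                                    "the key carries a different ARN shape")
    return findings


if __name__ == "__main__":
    for name, stmt in [("resource-tag", STATEMENT_RESOURCE_TAG),
                       ("principal-arn", STATEMENT_PRINCIPAL_ARN),
                       ("source-instance", STATEMENT_SOURCE_INSTANCE),
                       ("good", GOOD_STATEMENT)]:
        print(name, lint_statement(stmt) or "no findings")
```

Running it over the three statements from the question reports the anonymous-principal gap for the tag-only statement, the single instance-profile value that can never be a principal in the aws:PrincipalArn statement, and all seven IAM ARNs as impossible values for ec2:SourceInstanceARN; the constructed GOOD_STATEMENT produces no findings, but it still only admits signed requests, which is exactly why a plain wget is refused.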

When you use the AWS CLI, the API calls are signed using the credentials stored in your configuration file (or assigned to the EC2 instance via an IAM Role).

However, when you use wget, it does not know your identity, so the request will be denied.

Therefore, it is preferable to use the AWS CLI to download objects, or a program that uses an AWS SDK.

If you really do want to access objects via wget, you can generate Amazon S3 pre-signed URLs, which append identity information and a hashed signature to grant access to private objects.
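What a pre-signed URL actually carries is shown below: a SigV4 query-string signature built from the access key id, scope, timestamp, expiry and the request's host and path, so that the URL proves knowledge of the secret key without containing it. This is an added example written with only the Python standard library, not code from the answer or from the AWS SDK; the access key, secret key, bucket, object key and fixed timestamp are constructed placeholders, and the `verify_presigned` function is a local stand-in for the check S3 performs when it receives the URL.

```python
"""Added example: build and verify an Amazon S3 pre-signed GET URL
(SigV4 query-string signing) with the standard library only.
All credentials and the timestamp are constructed placeholders."""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, quote, unquote, urlsplit

ACCESS_KEY = "AKIAEXAMPLEEXAMPLE00"                    # constructed, not real
SECRET_KEY = "exampleSecretKey/NotReal/DoNotUse0000000"  # constructed, not real
REGION = "us-west-2"
BUCKET = "my-config-folder"
KEY = "test/qa/app/testapp/appconfig.properties"
FIXED_NOW = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)  # constructed
AFTER_EXPIRY = FIXED_NOW + timedelta(seconds=901)               # past a 900 s window


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _signing_key(secret: str, date: str, region: str, service: str = "s3") -> bytes:
    # SigV4 key derivation: the secret never signs a request directly.
    k_date = _hmac(("AWS4" + secret).encode("utf-8"), date)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def _canonical_query(params: dict) -> str:
    # Sorted, URI-encoded key=value pairs; '/' must be encoded here too.
    return "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                    for k, v in sorted(params.items()))


def _string_to_sign(host: str, path: str, query: str, amz_date: str, scope: str) -> str:
    canonical_request = "\n".join([
        "GET",
        quote(path, safe="/-_.~"),
        query,
        f"host:{host}\n",   # canonical headers block, each line ends with \n
        "host",             # signed headers
        "UNSIGNED-PAYLOAD",  # GET has no body to hash
    ])
    return "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                      hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])


def presign_get(bucket, key, access_key, secret_key, region, expires=900, now=None) -> str:
    """Return a URL that grants GET on one object until `expires` seconds pass."""
    now = now or datetime.now(timezone.utc)
    amz_date, date = now.strftime("%Y%m%dT%H%M%SZ"), now.strftime("%Y%m%d")
    scope = f"{date}/{region}/s3/aws4_request"
    host = f"{bucket}.s3.{region}.amazonaws.com"
    path = "/" + key
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    query = _canonical_query(params)
    sts = _string_to_sign(host, path, query, amz_date, scope)
    signature = hmac.new(_signing_key(secret_key, date, region),
                         sts.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"https://{host}{quote(path, safe='/-_.~')}?{query}&X-Amz-Signature={signature}"


def verify_presigned(url: str, secret_key: str, now: datetime) -> bool:
    """Stand-in for the server-side check: recompute the signature from the
    URL's own parameters and accept only if it matches and has not expired."""
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    presented = params.pop("X-Amz-Signature", "")
    try:
        _access_key, date, region, service, terminal = params["X-Amz-Credential"].split("/")
        signed_at = datetime.strptime(params["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
        expires = int(params["X-Amz-Expires"])
    except (KeyError, ValueError):
        return False
    if now > signed_at + timedelta(seconds=expires):
        return False
    scope = f"{date}/{region}/{service}/{terminal}"
    sts = _string_to_sign(parts.netloc, unquote(parts.path), _canonical_query(params),
                          params["X-Amz-Date"], scope)
    expected = hmac.new(_signing_key(secret_key, date, region, service),
                        sts.encode("utf-8"), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    url = presign_get(BUCKET, KEY, ACCESS_KEY, SECRET_KEY, REGION, now=FIXED_NOW)
    print(url)
    print("valid now:", verify_presigned(url, SECRET_KEY, FIXED_NOW))
    print("valid after expiry:", verify_presigned(url, SECRET_KEY, AFTER_EXPIRY))
```

Because the host and path are part of the signed canonical request, changing the object key in the URL, signing with a different secret, or presenting the URL after X-Amz-Expires all fail verification; the secret key itself never appears in the URL, only the access key id inside X-Amz-Credential. A URL produced this way can be handed to wget or to a container's APP_CONFIG_URL without the consumer holding any AWS credentials, which is the trade-off the answer describes: whoever holds the URL holds the access until it expires.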
