I'm trying to run a bash script on a centos server. I've running the script as the root user (both for file permissions), but I also need to use the aws service permissions that belong to a service account. We have decided not to give the root account access to the AWS environment.
If I run the script manually ./disk-arcive.sh it works without a problem. When I run it from my crontab it silently fails when changing to the aws-cli-user. No error message, and only when started by cron.
How it is being called in Crontab sudo crontab -e:
0 20 * * * /bin/sh /etc/disk-arcive.sh
Summary of shell file:
#!/bin/sh
PATH=/sbin:/bin:/usr/sbin:/usr/bin <<Same as root
find (old stuff) >> /old-stuff.temp
while read line; do
/opt/bin/encryption-tool "$line">> /encrypt_logfile.log << key access requires root permission
done < /old-stuff.temp
while read line; do
sudo -u aws-cli-user /usr/local/bin/aws s3 mv "$line.pgp" s3://mybucket"$line.pgp" >> /bucket_logfile.log #<< switch to user fails, user needed for s3 permissions
sudo -u aws-cli-user echo "User is now aws-cli-user" >> /bucket_logfile.log #<< added for debugging, does not work
echo "looks like $line is done" >> /bucket_logfile.log #<< added for debugging, Works
done < /old-stuff.temp
exit
UPDATE1
I've updated the "user switching" lines to the following. It appears to fail differently however if I use any aws-s3 options (i.e. --sse or --acl) those are being read a part of the su options.
su -l aws-cli-user -c '/usr/local/bin/aws s3 mv "$line.pgp" s3://mybucket"$line.pgp" --sse >> /bucket_logfile.log' #<< switch to user fails, user needed for s3 permissions
su -l aws-cli-user -c 'echo "User is now aws-cli-user $(whoami)" >> /bucket_logfile.log' #<< added for debugging, does not work. enters a blank line into the log file
The output of the echo line shows that the $line is now being passed when the user is switched.
