
I have an AWS Elastic Beanstalk Rails app that I am configuring via the config script to pull some files from an S3 bucket. When I start up the application, I keep receiving the following error in the logs (bucket name has been changed for security):

Failed to retrieve https://s3.amazonaws.com/my.bucket/bootstrap.sh: HTTP Error 403 : <?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message>

Config file:

packages:
  yum:
    git: []

files:
  /opt/elasticbeanstalk/hooks/appdeploy/pre/01a_bootstrap.sh:
    mode: "00755"
    owner: root
    group: root
    source: https://s3.amazonaws.com/my.bucket/bootstrap.sh

The Elastic Beanstalk environment is set up with the aws-elasticbeanstalk-ec2-role IAM role as its instance role. This role has the following policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:Get*",
        "s3:List*"
      ],
      "Resource": "arn:aws:s3:::my.bucket/*"
    }
  ]
}

And the S3 bucket has the following policy:

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "Stmt1371012493903",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<account #>:role/aws-elasticbeanstalk-ec2-role"
      },
      "Action": [
        "s3:List*",
        "s3:Get*"
      ],
      "Resource": "arn:aws:s3:::my.bucket/*"
    }
  ]
}

What do I need to change to give my EC2 instances access to my S3 bucket?

dignoe
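An added example, not code from the question or from either answer: cfn-init, which processes the files: section of an .ebextensions config, only signs a source: download with the instance role when an AWS::CloudFormation::Authentication resource covers that bucket; otherwise the URL is fetched as a plain HTTP request, which a bucket that grants access only to the role rejects with AccessDenied regardless of how correct the IAM and bucket policies are. The config below adds that resource and binds the file entry to it with authentication: S3Auth. The bucket name, role name and file path are taken from the question; the logical resource name AWSEBAutoScalingGroup, the Fn::GetOptionSetting lookup and the option namespace are the ones Elastic Beanstalk documents for this purpose, and the file name 01_bootstrap.config is an assumption.

```yaml
# .ebextensions/01_bootstrap.config (added example, name assumed)
# Resources: tells cfn-init which credentials sign downloads from my.bucket.
# The roleName lookup reads the instance profile configured for the environment
# and falls back to aws-elasticbeanstalk-ec2-role, the role named in the question.
Resources:
  AWSEBAutoScalingGroup:
    Metadata:
      AWS::CloudFormation::Authentication:
        S3Auth:
          type: "s3"
          buckets: ["my.bucket"]
          roleName:
            "Fn::GetOptionSetting":
              Namespace: "aws:autoscaling:launchconfiguration"
              OptionName: "IamInstanceProfile"
              DefaultValue: "aws-elasticbeanstalk-ec2-role"

packages:
  yum:
    git: []

files:
  "/opt/elasticbeanstalk/hooks/appdeploy/pre/01a_bootstrap.sh":
    mode: "000755"
    owner: root
    group: root
    # Binds this download to the S3Auth credentials declared above.
    authentication: "S3Auth"
    source: https://s3.amazonaws.com/my.bucket/bootstrap.sh
```

Two things worth checking alongside this. First, s3:List* on arn:aws:s3:::my.bucket/* does not cover s3:ListBucket, which is evaluated against the bucket ARN arn:aws:s3:::my.bucket itself; fetching bootstrap.sh only needs GetObject on the object ARN, so that is not what produces this particular 403, but it matters as soon as the bootstrap script lists the bucket. Second, the role credentials cfn-init obtains are the same temporary credentials the instance metadata service hands out, so the bucket policy's role-ARN principal matches them as an assumed-role session; no access keys need to be stored on the instance.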

2 Answers


From your EC2 instance, you will also have to retrieve the temporary credentials in the instance metadata:

curl http://169.254.169.254/latest/meta-data/iam/security-credentials/<your-iam-role-name>

You then use the provided access key and secret key to access your S3 bucket.

  • When you do this through the AWS SDKs for the specific language from an application, it's internally taken care of by the SDK to get the temporary credentials and then refresh them based on specific time intervals. – whokares Sep 25 '14 at 15:31
  • How do you use the access and secret key to access the S3 bucket? Do you have an example? Cheers – Céline Aussourd Mar 19 '15 at 14:55
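An added example, not part of the answer above, that does what the answer describes end to end and answers the comment asking for one: fetch the role's temporary credentials from the instance metadata service, export them in the variables the AWS CLI and SDKs read, confirm which principal they represent, and fetch the object. The credential document also carries a session token; the answer mentions only the access and secret key, but role credentials are useless without the token, so the example exports all three. The metadata paths and the document's field names (AccessKeyId, SecretAccessKey, Token) are the real ones; the bucket and role names come from the question; that the AWS CLI is installed on the instance is an assumption. The parsing is done with sed so it runs on a bare Amazon Linux instance without jq.

```sh
#!/bin/sh
# Added example: use the instance role's temporary credentials from IMDS.
# Field extraction and export are plain functions so they can be exercised
# offline with a constructed credential document; only the --fetch path
# talks to the metadata service and to S3.

IMDS="http://169.254.169.254/latest/meta-data/iam/security-credentials"

# Extract one string field from the IMDS credential document.
# $1: document text, $2: field name (AccessKeyId, SecretAccessKey, Token).
imds_field() {
    printf '%s\n' "$1" | sed -n "s/.*\"$2\" *: *\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Export the three variables the CLI/SDKs read. The session token is mandatory
# for role credentials; without it S3 rejects the request. Returns 1 if the
# document is not a credential document (e.g. no role attached, or IMDS error).
export_imds_credentials() {
    doc="$1"
    AWS_ACCESS_KEY_ID=$(imds_field "$doc" AccessKeyId)
    AWS_SECRET_ACCESS_KEY=$(imds_field "$doc" SecretAccessKey)
    AWS_SESSION_TOKEN=$(imds_field "$doc" Token)
    [ -n "$AWS_ACCESS_KEY_ID" ] && [ -n "$AWS_SECRET_ACCESS_KEY" ] \
        && [ -n "$AWS_SESSION_TOKEN" ] || return 1
    export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
}

# Discover the attached role name, then fetch its credential document.
# Uses an IMDSv2 session token; this also works where IMDSv1 is still allowed.
fetch_imds_document() {
    tok=$(curl -sS -X PUT "http://169.254.169.254/latest/api/token" \
          -H "X-aws-ec2-metadata-token-ttl-seconds: 300")
    role=$(curl -sS -H "X-aws-ec2-metadata-token: $tok" "$IMDS/")
    curl -sS -H "X-aws-ec2-metadata-token: $tok" "$IMDS/$role"
}

if [ "${1:-}" = "--fetch" ]; then
    export_imds_credentials "$(fetch_imds_document)" \
        || { echo "no role credentials available from IMDS" >&2; exit 1; }
    # Expect arn:aws:sts::<account>:assumed-role/aws-elasticbeanstalk-ec2-role/<instance-id>;
    # anything else means a different credential source is winning.
    aws sts get-caller-identity
    aws s3 cp s3://my.bucket/bootstrap.sh /tmp/bootstrap.sh
fi
```

Run it on the instance as `sh imds-s3.sh --fetch`. If get-caller-identity reports the expected assumed-role ARN and the copy still fails, the problem is in the policies rather than in the credentials; if it reports some other principal, something on the instance is supplying static keys ahead of the instance role.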

If it's cross-account access, check that it is not related to ACL headers as mentioned here: https://stackoverflow.com/a/34055538/1736679 (more info in this issue thread: https://github.com/aws/aws-cli/issues/1674)

Also double-check the environment / user from which you are running to see whether there are any overriding keys (AWS_ACCESS_KEY, etc.) in /etc/environment or ~/.aws/credentials

Efren
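An added example, not part of Efren's answer: a shell check for the credential sources that the AWS CLI and SDK default chain consults before the instance profile, namely environment variables first and then the shared credentials file, since a stale key in either changes the principal S3 sees and produces exactly this kind of AccessDenied against a bucket policy that names the role. The environment variable names (current and legacy), ~/.aws/credentials and /etc/environment are the real locations; the --check path's call to the AWS CLI is the confirmation step and assumes the CLI is installed; the file contents used in testing are constructed.

```sh
#!/bin/sh
# Added example: find static credentials that would override the instance role.
# Environment variables and the shared credentials file are consulted before
# the instance profile, so a key left in either wins over the role.

# Return 0 (and name the variable) if a static key is present in the environment.
# Checks the current names and the legacy names some older SDKs read.
static_keys_in_env() {
    for v in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_ACCESS_KEY AWS_SECRET_KEY; do
        eval "val=\${$v:-}"
        [ -n "$val" ] && { echo "env: $v is set"; return 0; }
    done
    return 1
}

# Return 0 if the file defines an access key, in either credentials-file style
# (aws_access_key_id = ...) or /etc/environment style (AWS_ACCESS_KEY_ID=...).
file_has_keys() {
    [ -r "$1" ] || return 1
    grep -Eiq '^[[:space:]]*(export[[:space:]]+)?aws_access_key(_id)?[[:space:]]*=' "$1"
}

# Report every overriding source; return 0 only if none was found, i.e. the
# instance role is the effective credential source. File paths may be passed
# as arguments; the defaults are the standard locations.
instance_role_is_effective() {
    [ $# -gt 0 ] || set -- "$HOME/.aws/credentials" /etc/environment
    found=1
    static_keys_in_env && found=0
    for f in "$@"; do
        file_has_keys "$f" && { echo "file: $f defines an access key"; found=0; }
    done
    [ "$found" -eq 1 ]
}

if [ "${1:-}" = "--check" ]; then
    instance_role_is_effective \
        || echo "static credentials override the instance role for this user" >&2
    # Expect arn:aws:sts::<account>:assumed-role/aws-elasticbeanstalk-ec2-role/<instance-id>
    aws sts get-caller-identity
fi
```

Run it as the same user the deployment hooks run as (root, for the appdeploy hooks in the question), since each user has its own ~/.aws/credentials and environment.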