3

I'm trying to use the S3 Archive method to do a Chef deployment in Opsworks. I put the Chef archive in S3 and copied the address of https://s3.us-east-2.amazonaws.com/redacted/redacted.tar.gz. I gave the Instance Profile used by the instance full read/write access to the "redacted" bucket. However, during a deployment I get "setup_failed" and the logs show a 403 Forbidden while trying to access the S3 archive.

I found some AWS docs that suggested making the archive public. However I do not want my Chef code to be public to the world.

Why am I getting a 403 Forbidden even though the Instance Profile has the correct permissions to the archive?

2 Answers

0

How do you access the files in S3 bucket?

  1. Over HTTPS it won't work without making the files public. That's the case if in your Chef script you're doing for example:

    wget https://s3.us-east-2.amazonaws.com/redacted/redacted.tar.gz
    
  2. To make use of the IAM Role you'll have to download the files using AWS-CLI. That will get the correct permissions and should be able to download the file. For example:

    aws s3 cp s3://redacted/redacted.tar.gz .
    

    This should work.

Hope that helps :)

MLu
  • Thanks for the response! Option 1 is out of the question because I can't make it public. Option 2 just flat out doesn't work, which is odd, because it absolutely should work. I've verified the IAM permissions are correct and that I'm using the correct role in the AWS CLI. I'm starting to wonder if there's a bug. – five_dollar_shake Jan 15 '19 at 23:15
  • Something to note about option 2: the address of the bucket has to be a URL (starting with https:..), NOT an s3 resource (starting with s3://...). And we know that IAM permissions don't work when accessing resources over HTTPS. So the options given seem to contradict each other. It makes no sense that it asks for a HTTPS link AND IAM credentials when the two aren't compatible. – five_dollar_shake Jan 15 '19 at 23:17
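Added example, not part of MLu's answer or the original question: a small POSIX shell helper that takes the HTTPS address shown in the S3 console (path-style `https://s3.REGION.amazonaws.com/BUCKET/KEY` or virtual-hosted-style `https://BUCKET.s3.REGION.amazonaws.com/KEY`), rewrites it to the `s3://BUCKET/KEY` form the CLI expects, and fetches it with `aws s3 cp`, which signs the request with the instance profile's credentials so the object can stay private. The bucket and object names are the redacted placeholders from the question; `aws sts get-caller-identity` is the real CLI call for confirming which role the instance is actually using.

```shell
#!/bin/sh
# Convert an S3 HTTPS object URL into an s3:// URI.
# Handles path-style (s3.REGION.amazonaws.com/BUCKET/KEY) and
# virtual-hosted-style (BUCKET.s3.REGION.amazonaws.com/KEY) addresses.
# Anything else is rejected so we never hand an arbitrary host to the CLI.
to_s3_uri() {
  url="$1"
  rest="${url#https://}"
  case "$rest" in
    */*) ;;
    *) echo "no object key in URL: $url" >&2; return 1 ;;
  esac
  host="${rest%%/*}"
  path="${rest#*/}"
  case "$host" in
    s3.amazonaws.com|s3.*.amazonaws.com|s3-*.amazonaws.com)
      # path-style: the first path segment is the bucket
      bucket="${path%%/*}"
      key="${path#*/}"
      ;;
    *.s3.amazonaws.com|*.s3.*.amazonaws.com)
      # virtual-hosted-style: the bucket is everything before the last ".s3."
      bucket="${host%.s3.*}"
      key="$path"
      ;;
    *)
      echo "not an S3 endpoint: $host" >&2
      return 1
      ;;
  esac
  printf 's3://%s/%s\n' "$bucket" "$key"
}

# Show which IAM principal the CLI on this instance resolves to (instance profile
# role, if the metadata service is reachable). Useful when a 403 is really a
# "wrong role" problem rather than a bucket-policy problem.
show_caller() {
  aws sts get-caller-identity
}

# Download the archive under the instance role. `aws s3 cp` performs a signed
# request, unlike an anonymous HTTPS GET, which S3 answers with 403 for private objects.
fetch_archive() {
  uri="$(to_s3_uri "$1")" || return 1
  dest="${2:-.}"
  aws s3 cp "$uri" "$dest"
}

# Usage (placeholder bucket/key from the question):
#   ./fetch.sh https://s3.us-east-2.amazonaws.com/redacted/redacted.tar.gz /tmp
if [ -n "${1:-}" ]; then
  show_caller
  fetch_archive "$1" "${2:-.}"
fi
```

The rewrite step is the part that resolves the comment's apparent contradiction: the console gives you an HTTPS address, but the role-based download only works when that address is turned into an `s3://` URI and fetched by a client that signs the request.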
0

I drove myself nuts trying to get this to work before. Trying to access the bucket during initial boot would always fail. I think it had something to do with boot timing, and Chef asking for the file before the instance had rights to do so.

Sadly I moved on and gave up on the Opsworks chef solution. (This is even after talking to one of their Opsworks techs!) I've moved on to testing the Opsworks Chef Automate solution.

Chris_Work