AWS EC2 IAM role access denied on S3

4
votes

I have launched an EC2 instance with IAM role "webapp". role is attached and i can confirm it using

curl http://169.254.169.254/latest/meta-data/iam/security-credentials/webapp
{
  "Code" : "Success",
  "LastUpdated" : "2016-01-04T06:44:50Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "xxx",
  "SecretAccessKey" : "xxx",
  "Token" : "xxx",
  "Expiration" : "2016-01-04T12:46:27Z"
}

webapp Role has an attached policy for S3

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "*"
    }
  ]
}

But I am unable to access objects on S3. I am using aws-php-sdk

require_once 'vendor/autoload.php';
use Aws\S3\S3Client;

$client = S3Client::factory(array('region'  => 'us-west-2','version'=>'2006-03-01'));
  $result = $client->getObject(array(
    'Bucket' => 'test-bkt88767',
    'Key'    => "file.txt",
  ));
echo $result['Body'] . "\n";

I am getting a 403 forbidden

PHP Fatal error:  Uncaught exception 'Aws\S3\Exception\S3Exception' with message 'Error executing "GetObject" on "https://s3-us-west-2.amazonaws.com/test-bkt88767/file.txt"; AWS HTTP error: Client error: `GET https://s3-us-west-2.amazonaws.com/test-bkt88767/file.txt` resulted in a `403 Forbidden` response:
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>995F9A (truncated...)
 AccessDenied (client): Access Denied - <?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>995F9AC51CC2164F</RequestId><HostId>JPKyfP1LBLW5ky2wH9t2CEjHrKT0tI9zgyXHU/qcJWvBoOwhK7O0dzl1wCjjzV58UhKZVHXvFFg=</HostId></Error>'

do I need to change bucket permissions as well? or I am doing something wrong with the conf. of EC2?

2
amazon-web-servicesamazon-s3amazon-ec2amazon-iam
Does aws-php-sdk automatically use the instance role? I don't see any explicit reference to it in the code.Michael - sqlbot
Check the bucket policy on the s3 bucket, make sure there are no denies on it as well.strongjz

2 Answers

0
votes

Check your webapp role in IAM, it should say something like this:

{
    "Action": [
        "s3:ListBucket"
    ],
    "Resource": "arn:aws:s3:::your_bucket",
    "Effect": "Allow"
},
{
    "Action": [
        "s3:GetObject"
    ],
    "Resource": "arn:aws:s3:::your_bucket/*",
    "Effect": "Allow"
}

IAM Role

0
votes

Can you please check if there are AWS Secret Key and access ID Configured for any user who does not have proper access on the S3 bucket, or you can try hitting s3 API with another, I face the same issue sometime back.