1
votes

I am trying to use this template to download file from S3 bucket during cloudformation build.

It's failing with the error message below.

The authorization mechanism you have provided is not supported. Please use AWS4-HMAC-SHA256.

Using this template:

https://raw.githubusercontent.com/awslabs/aws-hangouts/master/20140130_cfn/s3-role-authentication.json

 2017-08-26 03:13:38,763 [ERROR] Unhandled exception during build: Failed to retrieve https://hello.s3.amazonaws.com/index.html: HTTP Error 400 : <?xml version="1.0" encoding="UTF-8"?>
<Error><Code>InvalidRequest</Code><Message>The authorization mechanism you have provided is not supported. Please use AWS4-HMAC-SHA256.</Message><RequestId>5328A90F4EBF081D</RequestId><HostId>nUyURkNRX7Ty5xU1LiY3wO/aFDzjiWYw9JWq0PlVdmjMCqUP7sG8FN1w5BwmtEWc8IKpeMqkv6k=</HostId></Error>
Traceback (most recent call last):
  File "/opt/aws/bin/cfn-init", line 171, in <module>
    worklog.build(metadata, configSets)
  File "/usr/lib/python2.7/site-packages/cfnbootstrap/construction.py", line 129, in build
    Contractor(metadata).build(configSets, self)
2

2 Answers

1
votes

I also got the "AWS4-HMAC-SHA256" error. I will explain the scenario and how I fixed it so it will help somebody. I got the error because my bucket was in a different region than the region in which I provisioned my CloudFormation stack.

  • Use https://s3.<bucket-region>.amazonaws.com/<bucket>/<file-name> (the bucket's own regional endpoint) as the bucket object URL
  • You need to use the same role in the Authentication section that is used in the instance profile for the EC2 instance.

Here is the CloudFormation template:

Resources:
  MyEC2:
    Type: "AWS::EC2::Instance"
    Properties:
      IamInstanceProfile: !Ref IAMRoleS3FullAccessInstanceProfile 
    ......
    Metadata:
      AWS::CloudFormation::Authentication:
        S3BucketAccessCredential:
          type: "S3"
          roleName: !Ref IAMRoleS3FullAccess

      AWS::CloudFormation::Init:
        config:
          .....
          files:
            /etc/nginx/sites-available/webserver:
              # Path-style URL on the bucket's own regional endpoint,
              # e.g. https://s3.eu-central-1.amazonaws.com/<bucket>/<file-name>
              source: "https://s3.<bucket-region>.amazonaws.com/<bucket>/<file-name>"
              mode: "000600"
              owner: root
              group: root
              authentication: "S3BucketAccessCredential"

  # S3 Access role
  IAMRoleS3FullAccess:
    Type: AWS::IAM::Role
    Properties:
      # AmazonS3FullAccess grants read/write on every bucket in the account;
      # for a read-only file fetch, an inline policy allowing s3:GetObject on
      # the one bucket/prefix is the least-privilege choice.
      ManagedPolicyArns: 
        - "arn:aws:iam::aws:policy/AmazonS3FullAccess"
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Principal:
            Service:
            - ec2.amazonaws.com
          Action:
          - sts:AssumeRole
      Path: "/"

  # Instance profile
  IAMRoleS3FullAccessInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: "/"
      Roles:
      - !Ref IAMRoleS3FullAccess  
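The two fixes in the answer above (a region-specific object URL, and an Authentication role that is actually attached to the instance profile) can be checked mechanically before a stack is launched. The following is an added example, not code from the post or from AWS: it builds the regional path-style URL from the value GetBucketLocation returns (handling the legacy quirks where an empty constraint means us-east-1 and "EU" means eu-west-1), and it walks the JSON form of a template to flag file sources on the global s3.amazonaws.com endpoint and Authentication entries whose role is not in the instance's profile. The sample template, the bucket name "hello" and the role name "SomeOtherRole" are constructed for the demonstration.

```python
"""Pre-flight checks for cfn-init S3 file sources (added example, not from the post).

Uses only the standard library and operates on a template already parsed
into a dict (JSON form, with intrinsic refs as {"Ref": "LogicalId"}).
"""
import re

# Legacy global endpoint forms that resolve to us-east-1 regardless of where
# the bucket lives, e.g. https://s3.amazonaws.com/<bucket>/<key> or
# https://<bucket>.s3.amazonaws.com/<key>.
GLOBAL_ENDPOINT_RE = re.compile(r"^https://(?:[^/]+\.)?s3\.amazonaws\.com/")


def normalize_bucket_region(location_constraint):
    """Map a GetBucketLocation LocationConstraint value to a region name.
    None or "" means us-east-1; the legacy value "EU" means eu-west-1."""
    if not location_constraint:
        return "us-east-1"
    if location_constraint == "EU":
        return "eu-west-1"
    return location_constraint


def regional_s3_url(bucket, key, location_constraint):
    """Path-style URL on the bucket's own regional endpoint, the form the
    answer recommends for cfn-init 'source' entries."""
    region = normalize_bucket_region(location_constraint)
    return "https://s3.%s.amazonaws.com/%s/%s" % (region, bucket, key.lstrip("/"))


def check_instance(template, instance_name):
    """Return a list of problem strings for one AWS::EC2::Instance:
    file sources on the global endpoint, undefined authentication names, and
    S3 Authentication roles not present in the instance's instance profile."""
    resources = template["Resources"]
    inst = resources[instance_name]
    problems = []

    profile_ref = inst.get("Properties", {}).get("IamInstanceProfile", {})
    profile_id = profile_ref.get("Ref") if isinstance(profile_ref, dict) else None
    profile = resources.get(profile_id, {})
    profile_roles = {r.get("Ref") for r in profile.get("Properties", {}).get("Roles", [])
                     if isinstance(r, dict)}

    meta = inst.get("Metadata", {})
    auth = meta.get("AWS::CloudFormation::Authentication", {})
    init = meta.get("AWS::CloudFormation::Init", {})

    for cfg_name, cfg in init.items():
        if cfg_name == "configSets" or not isinstance(cfg, dict):
            continue
        for path, spec in cfg.get("files", {}).items():
            src = spec.get("source", "")
            if GLOBAL_ENDPOINT_RE.match(src):
                problems.append("%s: source uses the global s3.amazonaws.com endpoint" % path)
            auth_name = spec.get("authentication")
            if auth_name is None:
                continue
            entry = auth.get(auth_name)
            if entry is None:
                problems.append("%s: authentication %r is not defined" % (path, auth_name))
                continue
            if entry.get("type") == "S3":
                role = entry.get("roleName", {})
                role_name = role.get("Ref") if isinstance(role, dict) else role
                if role_name not in profile_roles:
                    problems.append("%s: role %r is not in instance profile %s"
                                    % (path, role_name, profile_id))
    return problems


def sample_template(source_url, auth_role):
    """Constructed JSON-form equivalent of the answer's YAML template."""
    return {"Resources": {
        "MyEC2": {
            "Type": "AWS::EC2::Instance",
            "Properties": {"IamInstanceProfile": {"Ref": "IAMRoleS3FullAccessInstanceProfile"}},
            "Metadata": {
                "AWS::CloudFormation::Authentication": {
                    "S3BucketAccessCredential": {"type": "S3", "roleName": {"Ref": auth_role}}},
                "AWS::CloudFormation::Init": {"config": {"files": {
                    "/etc/nginx/sites-available/webserver": {
                        "source": source_url, "mode": "000600", "owner": "root",
                        "group": "root", "authentication": "S3BucketAccessCredential"}}}}}},
        "IAMRoleS3FullAccess": {"Type": "AWS::IAM::Role", "Properties": {}},
        "IAMRoleS3FullAccessInstanceProfile": {
            "Type": "AWS::IAM::InstanceProfile",
            "Properties": {"Roles": [{"Ref": "IAMRoleS3FullAccess"}]}}}}


if __name__ == "__main__":
    # Constructed inputs: the questioner's global-endpoint URL versus the
    # regional form, with a matching and a mismatched Authentication role.
    bad = sample_template("https://hello.s3.amazonaws.com/index.html", "SomeOtherRole")
    good = sample_template(regional_s3_url("hello", "index.html", "eu-central-1"),
                           "IAMRoleS3FullAccess")
    for label, tpl in (("bad", bad), ("good", good)):
        print(label, check_instance(tpl, "MyEC2"))
```

In practice the location constraint comes from `aws s3api get-bucket-location --bucket <bucket>`; the checker deliberately stays offline so it can run in a CI step against the template file alone.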
0
votes