0
votes

I created an IAM role as follows and attached it to my EC2 instance:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": "*"
        }
    ]
}

Also added bucket policy for my S3 bucket:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<my-aws-account-id>:role/Get-Pic"
            },
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": [
                "arn:aws:s3:::<my-bucket>",
                "arn:aws:s3:::<my-bucket>/*"
            ]
        }
    ]
}

The Block public access options of S3 are:

  • [on] Block public access to buckets and objects granted through new access control lists (ACLs)
  • [on] Block public access to buckets and objects granted through any access control lists (ACLs)
  • [off] Block public access to buckets and objects granted through new public bucket or access point policies
  • [off] Block public and cross-account access to buckets and objects through any public bucket or access point policies

But I still cannot access my S3 from EC2:

$ curl https://<my-bucket>.s3-ap-southeast-2.amazonaws.com/Instagram.png
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>2006E789486C0744</RequestId><HostId>DVldRN7BgUXvKvXElPYTVGd7mgAsoPEJkH9D/mlrr4Vv5FNZdr0DLbKTFkGu9ZuCo45yPq+i2rU=</HostId></Error>

Is there anything I should do?

1
Using curl, you are accessing S3 as a public website. The IAM role on EC2 has nothing to do with that. Your bucket policy does not allow public access, thus you fail. - Marcin
On the EC2 instance you should be using the AWS CLI (or SDK) to access the objects in your bucket, aws s3 cp s3://......, not curl - Marcin

1 Answer

1
votes

The reason it fails is that you are using curl to access objects as if they were publicly accessible. But your bucket policy does not allow for public read access. The correct policy should be:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject"],
            "Resource": ["arn:aws:s3:::example-bucket/*"]
        }
    ]
}

However, if you don't want your objects to be publicly accessible, on your instance you should be using the AWS CLI to get objects, e.g. aws s3 cp, or an SDK, e.g. boto3's get_object.
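What the CLI and SDK add, and the bare curl in the question lacks, is a Signature Version 4 signature computed over the request with the role's temporary credentials; without it S3 evaluates the GET as anonymous and the IAM role is never consulted. The pure-Python signer below is an added example, not code from the answer or from AWS; the bucket name, region, credentials and timestamp are constructed placeholders, and on a real instance the CLI/SDK fetch the credentials from the instance metadata service.

```python
import hashlib
import hmac
from datetime import datetime, timezone

EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()  # a GET carries no body


def sign_s3_get(bucket, key, region, access_key, secret_key, session_token, now):
    """Return the headers of a SigV4-signed GET for s3://bucket/key.
    session_token is mandatory for instance-role (temporary) credentials;
    `key` is assumed to need no URI encoding (true for Instagram.png)."""
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    day = amz_date[:8]
    headers = {
        "host": f"{bucket}.s3.{region}.amazonaws.com",
        "x-amz-content-sha256": EMPTY_SHA256,
        "x-amz-date": amz_date,
        "x-amz-security-token": session_token,
    }
    signed = ";".join(sorted(headers))
    canonical_headers = "".join(f"{h}:{headers[h]}\n" for h in sorted(headers))
    # Canonical request: method, URI, query (empty), headers, signed list, payload hash.
    canonical_request = "\n".join(
        ["GET", f"/{key}", "", canonical_headers, signed, EMPTY_SHA256])
    scope = f"{day}/{region}/s3/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    # Signing key: HMAC chain over the date, region, service and terminator.
    k = ("AWS4" + secret_key).encode()
    for part in (day, region, "s3", "aws4_request"):
        k = hmac.new(k, part.encode(), hashlib.sha256).digest()
    signature = hmac.new(k, string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed}, Signature={signature}")
    return headers


def as_curl(headers, key):
    """Render the signed request as a curl command, for comparison with the bare one."""
    flags = " ".join(f'-H "{h}: {v}"' for h, v in headers.items() if h != "host")
    return f'curl {flags} https://{headers["host"]}/{key}'


def example():
    # Constructed, non-working credentials (ASIA prefix = temporary credentials).
    return sign_s3_get("my-bucket", "Instagram.png", "ap-southeast-2", "ASIAEXAMPLE",
                       "wJalrEXAMPLESECRET", "FQoGEXAMPLETOKEN",
                       datetime(2024, 1, 2, 3, 4, 5, tzinfo=timezone.utc))


if __name__ == "__main__":
    print(as_curl(example(), "Instagram.png"))
```

The x-amz-date must be within a few minutes of S3's clock, so the headers are only valid around the moment they are generated.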