AWS EC2 IAM role access denied on S3

Question

I have launched an EC2 instance with IAM role "webapp". role is attached and i can confirm it using

curl http://169.254.169.254/latest/meta-data/iam/security-credentials/webapp
{
  "Code" : "Success",
  "LastUpdated" : "2016-01-04T06:44:50Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "xxx",
  "SecretAccessKey" : "xxx",
  "Token" : "xxx",
  "Expiration" : "2016-01-04T12:46:27Z"
}

webapp Role has an attached policy for S3

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "*"
    }
  ]
}

But I am unable to access objects on S3. I am using aws-php-sdk

require_once 'vendor/autoload.php';
use Aws\S3\S3Client;

$client = S3Client::factory(array('region'  => 'us-west-2','version'=>'2006-03-01'));
  $result = $client->getObject(array(
    'Bucket' => 'test-bkt88767',
    'Key'    => "file.txt",
  ));
echo $result['Body'] . "\n";

I am getting a 403 forbidden

PHP Fatal error:  Uncaught exception 'Aws\S3\Exception\S3Exception' with message 'Error executing "GetObject" on "https://s3-us-west-2.amazonaws.com/test-bkt88767/file.txt"; AWS HTTP error: Client error: `GET https://s3-us-west-2.amazonaws.com/test-bkt88767/file.txt` resulted in a `403 Forbidden` response:
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>995F9A (truncated...)
 AccessDenied (client): Access Denied - <?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>995F9AC51CC2164F</RequestId><HostId>JPKyfP1LBLW5ky2wH9t2CEjHrKT0tI9zgyXHU/qcJWvBoOwhK7O0dzl1wCjjzV58UhKZVHXvFFg=</HostId></Error>'

do I need to change bucket permissions as well? or I am doing something wrong with the conf. of EC2?

Does aws-php-sdk automatically use the instance role? I don't see any explicit reference to it in the code. — Michael - sqlbot, Jan 04 '16 at 13:01
Check the bucket policy on the s3 bucket, make sure there are no denies on it as well. — strongjz, May 06 '17 at 17:34

score 0 · Answer 1 · answered Jan 29 '18 at 03:11

Check your webapp role in IAM, it should say something like this:

{
    "Action": [
        "s3:ListBucket"
    ],
    "Resource": "arn:aws:s3:::your_bucket",
    "Effect": "Allow"
},
{
    "Action": [
        "s3:GetObject"
    ],
    "Resource": "arn:aws:s3:::your_bucket/*",
    "Effect": "Allow"
}

score 0 · Answer 2 · answered Jan 20 '20 at 06:23

0

Can you please check if there are AWS Secret Key and access ID Configured for any user who does not have proper access on the S3 bucket, or you can try hitting s3 API with another, I face the same issue sometime back.

answered Jan 20 '20 at 06:23

Server Gyan

1
1

AWS EC2 IAM role access denied on S3

2 Answers2

Linked