Amazon Web Services Question posted in
The official Amazon Web Services documentation can be found here.

Amazon web services – EC2 cannot access S3 in the same account with proper IAM role

I have two EC2 instances: ec2-1 and ec2-2, one s3 bucket: bucket-1, all in the same aws account.

both instances are associated with the same IAM role which has this trust relationship:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "ec2.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

for permissions policy, this IAM role has AmazonS3FullAccess

I have set up aws credentials via aws configure, typed in the same access/secret keys on both instances.

These two instances have the same VPC, security group, but somehow, ec2-1 could access bucket-1 via aws cli, while ec2-2 cannot and threw this error:

aws s3 ls

An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied

Could anyone help advise here?

Thanks!

Tags:

2

Answers


  1. 0

    In this simple Lab like VPC, there is no public Internet access unless you have setup an Internet Gateway and/or NAT. If you assign public IP addresses to the EC2 instances (and setup public routing), then a NAT Gateway is not required. If you are running in a private network, you need to provide a way for the EC2 instances to reach the S3 Service Endpoint – either via the Internet to a public endpoint or placing a VPC endpoint for S3 in the VPC.

    This documentation shows how to donfigure an S3 endpoint in your VPC if it is a private subnet.

    Login or Signup to reply.
  2. 0

    Normally, permissions are granted to an Amazon EC2 instance by assigning an IAM Role to the instance. Any software on the instance that uses an AWS SDK will automatically retrieve credentials associated with the IAM Role.

    However, you then mention that you used aws configure to store credentials on the instance. This will likely override the permissions granted via the IAM Role.

    You can use aws sts get-caller-identity to display which IAM entity is currently being used to call AWS. This will help you debug which entity is being used so you can then check if that entity has sufficient permissions.

    If I had to guess, one instance is probably using the IAM Role permissions (and is working) while the other is using the locally-stored credentials (and is failing).

    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search