I'm having trouble pulling scripts from an S3 bucket to my AWS WorkSpace. I can't use access keys or secret keys because they seem to be temporary, and the script will be used by our support team in our org, so for security reasons access keys will not be suitable. I believe the best route for this is attaching a role to my WorkSpace to connect to S3, so I have attached a role with a policy to pull all scripts to my WorkSpace. But for some reason I'm still receiving this error.
D:\Script Test\newfile3.ps1 : Failed to download file from S3: The AWS Access Key Id you provided does not exist in our records.
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,newfile3.ps1
HERE is the script:
# Import the AWS PowerShell module
Import-Module AWSPowerShell -Force

# Define the S3 bucket and object key
$bucketName = "bucket-name"
$objectKey  = "new ad account/fd new ad account V4.ps1"

# Define the local file path where you want to save the downloaded code
$localFilePath = "D:\Script Test" # Replace with your desired local file path

# Download the code from S3
try {
    Read-S3Object -SecretKey $secretKey -AccessKey $accessKey -Region us-west-2 -BucketName $bucketName -Key $objectKey -File $localFilePath -ErrorAction Stop
    Write-Host "File downloaded successfully from S3."
}
catch {
    Write-Error "Failed to download file from S3: $_"
    exit 1
}

# Execute the downloaded code
try {
    & $localFilePath
    Write-Host "Script executed successfully."
}
catch {
    Write-Error "Failed to execute script: $_"
    exit 1
}
exit 0
HERE is the policy attached to the workspace role:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::your-bucket-name/*"
        }
    ]
}
HERE is the bucket policy:
{
    "Version": "2012-10-17",
    "Id": "Policy1711030019865",
    "Statement": [
        {
            "Sid": "AllowWorkspaceToGetObject",
            "Effect": "Allow",
            "Principal": {
                "Service": "workspaces.amazonaws.com"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::your-bucket-name/*"
        }
    ]
}
2 Answers
Obtaining credentials via IAM Roles uses the Amazon EC2 Metadata Service, which is not available for Amazon Workspaces.
The normal method of granting access would be to store IAM User credentials in a local credentials file. However, since this is a violation of your corporate policy, you would need to:

- Use the aws sts assume-role or aws sts get-session-token commands
- aws configure — this will store the credentials in a local configuration file and they will only be valid for a limited time period

This is no different to providing credentials on a personal computer, except that your policies mean you only want to use temporary credentials generated by the AWS Security Token Service (STS) instead of permanent credentials generated by AWS Identity and Access Management (IAM).
To grant access to S3 for those credentials, you only need to add permissions to the IAM Role or IAM User that you are using. There is no need to also grant access via the Bucket Policy. Normally, a bucket policy is only used when granting public or cross-account permissions.
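As an added example (not code from the question or either answer), here is the approach above expressed with the AWS Tools for PowerShell the question's script already uses: Use-STSRole stands in for aws sts assume-role, and the temporary credentials it returns are passed to Read-S3Object together with the session token that the original script never supplied. The role ARN, bucket name, and the existence of a base credential on the WorkSpace that is allowed to call sts:AssumeRole are assumptions.

```powershell
# Added example, not code from the question or either answer.
# Assumptions (placeholders): the role ARN and bucket name; AWSPowerShell is
# installed; and the support user has already stored a base credential
# (e.g. via `aws configure` or Set-AWSCredential) permitted to call
# sts:AssumeRole on that role.
Import-Module AWSPowerShell -Force

$roleArn    = "arn:aws:iam::111122223333:role/WorkspaceS3ReadRole"   # placeholder
$bucketName = "bucket-name"                                            # placeholder
$objectKey  = "new ad account/fd new ad account V4.ps1"
$region     = "us-west-2"
$localFile  = Join-Path $env:TEMP "fd-new-ad-account-V4.ps1"

# 1. Exchange the base credential for temporary ones. Use-STSRole is the
#    PowerShell equivalent of `aws sts assume-role`; 900 s is the minimum lifetime.
try {
    $assumed = Use-STSRole -RoleArn $roleArn -RoleSessionName "support-$env:USERNAME" `
        -DurationInSeconds 900 -Region $region -ErrorAction Stop
}
catch {
    Write-Error "Failed to assume role ${roleArn}: $_"
    exit 1
}
$cred = $assumed.Credentials   # AccessKeyId, SecretAccessKey, SessionToken, Expiration
Write-Host "Temporary credentials obtained; they expire at $($cred.Expiration.ToLocalTime())."

# 2. Download with the temporary credentials. The session token is mandatory:
#    an STS access key sent without it is rejected with the same
#    "The AWS Access Key Id you provided does not exist in our records" error
#    that the question shows.
try {
    Read-S3Object -BucketName $bucketName -Key $objectKey -File $localFile -Region $region `
        -AccessKey $cred.AccessKeyId -SecretKey $cred.SecretAccessKey `
        -SessionToken $cred.SessionToken -ErrorAction Stop
    Write-Host "File downloaded successfully from S3."
}
catch {
    Write-Error "Failed to download file from S3: $_"
    exit 1
}

# 3. Run the downloaded script. Nothing below needs AWS credentials, and the
#    temporary ones were held only in memory for this session.
& $localFile
exit $LASTEXITCODE
```

The only permissions the role needs are the s3:GetObject statement already shown in the question; the bucket policy can be left out entirely, as the answer notes.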
Make sure that the IAM role attached to your WorkSpace has the necessary permissions to access the S3 bucket. Your policy looks good but replace "arn:aws:s3:::your-bucket-name/*" with the actual ARN and make sure the role attached to your WorkSpace has the rights.
Also, replace "arn:aws:s3:::your-bucket-name/*" in your bucket policy.
https://docs.aws.amazon.com/workspaces/latest/adminguide/workspaces-access-control.html#workspaces-iam-role