skip to Main Content

There have been multiple questions about this topic but everybody seems to have their own situation.

I am trying to upload objects to an S3 bucket. For this, I created a BackendAdmin user in IAM. From localhost, with the credentials from the IAM BackendAdmin user works perfectly fine, and the files are uploaded to S3.

However, from an EC2 instance with ECS, using the same credentials I used locally, the upload fails with Access Denied error.

Why would it fail from my EC2 instance? I read online that EC2 instances may need access to S3 buckets separately. So I created the EcsS3Role role with the AmazonS3FullAccess policy and attached the newly created EcsS3Role role to my instance. Again, Access Denied error.

Next was to try creating policies on the S3 bucket side to make sure my ec2 resource had access. I turned off the Block public access feature and created this bucket policy to allow the Role I had created previously (EcsS3Role) to access S3:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::12345:role/EcsS3Role"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::my-bucket-name"
        }
    ]
}

Still, I keep getting Access Denied. I really don’t know what I could be missing here. Recall that everything works fine from my local computer using the exact same AWS IAM user that my EC2 instance is using.

Let me know if there’s more information I can provide to help solve this issue.

Update

I created a task role in my task definition with the AmazonS3FullAccess policy and then restarted my tasks with the new revision. Also deleted the Bucket Policy mentioned above. Still getting an Access Denied error

enter image description here

2

Answers


  1. There is an error in the s3 policy you posted. The final slash star is missing from Resource.

    It should be like this

    "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
    

    This should be the reason you have no access from the EC2 Iinstance.

    Login or Signup to reply.
  2. It sounds like you provided an EC2 instance profile, but you are running ECS tasks on the EC2 server, which don’t automatically inherit the IAM role of the EC2 instance they are running on. You specifically need to assign an IAM role as the ECS task role (not the task execution role) with the appropriate permissions to access the S3 bucket.

    You’ll need to either make sure the role assigned to the ECS task is also allowed in the S3 bucket policy, or just delete that bucket policy. I suggest deleting the bucket policy for now, as what you are trying to do is open the bucket access up, but what you are really doing is adding an extra security check that needs to pass before the bucket can be accessed, and as mentioned in another answer you have an error in your current bucket policy that will never allow anything to access the bucket.

    Login or Signup to reply.
Please signup or login to give your own answer.
Back To Top
Search