aws s3 command responds with 403 forbidden - amazon-web-services

Trying to install AWS CodeDeploy agent on my EC2 instance
aws s3 cp s3://aws-codedeploy-ap-southeast-2/latest/install . --region ap-southeast-2
fatal error: An error occurred (403) when calling the HeadObject operation: Forbidden
The IAM role for the instance has this policy document:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:Get*",
        "s3:List*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
and this trust relationship:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "codedeploy.ap-southeast-2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

I followed the guideline at
http://docs.aws.amazon.com/codedeploy/latest/userguide/codedeploy-agent-operations-install-linux.html
Also I attached AdministratorGroup Policy to my user.
Code Deploy agent is now running in my box.

That command is not correct. cp is used to upload something to S3; to download a file you could use curl or wget:
curl -O https://aws-codedeploy-ap-southeast-2.s3.amazonaws.com/latest/install
or
wget https://aws-codedeploy-ap-southeast-2.s3.amazonaws.com/latest/install

How to solve Access Denied error on AWS S3?

I'm trying to run this command on my AWS cli:
aws s3 ls s3://BUCKET_NAME
But it throws this error:
An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied
Here are my authorizations, settings and steps I have tried:
I'm an IAM user with administrator privileges.
I've set this policy on my IAM account:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "s3permission",
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::BUCKET_NAME/*"
      ]
    }
  ]
}
I've set this policy on the BUCKET_NAME.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "s3permission",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/MY_USERNAME"
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::BUCKET_NAME",
        "arn:aws:s3:::BUCKET_NAME/*"
      ]
    }
  ]
}
I've run aws configure and configured my profile.
We're not using VPN.
But it doesn't work. What am I missing?

AWS-CLI S3: Can list but cannot copy

Please help. I have gone through many SO and AWS posts and no solutions seem to be working for me.
I am trying to run the command aws s3 cp s3://buckets/<bucket-name>/<grandparent-dir>/<parent-dir>/<child-dir> <local-dir> --recursive in order to copy all the contents of the child-dir folder to a local-dir folder on my machine. I keep getting the error fatal error: An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied.
Running aws s3 ls <bucket-name>/<grandparent-dir>/<parent-dir>/<child-dir> successfully prints all the items in the child-dir, so I must have ListObjects permissions.
I am the owner of this bucket. The id printed when running aws s3api list-buckets --query Owner.ID matches the id shown when running aws s3api list-objects --bucket <bucket-name> --prefix "<grandparent-dir>/<parent-dir>/<child-dir>"
I am logged in as an IAM User within the user group groupA
groupA has the following IAM policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:GetAccountPublicAccessBlock",
        "s3:ListAllMyBuckets",
        "s3:ListAccessPoints"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::<bucket-name>/*"
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketPublicAccessBlock",
        "s3:GetBucketPolicyStatus",
        "s3:ListBucket",
        "s3:GetBucketAcl"
      ],
      "Resource": "arn:aws:s3:::<bucket-name>"
    }
  ]
}
The bucket itself has the following bucket policy:
{
  "Version": "2012-10-17",
  "Id": "Policy1546414473940",
  "Statement": [
    {
      "Sid": "Stmt1546414471931",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<user-id>:user/<user-name>"
      },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::<bucket-name>"
    }
  ]
}
I have run aws configure and put in my valid access_key, secret_key, and region. I have confirmed this with aws configure list as well as opening the /.aws/credentials file. The region selected is the same as the region of the bucket.
I have logged in as the root user and turned all 4 options off for Block Public Access both in the permissions tab of the bucket itself and the account options on the left side menu.
Still, after all this, I am getting the error fatal error: An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied when trying to run the copy command. However, the list command is working.
What am I doing wrong? Please save me!
If I have left any important information out, please let me know.
After reading the comment by @JohnRotenstein, I realized that when entering the endpoint name for the S3 bucket, the buckets term should not be present. By modifying my endpoint
from:
aws s3 cp s3://buckets/<bucket-name>/<grandparent-dir>/<parent-dir>/<child-dir> <local-dir> --recursive
to:
aws s3 cp s3://<bucket-name>/<grandparent-dir>/<parent-dir>/<child-dir> <local-dir> --recursive
the download started working.
Huge thank you to @JohnRotenstein!

Getting a syntax error in creating a new policy using aws cli

I tried to run the following command to create a new policy.
$ aws iam create-policy --policy-name my-policy --policy-document file://ex-policy.json
But I got the following error.
An error occurred (MalformedPolicyDocument) when calling the CreatePolicy operation: Syntax errors in policy.
The policy.json is in my current directory and it looks like this.
{
  "Version": "2012-10-17T00:00:00.000Z",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["sns:Publish"],
      "Resource": ["*"]
    }
  ]
}
What is my issue?
In this policy, "Version": "2012-10-17T00:00:00.000Z", is incorrect. It should be:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["sns:Publish"],
      "Resource": ["*"]
    }
  ]
}

aws assume role on shell script does not assume the role

I'm following a tutorial where I assume roles on EC2 instances so it has access to services. I'm following this tutorial (https://medium.com/swlh/aws-iam-assuming-an-iam-role-from-an-ec2-instance-882081386c49), but I'm stuck on the cli part when I start running a "aws s3 ls". Just so I know it works, I gave the AssumedRole all access to s3.
This is my setup:
ImplicitRole // will be attached to EC2
policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::xxx:role/*"
    }
  ]
}
AssumedRole // will be the role assumed once logged in to EC2
policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::*"
      ]
    }
  ]
}
What happens is I would run the following on cli
aws sts assume-role --role-arn arn:aws:iam::****:role/AssumedRole --role-session-name test-session
Then I will get the Credentials
{
  "Credentials": {
    "AccessKeyId": "key",
    "SecretAccessKey": "secret",
    "SessionToken": "longtoken",
    "Expiration": "2020-07-08T07:29:51+00:00"
  },
  "AssumedRoleUser": {
    "AssumedRoleId": "AKDIEEOOKDLKSDJFDJ:test-session",
    "Arn": "arn:aws:sts::xxxx:assumed-role/AssumedRole/test-session"
  }
}
and then I update the environment variables, e.g. set AWS_ACCESS_KEY_ID=XXXX, etc.
Once done, I run the following, but it gives me ListObject AccessDenied:
aws s3 ls s3://bucket
An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied

AWS IAM not allowing PutObject

Here is what I did:
1) Added the following policy to an IAM user:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": "arn:aws:s3:::bucket-name"
    }
  ]
}
2) I signed in as that user using the aws-cli
3) Ran the following command:
aws s3 sync ./dist s3://bucket-name/ --delete
I get a bunch of this:
An error occurred (AccessDenied) when calling the PutObject operation: Access Denied
The strange thing is that this works fine:
aws s3api list-objects --bucket bucket-name
which means that my policy is working at some level...
Thanks in advance
Ok, I figured this out. The policy needs to be:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::bucket-name",
        "arn:aws:s3:::bucket-name/*"
      ]
    }
  ]
}
Note the difference in resources. Basically, the bucket itself is considered a different resource from the objects inside it.
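The threads above share one root cause: the `aws s3` CLI issues several API calls per sub-command, and each call is authorised against a different ARN (ListObjectsV2 against `arn:aws:s3:::bucket`, GetObject/PutObject against `arn:aws:s3:::bucket/key`), while the bucket name is always the first path segment of the `s3://` URI. The following is an added example (my own code, not from any of the posts above or from AWS) that makes those rules checkable offline: it parses an `s3://` URI, maps a sub-command to the actions and ARNs it needs, evaluates an identity policy with simplified IAM semantics, and lints for the bad `Version` string. Assumptions: the `COMMAND_ACTIONS` map is a simplified, constructed model of the CLI's calls; Conditions, NotAction/NotResource, bucket policies and SCPs are not evaluated; `my-bucket` and the other bucket names are placeholders carried over from the questions.

```python
import re

# Bucket-level actions are authorised against arn:aws:s3:::bucket; every other S3
# action modelled here is object-level and needs arn:aws:s3:::bucket/key.
# Lower-cased because IAM matches action names case-insensitively.
BUCKET_LEVEL_ACTIONS = {"s3:listbucket", "s3:getbucketacl",
                        "s3:getbucketpolicystatus", "s3:getbucketpublicaccessblock"}

# S3 API calls the CLI makes behind each sub-command (constructed, simplified model).
COMMAND_ACTIONS = {
    "ls": ["s3:ListBucket"],                                         # ListObjectsV2
    "cp (single object download)": ["s3:GetObject"],                 # HeadObject + GetObject
    "cp --recursive (download)": ["s3:ListBucket", "s3:GetObject"],  # ListObjectsV2, then GetObject
    "sync (upload)": ["s3:ListBucket", "s3:PutObject"],              # --delete also needs s3:DeleteObject
}

def parse_s3_uri(uri):
    """s3://bucket/key -> (bucket, key). The first path segment is always the bucket,
    so s3://buckets/<name>/x addresses a bucket literally called 'buckets'."""
    m = re.fullmatch(r"s3://([^/]+)/?(.*)", uri)
    if not m:
        raise ValueError(f"not an s3:// URI: {uri!r}")
    return m.group(1), m.group(2)

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _glob_match(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters (including '/'), '?' one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def _grants(actions, action):
    return any(_glob_match(p, action, True) for p in actions)

def is_allowed(policy, action, resource_arn):
    """Simplified identity-policy evaluation: an explicit Deny wins, otherwise at
    least one Allow must match both action and resource; the default is deny."""
    allowed = False
    for stmt in _as_list(policy.get("Statement", [])):
        if not _grants(_as_list(stmt.get("Action", [])), action):
            continue
        if not any(_glob_match(p, resource_arn) for p in _as_list(stmt.get("Resource", []))):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = allowed or stmt.get("Effect") == "Allow"
    return allowed

def check_command(policy, command, uri):
    """Return {action: allowed} for every action the sub-command needs on `uri`."""
    bucket, key = parse_s3_uri(uri)
    result = {}
    for action in COMMAND_ACTIONS[command]:
        arn = (f"arn:aws:s3:::{bucket}" if action.lower() in BUCKET_LEVEL_ACTIONS
               else f"arn:aws:s3:::{bucket}/{key}")
        result[action] = is_allowed(policy, action, arn)
    return result

def lint_policy(policy):
    """Flag the two mistakes from the threads: a non-date Version string, and Allow
    statements whose Resource list cannot match the ARN type their actions need."""
    findings = []
    if policy.get("Version") not in ("2012-10-17", "2008-10-17"):
        findings.append(f"Version must be the bare date '2012-10-17', got {policy.get('Version')!r}")
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        acts = _as_list(stmt.get("Action", []))
        res = [r.split(":::", 1)[-1] for r in _as_list(stmt.get("Resource", []))]  # drop arn:aws:s3:::
        if _grants(acts, "s3:ListBucket") and res and all("/" in r for r in res):
            findings.append("s3:ListBucket allowed only on object ARNs (bucket/...); add arn:aws:s3:::bucket")
        if (_grants(acts, "s3:GetObject") or _grants(acts, "s3:PutObject")) and res \
                and all("/" not in r and "*" not in r for r in res):
            findings.append("object actions allowed only on bucket ARNs; add arn:aws:s3:::bucket/*")
    return findings

# Policies taken from the questions and answers above (placeholder bucket names kept).
BUCKET_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*"], "Resource": "arn:aws:s3:::bucket-name"}]}
BUCKET_AND_OBJECTS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*"],
     "Resource": ["arn:aws:s3:::bucket-name", "arn:aws:s3:::bucket-name/*"]}]}
OBJECTS_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*"], "Resource": ["arn:aws:s3:::BUCKET_NAME/*"]}]}
GROUP_A = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/*"},
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketAcl"], "Resource": "arn:aws:s3:::my-bucket"}]}
BAD_VERSION = {"Version": "2012-10-17T00:00:00.000Z", "Statement": [
    {"Effect": "Allow", "Action": ["sns:Publish"], "Resource": ["*"]}]}

if __name__ == "__main__":
    print(check_command(BUCKET_ONLY, "sync (upload)", "s3://bucket-name/index.html"))         # PutObject False
    print(check_command(OBJECTS_ONLY, "ls", "s3://BUCKET_NAME"))                              # ListBucket False
    print(check_command(GROUP_A, "cp --recursive (download)", "s3://buckets/my-bucket/a/b"))  # both False
    print(lint_policy(BAD_VERSION), lint_policy(BUCKET_ONLY))
```

Run as a script, the three `check_command` calls reproduce the three failures: `sync` on the bucket-only policy gets ListBucket but not PutObject, `ls` on the objects-only policy gets no ListBucket at all, and the `s3://buckets/...` URI resolves to a bucket named `buckets` that the group policy never mentions, so even the otherwise correct ListBucket and GetObject grants do not apply. Point `lint_policy` at a policy file before `aws iam create-policy` to catch the `Version` and bucket/object ARN mismatches early.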