I have an AWS Elastic Beanstalk Rails app that I am configuring via the config script to pull some files from an S3 bucket. When I start up the application, I keep receiving the following error in the logs (bucket name has been changed for security):

Failed to retrieve https://s3.amazonaws.com/my.bucket/bootstrap.sh: HTTP Error 403 : <?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message>

Config file:

packages:
  yum:
    git: []

files:
  /opt/elasticbeanstalk/hooks/appdeploy/pre/01a_bootstrap.sh:
    mode: "00755"
    owner: root
    group: root
    source: https://s3.amazonaws.com/my.bucket/bootstrap.sh

The Elastic Beanstalk environment is setup with the aws-elasticbeanstalk-ec2-role IAM role as it's instance role. This role has the following policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:Get*",
        "s3:List*"
      ],
      "Resource": "arn:aws:s3:::my.bucket/*"
    }
  ]
}

And the S3 bucket has the following policy:

{
"Version": "2008-10-17",
"Statement": [
    {
        "Sid": "Stmt1371012493903",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::<account #>:role/aws-elasticbeanstalk-ec2-role"
        },
        "Action": [
            "s3:List*",
            "s3:Get*"
        ],
        "Resource": "arn:aws:s3:::my.bucket/*"
    }
]
}

What do I need to change to give my EC2 instances access to my S3 bucket?


Solution 1:

From your EC2 insctance, you will also have to retrieve the temporary credentials in the instance metadata:

curl http://169.254.169.254/latest/meta-data/iam/security-credentials/<your-iam-role-name>

You shall then use the provided access and secret key to access your S3 bucket.