Getting files from an s3 bucket using IAM role credentials

I am trying to retrieve some files from a private s3 bucket to a filesystem location on an elastic beanstalk ec2 instance, but with no success.

I've created a bucket named dev-config containing a file named local.properties.

I've created an IAM policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::dev-config",
                "arn:aws:s3:::dev-config/*"
            ]
        }
    ]
}

And associated that policy with an IAM role, which in turn is associated with the EC2 instance. I have confirmed that I can fetch files from the s3 bucket using the aws-cli without providing any additional credentials, i.e. aws s3 ls s3://dev-config/local.properties

To my project I've added the following file:

.ebextensions/01_files.config

"/usr/share/tomcat7/lib/local.properties" :
    mode: "000777"
    owner: ec2-user
    group: ec2-user
    source: http://s3.amazonaws.com/dev-config/local.properties

I've also tried a few variations of the source url

    source: http://dev-config.s3.amazonaws.com/dev-config/local.properties
    source: http://dev-config.s3.amazonaws.com/local.properties
    source: s3://dev-config/local.properties

And I've also tried adding an authentication attribute with no success (there seem to be no docs on possible values for authentication):

    authentication: S3Access

None of the approaches have worked so far.

In some cases I get access denied messages in the logs:

    <?xml version="1.0" encoding="UTF-8"?>
      <Error><Code>AccessDenied</Code><Message>Access Denied</Message>
      <RequestId>blahblah</RequestId>
      <HostId>blahblah</HostId>
    </Error>

In other cases I have had error messages in the local.properties file itself:

    <Error><Code>PermanentRedirect</Code>
      <Message>The bucket you are attempting to access must be addressed using the specified endpoint. Please send all future requests to this endpoint.</Message>
      <Bucket>dev-config</Bucket><Endpoint>dev-config.s3.amazonaws.com</Endpoint>
      <RequestId>blahlblah</RequestId><HostId>blahlblah</HostId>
    </Error>

Has anyone managed to get this working?


After taking a look at this answer to Using environment properties with files in elastic beanstalk config files I added the following section to the .ebextensions/01_files.config

Resources:
  AWSEBAutoScalingGroup:
    Metadata:
      AWS::CloudFormation::Authentication:
        S3Access:
          type: S3
          roleName: aws-elasticbeanstalk-ec2-role
          buckets: dev-config

and updated the s3 url to include the bucket name in the host, so the final file looked like this:

"/usr/share/tomcat7/lib/local.properties" :
    mode: "000777"
    owner: ec2-user
    group: ec2-user
    source: https://dev-config.s3.amazonaws.com/local.properties

Resources:
  AWSEBAutoScalingGroup:
    Metadata:
      AWS::CloudFormation::Authentication:
        S3Access:
          type: S3
          roleName: aws-elasticbeanstalk-ec2-role
          buckets: dev-config

This enabled the elastic beanstalk ec2 instance to use the IAM role associated with it to access the s3 bucket containing the files.

PS: For this configuration to work, make sure that you've granted access to the S3 bucket in question to the aws-elasticbeanstalk-ec2-role principal. You can get the ARN from the IAM console.


Try with this IAM. It works for me.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::dev-config",
                "arn:aws:s3:::dev-config/*"
            ]
        }
    ]
}

If you need to have read/write/delete permissions you need something like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:DeleteObject",
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::dev-config",
                "arn:aws:s3:::dev-config/*"
            ]
        }
    ]
}

Regards.
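To see why the least-privilege policy in this answer is enough for the .ebextensions file download, and why a common mistake (omitting the `/*` object ARN) silently fails with AccessDenied, here is an added example, not from the question or the answers, that evaluates the page's policies the way IAM does in its simplest form: explicit Deny wins, any matching Allow grants, anything else is implicitly denied. The policies are constructed copies of the ones shown above; the `NO_OBJECT_ARN_POLICY` is an assumed mistaken variant for illustration, and condition keys, principals and bucket policies are not modelled.

```python
import fnmatch
import json

# Constructed copies of the policies on this page.
WILDCARD_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "s3:*",
                 "Resource": ["arn:aws:s3:::dev-config", "arn:aws:s3:::dev-config/*"]}]
}""")

READ_ONLY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                 "Resource": ["arn:aws:s3:::dev-config", "arn:aws:s3:::dev-config/*"]}]
}""")

# Hypothetical mistake: only the bucket ARN is listed, so objects inside it
# never match and GetObject on local.properties is implicitly denied.
NO_OBJECT_ARN_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                 "Resource": "arn:aws:s3:::dev-config"}]
}""")


def _as_list(value):
    """IAM accepts either a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)


def _matches(patterns, value, case_sensitive):
    # IAM wildcards: '*' matches any run of characters, '?' a single one.
    # fnmatchcase does not treat '/' specially, which is what ARNs need.
    # Action names are case-insensitive in IAM; resource ARNs are not.
    if not case_sensitive:
        patterns, value = [p.lower() for p in patterns], value.lower()
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_allowed(policy, action, resource_arn):
    """Simplified IAM evaluation: Deny overrides Allow; no match means deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(_as_list(stmt["Action"]), action, case_sensitive=False):
            continue
        if not _matches(_as_list(stmt["Resource"]), resource_arn, case_sensitive=True):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```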