bearrito

Reputation: 2316

Boto failing to authenticate with S3 IAM role

I have a role named Role1. That role has the below policy applied to it.

I have an ec2 instance that has an IAM role of Role1.

When I attempt to conn.get_bucket('fooo_udata') I am returned a 403 error.

Any ideas about this?

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListAllMyBuckets"],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket","s3:GetBucketLocation","s3:*"],
      "Resource": ["arn:aws:s3:::fooo_uadata/","arn:aws:s3:::fooo_uadata/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject","s3:GetObject","s3:DeleteObject"],
      "Resource": ["arn:aws:s3:::fooo_uadata/","arn:aws:s3:::fooo_uadata/*"]
    }
  ]
}

Upvotes: 2

Views: 625

Answers (1)

garnaat

Reputation: 45846

I don't think you want to include the "/" character on your bucket policies. So, try changing:

{
  "Effect": "Allow",
  "Action": ["s3:ListBucket","s3:GetBucketLocation","s3:*"],
  "Resource": ["arn:aws:s3:::fooo_uadata/","arn:aws:s3:::fooo_uadata/*"]
},

To this:

{
  "Effect": "Allow",
  "Action": ["s3:ListBucket","s3:GetBucketLocation","s3:*"],
  "Resource": ["arn:aws:s3:::fooo_uadata","arn:aws:s3:::fooo_uadata*"]
},

Since the name of your bucket is foo_uadata not foo_uadata/.

Upvotes: 3
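
The resource patterns discussed above, compared in an added example that is not part of the original question or answer: a simplified model of IAM wildcard matching (Allow statements only, no Deny or conditions) run over the question's policy, the answer's patterns, and a bucket ARN paired with `/*`. The object key and the second bucket name `fooo_uadata_backup` are constructed, and the example assumes the failing call needs `s3:ListBucket` on the bucket ARN.

```python
import re

def wildcard_match(pattern, value):
    """Simplified IAM-style match: '*' is any run of characters, '?' is one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None

def as_list(v):
    return v if isinstance(v, list) else [v]

def is_allowed(policy, action, resource_arn):
    """True if some Allow statement matches both the action and the resource."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if (any(wildcard_match(a, action) for a in as_list(stmt["Action"]))
                and any(wildcard_match(r, resource_arn)
                        for r in as_list(stmt["Resource"]))):
            return True
    return False

def bucket_policy(resources):
    """The policy from the question, with the bucket Resource list swapped in."""
    return {"Statement": [
        {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets"],
         "Resource": "arn:aws:s3:::*"},
        {"Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:GetBucketLocation", "s3:*"],
         "Resource": resources},
        {"Effect": "Allow",
         "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
         "Resource": resources},
    ]}

BUCKET = "arn:aws:s3:::fooo_uadata"
OBJECT = "arn:aws:s3:::fooo_uadata/key.txt"   # constructed object key
OTHER = "arn:aws:s3:::fooo_uadata_backup"     # constructed second bucket

QUESTION = bucket_policy(["arn:aws:s3:::fooo_uadata/", "arn:aws:s3:::fooo_uadata/*"])
ANSWER = bucket_policy(["arn:aws:s3:::fooo_uadata", "arn:aws:s3:::fooo_uadata*"])
SCOPED = bucket_policy(["arn:aws:s3:::fooo_uadata", "arn:aws:s3:::fooo_uadata/*"])

if __name__ == "__main__":
    for name, pol in [("question", QUESTION), ("answer", ANSWER), ("scoped", SCOPED)]:
        print(name,
              "bucket:", is_allowed(pol, "s3:ListBucket", BUCKET),
              "object:", is_allowed(pol, "s3:GetObject", OBJECT),
              "other bucket:", is_allowed(pol, "s3:ListBucket", OTHER))
```

In this model the trailing-slash pattern never matches the bucket ARN, while a bare trailing `*` also matches any other bucket whose name starts with `fooo_uadata`.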
