Reputation: 3889
Scenario: I have an EC2 instance and an S3 bucket under the same account, and my web app on that EC2 instance wants access to resources in that bucket.
Following the official docs, I created an IAM role with s3access and assigned it to the EC2 instance. To my understanding, my web app should now be able to access the bucket. However, after some trials, it seems I have to add an allowPublicRead bucket policy like this:
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "AllowPublicRead",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::mybucket/*"
    }
  ]
}
Otherwise I get access forbidden.
But why should I need this allowPublicRead bucket policy, since I already granted the s3access IAM role to the EC2 instance?
Upvotes: 4
Views: 1104
Reputation: 32376
The S3 s3:GetObject permission will only allow access to objects from your EC2 instance, and what you want is to access these objects from your web app, which means from your browser. In this case these images/objects will be rendered in the user's browser, and if it's a public-facing application then you need to assign the AllowPublicRead permission as well.
Upvotes: 1
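The distinction the answer draws is between two kinds of policy: the role's identity-based policy has no Principal and applies only to requests signed with the role's credentials (the EC2 instance), while the bucket policy in the question is resource-based and names Principal "*", which is every caller on the internet, authenticated or not. The following added example (not code from the question or the answer, standard library only) encodes the question's bucket policy next to a constructed sample of what the s3access role policy might look like, and runs a small audit that reports which Allow statements grant to anyone without a Condition. If the objects are not meant to be world-readable, the alternative to a public bucket is to fetch them with the role from the web app and stream them to the browser, or to hand the browser a short-lived presigned URL signed with the role's credentials; the bucket policy then stays private.

```python
"""Audit S3 policies for anonymous (public) grants.

Added example, not code from the original question or answer. The
instance-role policy below is a constructed sample; the bucket policy
is the one posted in the question.
"""
import json

# Identity-based policy attached to the EC2 instance role (constructed
# sample; the question only names the role "s3access"). It has no
# Principal: it applies to whoever holds the role's credentials, i.e.
# the instance itself, and to nobody else.
INSTANCE_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::mybucket/*"},
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": "arn:aws:s3:::mybucket"},
    ],
}

# Resource-based bucket policy exactly as posted in the question.
QUESTION_BUCKET_POLICY = {
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "AllowPublicRead",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::mybucket/*",
        }
    ],
}

# Constructed variant: wildcard principal, but narrowed by a Condition.
# The audit deliberately leaves such statements out for manual review.
CONDITIONED_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowFromVpcEndpointOnly",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::mybucket/*",
            "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}},
        }
    ],
}


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"}: any caller, including
    unauthenticated ones. Identity-based policies have no Principal at
    all, so they never match here."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_grants(policy):
    """Return (sid, actions, resources) for every Allow statement that
    grants to everyone and carries no Condition to narrow it."""
    found = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # conditioned wildcard grants need a separate review
        found.append((stmt.get("Sid", "<no Sid>"),
                      _as_list(stmt.get("Action")),
                      _as_list(stmt.get("Resource"))))
    return found


def describe(policy):
    """Human-readable summary of what a policy opens to anonymous callers."""
    grants = public_grants(policy)
    if not grants:
        return "no unconditional anonymous grants"
    return "; ".join(f"{sid}: {', '.join(acts)} on {', '.join(res)} for anyone"
                     for sid, acts, res in grants)


if __name__ == "__main__":
    for name, pol in [("instance role policy", INSTANCE_ROLE_POLICY),
                      ("question's bucket policy", QUESTION_BUCKET_POLICY),
                      ("conditioned bucket policy", CONDITIONED_BUCKET_POLICY)]:
        print(f"{name}: {describe(pol)}")
        print(json.dumps(pol, indent=2))
```

Running the script reports the role policy as having no anonymous grants and the question's policy as granting s3:GetObject on every object in mybucket to anyone; the conditioned variant is not reported, which is the intended behaviour of the check rather than a statement that it is safe. Run the same function over a bucket policy fetched with GetBucketPolicy before attaching it, and treat any non-empty result as a deliberate decision to publish those objects.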