tngrj

Reputation: 141

Unable to access files on the tmp directory

I am trying to access the .json file that I have downloaded to the /tmp/ directory using the ebconfig to store private keys on S3.

files:
  "/tmp/firebaseadminsdk.json" :
    mode: "000400"
    owner: root 
    group: root
    authentication: "S3Auth"
    source: 'source url'

But it's giving me the following error:

Error: EACCES: permission denied, open '/tmp/firebaseadminsdk.json'

There is a paragraph in the documentation which says:

The second entry uses the S3Auth authentication method to download the private key from the specified URL and save it to /etc/pki/tls/certs/server.key. The proxy server can then read the private key from this location to terminate HTTPS connections at the instance.

Unfortunately I am not using any proxy as it is recommended not to use one and if I was to change it to , it causes the health of the instance to turn to severe.

I have double-confirmed that the IAM account has read and write access to the bucket containing the file. I have also added a bucket policy to give the IAM account full access to interact with the bucket, as seen below:

{
    "Version": "2012-10-17",
    "Id": "Policy1546355608026",
    "Statement": [
        {
            "Sid": "Stmt_____",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::______:role/aws-elasticbeanstalk-ec2-role"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::_____/firebaseadminsdk.json"
        }
    ]
}

I also went to EC2, into my instance, and added the S3fullaccess policy to the IAM role being used by the instance, but after doing all of that the error still remains.

I am also using a load balancer which might cause some issues?

Error Message

Error: EACCES: permission denied, open '/tmp/firebaseadminsdk.json'
    at Object.openSync (fs.js:436:3)
    at Object.readFileSync (fs.js:341:35)
    at Object.Module._extensions..json (internal/modules/cjs/loader.js:705:20)
    at Module.load (internal/modules/cjs/loader.js:598:32)
    at tryModuleLoad (internal/modules/cjs/loader.js:537:12)
    at Function.Module._load (internal/modules/cjs/loader.js:529:3)
    at Module.require (internal/modules/cjs/loader.js:636:17)
    at require (internal/modules/cjs/helpers.js:20:18)
    at Object.<anonymous> (/var/app/current/index.js:9:22)
    at Module._compile (internal/modules/cjs/loader.js:688:30)
fs.js:115
    throw err;

Upvotes: 3

Views: 1470

Answers (1)

user4494077

In your code for file copying, change the permissions from owner read (400) to read for everyone (444).

files:
  "/tmp/firebaseadminsdk.json" :
    mode: "000444"
    owner: root 
    group: root
    authentication: "S3Auth"
    source: 'source url'

Read permission for everyone on private keys may be insecure.

But I am using it for the alpha version of the app and will later implement AWS KMS (Key Management Service), also because of key rotation.

Upvotes: 1
