
I have a docker-machine host running on an AWS EC2 instance. It is supposed to upload data to S3 via an SDK client.

  1. The docker machine is created in the EC2 instance using the following command:

         docker-machine create \
         --driver amazonec2 \
         --amazonec2-open-port ${open-port} \
         --amazonec2-region ${region} \
         --amazonec2-access-key ${access-key} \
         --amazonec2-secret-key ${secret-key} \
         --amazonec2-instance-type ${instance_type} \
         --amazonec2-ami ${this.ami} \
         --amazonec2-security-group ${security_group_name} \
         --swarm \
         --swarm-discovery token://${swarm_join_token} \
         --swarm-addr ${ip_address};
  2. I created an IAM user with AmazonS3FullAccess and also allowed public access on the bucket (screenshots omitted).

  3. The S3 bucket policy is:

    {
        "Version": "2012-10-17",
        "Id": "Policyxxx",
        "Statement": [
            {
                "Sid": "Stmtxxx",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::xxx"
                },
                "Action": "s3:*",
                "Resource": [
                    "arn:aws:s3:::xxx",
                    "arn:aws:s3:::xxx/*"
                ]
            }
        ]
    }

It keeps showing the error `AccessDenied: Access Denied`. Can someone help me?

Dan
  • Your bucket policy does not allow public access, which is a bad idea anyway with `s3:*` permissions. What is `arn:aws:iam::xxx`? Is it an instance role? – Marcin Dec 27 '20 at 06:13
  • Hi @Marcin, I just tried with public access `"Principle": "*"`, but got access denied too. `arn:aws:iam::xxx` is an IAM user with AmazonS3FullAccess and I started the EC2 instance with that access key ID and secret key. Anything else that I can try? – Dan Dec 27 '20 at 06:23

1 Answer


The access to S3 from the container running on the EC2 instance is not dictated by your IAM user credentials. Instead you should set up an IAM role/instance profile for the instance with S3 permissions, and then provide the role/profile name using the following docker-machine option:

    --amazonec2-iam-instance-profile

The permissions of the instance will be available inside the container if you use the AWS CLI or SDK.

Instead of a bucket policy, it's easier to add S3 permissions to the instance role.

Marcin
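The following script is an added example of the approach the answer describes; it is not code from the question or the answer. It goes a step further than the answer: the role's permission policy is scoped to listing the bucket and writing objects rather than `s3:*`, and it includes a check to run inside a container to confirm the SDK is picking up role credentials from the instance metadata service. The names `docker-machine-s3-uploader`, `example-upload-bucket` and the `us-east-1` region are placeholders chosen for this example. The `--amazonec2-access-key`/`--amazonec2-secret-key` flags from the question are only used by docker-machine itself to call the EC2 API when creating the instance; they are not what the instance or its containers authenticate with, which is why the instance profile is needed.

```shell
#!/bin/sh
# Added example (not from the original question or answer): give the
# docker-machine EC2 host an instance profile for S3 uploads instead of
# relying on an IAM user's long-lived access keys.
# ROLE_NAME, BUCKET and REGION are placeholder values for this example.
set -eu

ROLE_NAME="${ROLE_NAME:-docker-machine-s3-uploader}"
BUCKET="${BUCKET:-example-upload-bucket}"
REGION="${REGION:-us-east-1}"

# Trust policy: only the EC2 service may assume the role. This is what makes
# the role usable as an instance profile.
trust_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }]
}
EOF
}

# Permission policy: least privilege for an uploader. No s3:*, no delete,
# no bucket-level configuration changes.
upload_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListOwnBucket",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::${BUCKET}"
    },
    {
      "Sid": "PutObjectsOnly",
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:AbortMultipartUpload"],
      "Resource": "arn:aws:s3:::${BUCKET}/*"
    }
  ]
}
EOF
}

# Minimal docker-machine create command with the instance profile attached.
# Add the other --amazonec2-* flags from the question as needed.
machine_create_cmd() {
  printf 'docker-machine create --driver amazonec2 --amazonec2-region %s --amazonec2-iam-instance-profile %s %s\n' \
    "$REGION" "$ROLE_NAME" "$1"
}

# Create the role, attach the inline policy and wrap it in an instance
# profile. Runs with the operator's AWS CLI credentials (needs IAM rights).
provision() {
  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(trust_policy)"
  aws iam put-role-policy --role-name "$ROLE_NAME" \
    --policy-name "${ROLE_NAME}-s3" --policy-document "$(upload_policy)"
  aws iam create-instance-profile --instance-profile-name "$ROLE_NAME"
  aws iam add-role-to-instance-profile --instance-profile-name "$ROLE_NAME" \
    --role-name "$ROLE_NAME"
}

# Run inside a container on the new host: the role name should be listed by
# IMDS and sts:GetCallerIdentity should return an assumed-role ARN for it.
# Caveat: with IMDSv2 the default PUT hop limit of 1 blocks containers on a
# bridge network; raise it with
#   aws ec2 modify-instance-metadata-options --instance-id <id> \
#     --http-tokens required --http-put-response-hop-limit 2
verify_in_container() {
  token=$(curl -sS -X PUT "http://169.254.169.254/latest/api/token" \
    -H "X-aws-ec2-metadata-token-ttl-seconds: 300")
  curl -sS -H "X-aws-ec2-metadata-token: $token" \
    http://169.254.169.254/latest/meta-data/iam/security-credentials/
  echo
  aws sts get-caller-identity
}

case "${1:-}" in
  provision) provision ;;
  create)    machine_create_cmd "${2:?machine name}" ;;
  verify)    verify_in_container ;;
  *) : ;;   # no-op so the functions can be sourced or inspected
esac
```

Usage: `sh setup.sh provision` once with operator credentials, then run the command printed by `sh setup.sh create my-host` to create the machine, and finally `docker run --rm -it amazon/aws-cli ...` or any container with curl and the AWS CLI to run `verify` on the new host. If `get-caller-identity` still returns the IAM user rather than `assumed-role/docker-machine-s3-uploader/...`, the SDK is finding static keys in the environment or `~/.aws` before it reaches the instance profile.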