
Access Denied s3cmd from an EC2 machine

I'm trying to use a log rotation configuration for my nginx server that I'm using as a reverse proxy machine located on an EC2 Ubuntu instance.

I want to store those logs on an S3 bucket after a rotation but I'm only getting "access denied, are you sure your keys have ListAllMyBuckets permissions" errors when I'm trying to configure s3cmd tools.

I'm pretty sure that my credentials are correctly configured at IAM; I tried at least five different credentials (even the root cred) with the same result. It works fine to list all of my buckets from my local computer with aws cli tools with the same credentials, so it puzzles me that I don't have any access just on my EC2 instance.

This is what I run:

    which s3cmd
    /usr/local/bin/s3cmd

    s3cmd --configure --debug

    Access Key: **************
    Secret Key: *******************************
    Encryption password: 
    Path to GPG program: /usr/bin/gpg
    Use HTTPS protocol: False
    HTTP Proxy server name:
    HTTP Proxy server port: 0

And this is the result:

    ...
    DEBUG: ConnMan.put(): connection put back to pool (http://s3.amazonaws.com#1)
    DEBUG: S3Error: 403 (Forbidden)
    DEBUG: HttpHeader: x-amz-id-2: nMI8DF+............
    DEBUG: HttpHeader: server: AmazonS3
    DEBUG: HttpHeader: transfer-encoding: chunked
    DEBUG: HttpHeader: x-amz-request-id: 5912737605BB776C
    DEBUG: HttpHeader: date: Wed, 23 Apr 2014 13:16:53 GMT
    DEBUG: HttpHeader: content-type: application/xml
    DEBUG: ErrorXML: Code: 'AccessDenied'
    DEBUG: ErrorXML: Message: 'Access Denied'
    DEBUG: ErrorXML: RequestId: '5912737605BB776C'
    DEBUG: ErrorXML: HostId: 'nMI8DF+............
    ERROR: Test failed: 403 (AccessDenied): Access Denied
    ERROR: Are you sure your keys have ListAllMyBuckets permissions?

The only thing that is in front of my nginx server is a load balancer, but I can't see why it could interfere with my request. Could it be something else that I've missed?

Sam asked Apr 23 '14 13:04




3 Answers

Please check the permissions of the IAM user whose keys you are using.

The steps would be:

  • In the AWS console, go to the IAM panel
  • IAM users > select that user > in the bottom menu, the 2nd tab is Permissions
  • Attach a user policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": ["s3:ListAllMyBuckets"],
          "Resource": "arn:aws:s3:::*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "s3:ListBucket",
            "s3:GetBucketLocation"
          ],
          "Resource": "arn:aws:s3:::YOU-Bucket-Name"
        },
        {
          "Effect": "Allow",
          "Action": [
            "s3:PutObject",
            "s3:GetObject",
            "s3:DeleteObject"
          ],
          "Resource": "arn:aws:s3:::YOU-Bucket-Name/*"
        }
      ]
    }

Let me know how it goes.

abaid778 answered Oct 04 '22 03:10


Please don't trust the --configure switch:

I was facing the same problem. It was showing 403 in --configure, but at the end I saved the settings and then tried:

    ERROR: Test failed: 403 (AccessDenied): Access Denied
    Retry configuration? [Y/n] n
    Save settings? [y/N] y
    Configuration saved to '/root/.s3cfg'

    # s3cmd put MyFile s3://MyBucket/

and it worked.

Mr. Pundir answered Oct 04 '22 04:10
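The two answers above fit together if the `--configure` test needs `s3:ListAllMyBuckets` (as its error message says) while `put` only needs `s3:PutObject` on the bucket. The following is an added example, not code from either answer: a simplified identity-policy evaluator (no conditions, `NotAction`, bucket policies or SCPs) run against the policy from the first answer and a constructed upload-only policy. Assuming the key in the second answer was scoped like `UPLOAD_ONLY` (the page does not say), the test fails while the upload succeeds.

```python
import fnmatch

# Policy from the first answer, with its placeholder bucket name kept as posted.
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets"],
     "Resource": "arn:aws:s3:::*"},
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
     "Resource": "arn:aws:s3:::YOU-Bucket-Name"},
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::YOU-Bucket-Name/*"},
]}

# Constructed least-privilege policy for a log-upload job (assumption, not from the page).
UPLOAD_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::YOU-Bucket-Name/*"},
]}

# One (action, resource) pair per s3cmd step; a simplification of the real requests.
S3CMD_STEPS = {
    # Service-level call: no bucket is named, so the ARN has an empty resource part.
    "--configure test": ("s3:ListAllMyBuckets", "arn:aws:s3:::"),
    "put logfile.txt": ("s3:PutObject", "arn:aws:s3:::YOU-Bucket-Name/logfile.txt"),
}

def _as_list(value):
    """IAM allows a single string or a list for Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]

def is_allowed(policy, action, resource):
    """Explicit Deny wins; otherwise any matching Allow grants; default is deny."""
    allowed = False
    for st in _as_list(policy["Statement"]):
        hit = (any(fnmatch.fnmatchcase(action.lower(), a.lower())
                   for a in _as_list(st["Action"]))
               and any(fnmatch.fnmatchcase(resource, r)
                       for r in _as_list(st["Resource"])))
        if hit and st["Effect"] == "Deny":
            return False
        allowed = allowed or (hit and st["Effect"] == "Allow")
    return allowed

def check_steps(policy):
    """Map each s3cmd step to whether the policy would permit it."""
    return {step: is_allowed(policy, a, r) for step, (a, r) in S3CMD_STEPS.items()}

if __name__ == "__main__":
    for name, pol in (("page policy", PAGE_POLICY), ("upload only", UPLOAD_ONLY)):
        print(name, check_steps(pol))
```

For an unattended log-upload key, the narrower policy is the one to prefer; the failed `--configure` test is then expected rather than a sign of broken credentials.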


s3cmd creates a file called .s3cfg in your home directory when you set this up. I would make sure you put this file somewhere where your logrotate script can read this, and use the -c flag.

For example to upload the logfile.txt file to the logbucket bucket:

    /usr/local/bin/s3cmd -c /home/ubuntu/.s3cfg put logfile.txt s3://logbucket

user3566750 answered Oct 04 '22 02:10