 

Static content for AWS EC2 with IAM role

Reading through the (many) resources on how to use temporary AWS credentials on a launched EC2 instance, I can't seem to get an extremely simple POC running.

Desired:

  1. Launch an EC2 instance
  2. SSH in
  3. Pull a piece of static content from a private S3 bucket

Steps:

  1. Create an IAM role
  2. Spin up a new EC2 instance with the above IAM role specified; SSH in
  3. Set the credentials using aws configure and the details that (successfully) populated in http://169.254.169.254/latest/meta-data/iam/security-credentials/iam-role-name
  4. Attempt to use the AWS CLI directly to access the file

IAM role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::bucket-name/file.png"
    }
  ]
}

When I use the AWS CLI to access the file, this error is thrown:

A client error (Forbidden) occurred when calling the HeadObject operation: Forbidden
Completed 1 part(s) with ... file(s) remaining

Which step did I miss?

asked Mar 07 '14 23:03 by jterry



2 Answers

For future reference, the issue was in how I was calling the AWS CLI; previously I was running:

aws configure

...and supplying the details found in the auto-generated role profile.

Once I simply allowed it to find its own temporary credentials and just specified the only other required parameter manually (region):

aws s3 cp s3://bucket-name/file.png file.png --region us-east-1

...the file pulled fine. Hopefully this'll help out someone in the future!

answered Sep 22 '22 14:09 by jterry
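The answer above identifies the cause but not the mechanism, so here is an added example (not code from the original post) that shows it. Role credentials from the instance metadata service are temporary: their access key ID starts with ASIA and every request must also carry the session token. The interactive `aws configure` prompt only asks for the key ID and secret, so a profile built from pasted metadata values signs requests without the token and S3 answers 403 Forbidden. The role name, bucket and the SAMPLE_IMDS_JSON document below are constructed placeholders in the documented IMDS format, embedded so the example runs offline; `fetch_imds_credentials` performs the real IMDSv2 exchange and only works on an EC2 instance.

```python
"""Added example: why pasting instance-role credentials into `aws configure`
breaks, and how the three values must travel together.

Assumptions (not stated on the page): SAMPLE_IMDS_JSON is a constructed
credential document with fake values; the role name passed to
fetch_imds_credentials is a placeholder.
"""
import json
import urllib.request
from datetime import datetime, timezone

IMDS = "http://169.254.169.254"

# Constructed sample of what
# /latest/meta-data/iam/security-credentials/<role-name> returns.  Fake values.
SAMPLE_IMDS_JSON = """{
  "Code" : "Success",
  "LastUpdated" : "2014-03-07T22:00:00Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "ASIAEXAMPLEEXAMPLE00",
  "SecretAccessKey" : "exampleSecretKeyDoNotUse",
  "Token" : "exampleSessionTokenDoNotUse",
  "Expiration" : "2014-03-08T04:00:00Z"
}"""


def parse_utc(value):
    """Parse the ISO-8601 'Z' timestamps IMDS uses into an aware UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_imds_credentials(text):
    """Extract the three values a SigV4 signer needs, plus the expiry."""
    doc = json.loads(text)
    if doc.get("Code") != "Success":
        raise ValueError("IMDS credential lookup failed: %s" % doc.get("Code"))
    return {
        "access_key": doc["AccessKeyId"],
        "secret_key": doc["SecretAccessKey"],
        "session_token": doc["Token"],
        "expiration": parse_utc(doc["Expiration"]),
    }


def aws_configure_profile(creds):
    """What `aws configure` writes when you paste IMDS values into its prompts:
    key ID and secret only.  It never asks for a session token."""
    return {"aws_access_key_id": creds["access_key"],
            "aws_secret_access_key": creds["secret_key"]}


def credential_problems(profile, creds, now):
    """Reasons a static profile built from role credentials cannot work."""
    problems = []
    if profile["aws_access_key_id"].startswith("ASIA") and "aws_session_token" not in profile:
        problems.append("temporary key (ASIA...) without aws_session_token: "
                        "requests are signed without the token and S3 returns 403 Forbidden")
    if now >= creds["expiration"]:
        problems.append("credentials expired at %s; the instance profile rotates them, "
                        "a static config file does not" % creds["expiration"].isoformat())
    return problems


def env_for_cli(creds):
    """Environment the CLI and SDKs accept for temporary credentials, token included.
    On EC2 this is normally unnecessary: with no configured keys the CLI reads IMDS itself."""
    return {"AWS_ACCESS_KEY_ID": creds["access_key"],
            "AWS_SECRET_ACCESS_KEY": creds["secret_key"],
            "AWS_SESSION_TOKEN": creds["session_token"]}


def fetch_imds_credentials(role_name, timeout=2):
    """Fetch live role credentials with IMDSv2 (session-token-protected metadata).
    Only reachable from an EC2 instance; not exercised offline."""
    req = urllib.request.Request(IMDS + "/latest/api/token", method="PUT",
                                 headers={"X-aws-ec2-metadata-token-ttl-seconds": "21600"})
    with urllib.request.urlopen(req, timeout=timeout) as r:
        token = r.read().decode()
    req = urllib.request.Request(IMDS + "/latest/meta-data/iam/security-credentials/" + role_name,
                                 headers={"X-aws-ec2-metadata-token": token})
    with urllib.request.urlopen(req, timeout=timeout) as r:
        return parse_imds_credentials(r.read().decode())


if __name__ == "__main__":
    creds = parse_imds_credentials(SAMPLE_IMDS_JSON)
    now = parse_utc("2014-03-07T23:03:00Z")  # constructed "current" time
    for p in credential_problems(aws_configure_profile(creds), creds, now):
        print("problem:", p)
    for k, v in env_for_cli(creds).items():
        print("export %s=%s" % (k, v))
```

The practical rule follows from `credential_problems`: on an instance with a role, leave `~/.aws/credentials` empty so the CLI falls through to IMDS, where it also picks up rotated credentials before `Expiration`; if you must export credentials to a process, export all three variables from `env_for_cli`, never the first two alone.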


Hope this might help some other Googler that lands here.

The error

A client error (403) occurred when calling the HeadObject operation: Forbidden

can also be caused if your system clock is too far off. I was 12 hours in the past and got this error. Set the clock to within a minute of the true time, and the error went away.

answered Sep 20 '22 14:09 by Don Law
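The clock explanation in the answer above can be checked rather than guessed, so here is an added example (not code from the original answer). SigV4-signed requests carry the client's timestamp and are rejected when it differs from the server's by more than 15 minutes; a HEAD response has no body, so the usual RequestTimeTooSkewed error text is never shown and all you see is 403 Forbidden. The Date header on that same 403 response gives the server's clock, which is enough to measure the skew. SAMPLE_DATE_HEADER and the local times are constructed to reproduce the 12-hour offset the answer describes; `server_date` performs a real HEAD request and is only useful with network access.

```python
"""Added example: measure the clock skew behind a bare 403 on HeadObject.

Assumptions (not stated on the page): SAMPLE_DATE_HEADER is a constructed
response header; the 15-minute limit is the SigV4 request-time tolerance.
"""
import urllib.error
import urllib.request
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

SIGV4_MAX_SKEW = 15 * 60  # seconds either side of the server clock

SAMPLE_DATE_HEADER = "Fri, 07 Mar 2014 23:03:00 GMT"  # constructed server Date header


def local_utc(iso):
    """Parse a constructed 'local clock' value for offline use."""
    return datetime.strptime(iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def clock_skew_seconds(date_header, local_now):
    """Server time minus local time: positive when the local clock runs behind."""
    server_now = parsedate_to_datetime(date_header)  # aware UTC for a GMT header
    return (server_now - local_now).total_seconds()


def skew_rejects_signature(skew_seconds):
    """True when SigV4 would refuse the request on time alone."""
    return abs(skew_seconds) > SIGV4_MAX_SKEW


def diagnose(date_header, local_now):
    """Turn a 403 plus its Date header into an actionable message."""
    skew = clock_skew_seconds(date_header, local_now)
    if skew_rejects_signature(skew):
        return ("clock off by %d s (limit %d s): sync with chrony/ntpd, then retry"
                % (skew, SIGV4_MAX_SKEW))
    return ("clock within SigV4 tolerance (%d s): look at the IAM policy or a "
            "missing session token instead" % skew)


def server_date(url, timeout=5):
    """HEAD the endpoint and return its Date header; a 403 still carries one.
    Network-only helper, not exercised offline."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            return r.headers["Date"]
    except urllib.error.HTTPError as e:
        return e.headers["Date"]


if __name__ == "__main__":
    # Constructed: local clock 12 hours behind the server, as in the answer.
    behind = local_utc("2014-03-07T11:03:00Z")
    print(diagnose(SAMPLE_DATE_HEADER, behind))
    # Live check against a real endpoint, e.g. a bucket's virtual-hosted URL:
    # print(diagnose(server_date("https://bucket-name.s3.amazonaws.com/"),
    #                datetime.now(timezone.utc)))
```

Run the live variant against the bucket endpoint from the failing command; a skew reported above the limit points at NTP, a skew near zero means the 403 is a permissions or session-token problem and the clock is not the culprit.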