Trying to follow AWS CLI documentation for EC2 Instance to access S3 Bucket

0

Attempting to utilize the AWS CLI documentation, the following works: aws s3 ls s3://mybucketname

With the following specified in the conf file:

[default]
region = us-east-1
credential_source = Ec2InstanceMetadata

I've set up a Role and policy and attached that to the instance.

However, if I add the following, which the documentation specifies (https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html):

[default]
role_arn = arn:aws:iam::12345:role/myrolename
region = us-east-1
credential_source = Ec2InstanceMetadata

then aws s3 ls s3://mybucketname will fail with:

An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::123456:assumed-role/myrolename/i-12345 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::123456:role/myrolename

Why do I care that this syntax doesn't work, but the first one does? I'm using the CLI to model some product behavior, where I need to specify a Role to access a bucket. Figured this should work first.

BIGBMN
Asked 8 months ago, 249 views
2 answers
0

Hello Bigbmn,

Firstly, when you use the AWS CLI, and you've specified the role ARN in the configuration file as you've done, AWS CLI will try to assume that role when executing commands. This essentially means the CLI is requesting temporary credentials for that role to perform actions.

Your error indicates that there's an issue with the permissions associated with assuming that role.

Possible Solution: Adjust the trust relationship of the role. Here's a generic example of what it might look like:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

This is a basic trust policy that allows EC2 instances to assume the role. Depending on your architecture, you might want to narrow down which entities (e.g., specific EC2 roles) can assume this role.

After making adjustments, try the AWS CLI command again. If the issue persists, you might want to verify permissions and trust relationships in the AWS Management Console.

Answered 8 months ago
Expert
Reviewed 7 days ago
  • Thanks for the response. The role I'm specifying in the config file, does have that exact Trust relationship.

  • So based on the error I was getting, I needed to adjust the Trusted entities to include the Role, not just the EC2 instances, as follows:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "ec2.amazonaws.com",
            "AWS": "arn:aws:iam::123456:role/myrole"
          },
          "Action": [
            "sts:AssumeRole"
          ]
        }
      ]
    }

    Which is somewhat confusing to me. The config file worked if I just had credential_source = Ec2InstanceMetadata.

    It originally failed when I added the role_arn to the config file, but then worked when I added that role to the Trust.

    I'm only going down this path as I want to use software whose goal is to work with role-based access.

0

Hi, for the error "User: arn:aws:sts::123456:assumed-role/myrolename/i-12345 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::123456:role/myrolename", it indicates that the assumed-role session (arn:aws:sts::123456:assumed-role/myrolename/i-12345) tries to assume role myrolename again. When the IAM role myrolename is attached to an EC2 instance, by default the AWS CLI will be able to use that role to perform actions such as S3 operations, so there is no need to reconfigure the AWS CLI to assume the same IAM role.

AWS
Feng_C
Answered 8 months ago
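To make concrete why the EC2-only trust policy in the first answer rejects the instance's own role session while the trust policy from the comments accepts it, here is an added Python example (not from the thread, from AWS, or from either answerer): a simplified trust-policy evaluator that normalizes the STS assumed-role session ARN to its IAM role ARN, the way IAM does when matching an "AWS" principal. The two policies and the account id 123456 are constructed placeholders, and the evaluator covers only the Principal/Action/Effect logic relevant here (no Condition keys).

```python
import re

# Constructed trust policies for illustration (not copied from the thread); the
# account id 123456 is the placeholder that appears in the question's error text.
TRUST_EC2_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "ec2.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}
TRUST_EC2_AND_ROLE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "ec2.amazonaws.com",
                                 "AWS": "arn:aws:iam::123456:role/myrolename"},
                   "Action": ["sts:AssumeRole"]}],
}

# arn:aws:sts::<account>:assumed-role/<role-name>/<session-name>
SESSION_ARN = re.compile(r"^arn:aws:sts::(\d+):assumed-role/([^/]+)/[^/]+$")

def session_to_role_arn(principal_arn):
    """Map an STS assumed-role session ARN to the IAM role ARN it was issued for;
    IAM matches a session against an "AWS" principal that names its role."""
    m = SESSION_ARN.match(principal_arn)
    if not m:
        return principal_arn  # already an IAM user/role ARN: pass through unchanged
    account, role_name = m.groups()
    return f"arn:aws:iam::{account}:role/{role_name}"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def can_assume(trust_policy, caller_arn, action="sts:AssumeRole"):
    """Simplified trust-policy check for an IAM/STS caller. Only "AWS" principals
    can match such a caller ("Service" principals are for AWS services, e.g. EC2
    fetching the instance role's credentials); an explicit Deny wins over Allow."""
    caller = session_to_role_arn(caller_arn)
    allowed = False
    for stmt in trust_policy["Statement"]:
        if action not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        aws_principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if caller in aws_principals or "*" in aws_principals:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed
```

Running can_assume against both policies with the session ARN from the error message shows the EC2-only policy denying the call and the policy that names the role allowing it, which is the behaviour the comments describe; the real service also evaluates Condition keys and identity-based policies, which this check omits.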
