Can't access s3 buckets after instantiation using IAM profile

I am trying to access some s3 buckets from an instance created using an IAM profile that allows full access to those s3 buckets. I can perform the required operations with aws cli. However, my application is written in Ruby and uses a fog gem. Using fog, I cannot access these buckets. All I get is Access Denied. Also, I took the required keys:

aws_access_key_id=`curl http://169.254.169.254/latest/meta-data/iam/security-credentials/${instance_profile} | grep AccessKeyId | cut -d':' -f2 | sed 's/[^0-9A-Z]*//g'`

aws_secret_access_key=`curl http://169.254.169.254/latest/meta-data/iam/security-credentials/${instance_profile} | grep SecretAccessKey | cut -d':' -f2 | sed 's/[^0-9A-Za-z/+=]*//g'`

and tried to access the buckets. Again, access is denied.

Is there anything I should have missed?

+3




1 answer


In addition to the access key and private access key, temporary credentials such as those provided by the instance metadata also have a session token - without the token, the credentials are invalid.

Current versions of fog / fog-aws support fetching instance credentials for you, for example



storage = Fog::Storage::AWS.new(region: "eu-west-1", use_iam_profile: true)

This will also validate credentials before expiration.

+2
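The answer's point about the session token, as an added Ruby example that is not part of the original question or answer: it parses the metadata credential document as JSON rather than with grep/cut/sed, and rejects a credential set that lacks the token or has already expired. The sample document is constructed, and the helper name `fog_options_from_metadata` is hypothetical; the returned keys are fog-aws connection options.

```ruby
require "json"
require "time"

# Constructed sample of the JSON document served under
# /latest/meta-data/iam/security-credentials/<role>; every value is fake.
SAMPLE_METADATA = <<~DOC
  {
    "Code": "Success",
    "Type": "AWS-HMAC",
    "AccessKeyId": "ASIAEXAMPLEEXAMPLE00",
    "SecretAccessKey": "constructed/secret+value=",
    "Token": "constructed//session+token==",
    "Expiration": "2030-01-01T06:00:00Z"
  }
DOC

# Temporary credentials are only valid as a complete set.
REQUIRED_FIELDS = %w[AccessKeyId SecretAccessKey Token Expiration].freeze

# Hypothetical helper: turn the metadata document into fog-aws options.
# Raises ArgumentError when a field is missing or the set has expired.
def fog_options_from_metadata(json_text, region:, now: Time.now)
  doc = JSON.parse(json_text)
  missing = REQUIRED_FIELDS.reject { |k| doc[k].is_a?(String) && !doc[k].empty? }
  unless missing.empty?
    raise ArgumentError, "incomplete credentials, missing: #{missing.join(', ')}"
  end

  expires_at = Time.iso8601(doc["Expiration"])
  if expires_at <= now
    raise ArgumentError, "credentials expired at #{expires_at.utc.iso8601}"
  end

  {
    region: region,
    aws_access_key_id: doc["AccessKeyId"],
    aws_secret_access_key: doc["SecretAccessKey"],
    aws_session_token: doc["Token"], # the part the question's script dropped
    aws_credentials_expire_at: expires_at
  }
end

# On an instance, with the fog-aws gem loaded and `body` holding the fetched
# document: Fog::Storage::AWS.new(fog_options_from_metadata(body, region: "eu-west-1"))
```

Credentials passed this way are a snapshot that stops working at `Expiration`; `use_iam_profile: true` avoids handling the secret values at all.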

