So I have created an IAM user and added a permission to access S3. Then I have created an EC2 instance and SSH'ed into it.
After giving the "aws s3 ls" command, the reply was "Unable to locate credentials. You can configure credentials by running "aws configure"".
So what's the difference between giving IAM credentials (Key and Key ID) using "aws configure" and editing the bucket policy to allow S3 access to my instance's public IP?
Even after editing the bucket policy (JSON) to allow S3 access to my instance's public IP, why am I not able to access the S3 bucket unless I use "aws configure" (Key and Key ID)?
Please help! Thanks.
CodePudding user response:
Since you are using EC2 you should really use EC2 Instance Profiles instead of running aws configure and hard-coding credentials in the file system.
As for your question of S3 bucket policies versus IAM roles, here is the official documentation on that. They are two separate tools you would use in securing your AWS account.
As for your specific command that failed, note that the AWS CLI tool will always try to look for credentials by default. If you want it to skip looking for credentials you can pass the --no-sign-request argument.
However, if you were just running aws s3 ls then that was trying to list all the buckets in your account, which you would have to have IAM credentials for. Individual bucket policies would not be taken into account in that scenario.
If you were running aws s3 ls s3://bucketname then that may have worked as aws s3 ls s3://bucketname --no-sign-request.
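The distinction the answer above draws, as an added example that is not part of the original thread: a small, deliberately simplified evaluator for an anonymous (unsigned) request against a bucket policy. It models only Principal "*", Action, Resource and the aws:SourceIp condition (no explicit Deny, wildcards, IAM policies or Block Public Access), which is enough to show why "aws s3 ls" (s3:ListAllMyBuckets on arn:aws:s3:::*) is never matched by a single bucket's policy, while "aws s3 ls s3://example-bucket --no-sign-request" from the allowed address is. The bucket name and IP addresses are constructed.

```python
import ipaddress
import json

# Constructed bucket policy (not from the original post): allow anonymous
# listing of one bucket, but only from a single source address.
BUCKET_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowListFromInstanceIp",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:ListBucket"],
    "Resource": "arn:aws:s3:::example-bucket",
    "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.10/32"}}
  }]
}""")


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _ip_matches(cidrs, source_ip):
    """True if source_ip falls inside any of the aws:SourceIp CIDR ranges."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(c) for c in _as_list(cidrs))


def bucket_policy_allows(policy, action, resource, source_ip):
    """Simplified check: does any Allow statement for Principal '*' cover
    this action, this exact resource ARN and this source IP?
    Real S3 evaluation adds explicit Deny, wildcard matching, IAM
    policies and account-level public access blocks on top of this."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Principal") != "*":
            continue
        if action not in _as_list(stmt["Action"]):
            continue
        # A bucket policy can only name its own bucket (and objects in it),
        # so an account-wide action like s3:ListAllMyBuckets never matches.
        if resource not in _as_list(stmt["Resource"]):
            continue
        cond = stmt.get("Condition", {}).get("IpAddress", {}).get("aws:SourceIp")
        if cond is not None and not _ip_matches(cond, source_ip):
            continue
        return True
    return False
```

Running the three cases from the thread: the bare "aws s3 ls" is refused regardless of IP, the bucket-specific unsigned listing succeeds from 203.0.113.10 and is refused from any other address.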
CodePudding user response:
When you create an IAM user there are two parts:
- policies
- roles
Policies are attached to a user: what services the user can or can't access. Roles are attached to an application: what access that application can have.
So you have to permit EC2 to access S3. There are two ways to do that:
- aws configure
- attach a role to the EC2 instance
While 1 is tricky and lengthy, 2 is easy. Go to EC2 instance -> Actions -> Security -> Modify IAM role -> then select the role (EC2 S3 access role).
That's it, you can simply do aws s3 ls from the EC2 instance.