Home > Software engineering >  S3 bucket policy for the access from inside of ECS container
S3 bucket policy for the access from inside of ECS container

Time:08-24

I have ECS container with php script which uses S3 bucket.

My S3 policy is like this below, it gives the access permission to the ECS(or other AWS) service.

    {
        "Effect": "Deny",
        "Principal": "*",
        "Action": [
            "s3:PutObject",
            "s3:ListBucket",
            "s3:GetObject",
            "s3:DeleteObject"
        ],
        "Resource": [
            "arn:aws:s3:::ss-bucket-stag",
            "arn:aws:s3:::ss-bucket-stag/*"
        ],
        "Condition": {
            "StringNotLike": {
                "aws:PrincipalArn": "*"
            },
        }
    }

However when exeting php code in container,

There comes the error like this ,

message: fopen(https://test-stock.s3.us-west-2.amazonaws.com/test/test.csv): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden

I guess fopen from inside the container to S3 link doesn't seen as AWS service?

If so , how can I set the bucket policy to permit access?

CodePudding user response:

Using fopen to directly open an HTTP URL that happens to exist in S3 does not sign the request with AWS credentials. So as far as your S3 bucket is concerned that request is coming from some random server that has no aws:PrincipalArn attached.

You need to use the AWS SDK for PHP to interact with S3. When running in ECS the SDK will sign all the requests to S3 (and other AWS services) with the IAM role assigned to your ECS tasks.

Page link:https//www.codepudding.com/Softwareengineering/520747.html

Prev:Upload DataFrame to AWS S3 bucket in Julia
Next:Terraform module s3 lifecycle rule not not working
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding