I have ECS container with php script which uses S3
bucket.
My S3
policy is like this below, it gives the access permission to the ECS(or other AWS)
service.
{
"Effect": "Deny",
"Principal": "*",
"Action": [
"s3:PutObject",
"s3:ListBucket",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::ss-bucket-stag",
"arn:aws:s3:::ss-bucket-stag/*"
],
"Condition": {
"StringNotLike": {
"aws:PrincipalArn": "*"
},
}
}
However when exeting php code in container,
There comes the error like this ,
message: fopen(https://test-stock.s3.us-west-2.amazonaws.com/test/test.csv): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden
I guess fopen
from inside the container to S3
link doesn't seen as AWS service?
If so , how can I set the bucket policy to permit access?
CodePudding user response:
Using fopen
to directly open an HTTP URL that happens to exist in S3 does not sign the request with AWS credentials. So as far as your S3 bucket is concerned that request is coming from some random server that has no aws:PrincipalArn
attached.
You need to use the AWS SDK for PHP to interact with S3. When running in ECS the SDK will sign all the requests to S3 (and other AWS services) with the IAM role assigned to your ECS tasks.