I have 2 IAM Roles A & B that are assumed by 2 EC2 instances. I would like to grant role A access to the ServerA/ key and all subkeys and objects in an S3 bucket.
I would like to do the same for Role B but give it access to only the ServerB/ key and all subkeys and objects starting with that key.
S3 bucket layout:
- SqlServerBackups/
  - ServerA/
    - DBAdmin/
      - DIFF/
        - backup1.bak
        - ..
      - FULL/
        - fullbackup1.bak
        - ..
  - ServerB/
    - DBAdmin/
      - DIFF/
        - backup1.bak
        - ..
      - FULL/
        - fullbackup1.bak
        - ..
When I try to perform this sync operation from ServerA:
```
aws s3 sync E:\BACKUPS\VOL01\MSSQL15.MSSQLSERVER\MSSQL\Backup\ s3://bucketname/SqlServerBackups/ServerA/
```
I am getting this error:
```
upload failed: E:\BACKUPS\VOL01\MSSQL15.MSSQLSERVER\MSSQL\Backup\OperatorData\LOG\OperatorData.trn to s3://bucketname/SqlServerBackups/ServerA/OperatorData/LOG/OperatorData_LOG_20221011_111601.trn
An error occurred (AccessDenied) when calling the PutObject operation: Access Denied
```
This is the custom IAM policy attached to the ServerA EC2:
```json
{
  "Statement": [
    {
      "Action": [
        "s3:ListBucket",
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:AbortMultipartUpload"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::bucketname",
        "arn:aws:s3:::bucketname/ServerA/*"
      ]
    }
  ],
  "Version": "2012-10-17"
}
```
What am I missing here? My policy seems to be causing the issue but I am not sure what permissions I am missing to fix the issue.
CodePudding user response:
Try this:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::<<bucketname>>",
      "Condition": {
        "StringLike": {
          "s3:prefix": "ServerB/*"
        }
      }
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:AbortMultipartUpload"
      ],
      "Resource": "arn:aws:s3:::<<bucketname>>/ServerB/*"
    }
  ]
}
```
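Added example (not code from the question or the answer): a small Python script that builds a per-server least-privilege policy and evaluates it with a deliberately simplified IAM matcher, to show why the object resource ARN must contain the full key path under the bucket (`SqlServerBackups/ServerA/*` for the layout in the question) and how the `s3:prefix` condition keeps `ListBucket` from enumerating the other server's backups. The evaluator (`is_allowed`), the generator (`scoped_policy`) and the sample policies are assumptions for illustration, not AWS's own engine.

```python
from fnmatch import fnmatchcase

def scoped_policy(bucket, prefix):
    """Least-privilege policy for one backup prefix, e.g. 'SqlServerBackups/ServerA'.
    ListBucket is a bucket-level action, so it is narrowed with an s3:prefix condition;
    object actions are bound to the full key prefix in the resource ARN."""
    prefix = prefix.strip("/")
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": f"arn:aws:s3:::{bucket}",
         "Condition": {"StringLike": {"s3:prefix": [f"{prefix}/", f"{prefix}/*"]}}},
        {"Effect": "Allow",
         "Action": ["s3:PutObject", "s3:GetObject", "s3:AbortMultipartUpload"],
         "Resource": f"arn:aws:s3:::{bucket}/{prefix}/*"}]}

def is_allowed(policy, action, resource, context=None):
    """Toy identity-policy evaluator (assumption, not the real IAM engine): Allow
    statements only, '*' wildcards in Action/Resource, StringLike conditions that
    fail when the condition key is absent from the request context."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(fnmatchcase(action, a) for a in actions):
            continue
        if not any(fnmatchcase(resource, r) for r in resources):
            continue
        ok = True
        for key, pats in stmt.get("Condition", {}).get("StringLike", {}).items():
            pats = pats if isinstance(pats, list) else [pats]
            value = context.get(key)
            if value is None or not any(fnmatchcase(value, p) for p in pats):
                ok = False
        if ok:
            return True
    return False

# Key actually written by the sync in the question (note the SqlServerBackups/ segment).
KEY = "SqlServerBackups/ServerA/OperatorData/LOG/OperatorData_LOG_20221011_111601.trn"

# Constructed policy mirroring the question's resource ARNs, which omit SqlServerBackups/.
QUESTION_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["s3:ListBucket", "s3:PutObject"],
    "Resource": ["arn:aws:s3:::bucketname", "arn:aws:s3:::bucketname/ServerA/*"]}]}

def can_put(policy, key, bucket="bucketname"):
    return is_allowed(policy, "s3:PutObject", f"arn:aws:s3:::{bucket}/{key}")

if __name__ == "__main__":
    print("question policy:", can_put(QUESTION_POLICY, KEY))                              # False
    print("scoped policy:  ", can_put(scoped_policy("bucketname", "SqlServerBackups/ServerA"), KEY))  # True
```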