I have a web page on an AWS instance located at /var/www/html/
Until now this website used the keys AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY in the code itself to access files hosted on S3.
For security reasons, I have removed these keys from my code and used the aws configure command over ssh to store them on the server, as recommended by AWS.
I see that in my home directory a ~/.aws/ folder has been created with 2 files: credentials and config.
Both seem to be correct but in the web logs now I get the following error when trying to access files from S3:
PHP Fatal error: Uncaught Aws\Exception\CredentialsException: Error retrieving credentials from the instance profile metadata server. (Client error: 'GET http://169.254.169.254/latest/meta-data/iam/security-credentials/' resulted in a '404 Not Found' response:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www. (truncated ...)
) in /var/www/html/aws/Aws/Credentials/InstanceProfileProvider.php:88
I don't know what that URL is but I can't access it through the browser.
I have tried it with environment variables: export AWS_ACCESS_KEY_ID=xxxxx...
I have copied the .aws folder to /var/www, I have given more permissions to .aws, I have changed the owner and group from root to ec2-user ...
How should I do the configuration so that my code correctly calls S3 and gets the files?
Call example that fails:
// SDK zip install under /var/www/html/aws/ (the path shown in the error above)
require_once __DIR__ . '/aws/aws-autoloader.php';

$s3 = new Aws\S3\S3Client([
    'version' => 'latest',
    'region'  => 'eu-central-1'
]);
if ($s3) {
    // Partial read: an inclusive 8-byte range starting at $startpos
    $result = $s3->getObject(array(
        'Bucket' => AWS_S3_BUCKET,
        'Key'    => $s3_key,
        'Range'  => 'bytes=' . $startpos . '-' . ($startpos + 7)
    ));
}
CodePudding user response:
You probably need to move the .aws folder to the home folder of the service (apache) and not your home folder. The aws sdk can't find it and you receive this error. However, it isn't a good idea to use aws configure inside an EC2 instance.
Only assign required permissions to the role (S3 read/write).
Your code ($s3 = new Aws\S3\S3Client) will try to load the default credentials. It will first try to call the meta-data service and get temporary credentials that correspond to the IAM role permissions.