@lwoodson
Last active June 26, 2017 21:42

Problem

Need to download an object from an S3 bucket in the bv-nexus-qa account (us-east-1) onto an EC2 instance in the bv-nexus account (us-east-1):

List objects in bucket...

[root@ip-10-100-27-9 ~]# aws s3 ls s3://bv-service-zkbrowser/

An error occurred (AccessDenied) when calling the ListObjects operation: Access Denied

Download specific object to instance...

[root@ip-10-100-27-9 ~]# aws s3 cp s3://bv-service-zkbrowser/1.0.0/config.yaml .
fatal error: An error occurred (403) when calling the HeadObject operation: Forbidden

bucket access control list

aws s3api get-bucket-acl --bucket bv-service-zkbrowser --profile qa

{
    "Owner": {
        "DisplayName": "amazon-aws-nexus-qa",
        "ID": "eeda226d14aca065bb31e3b3deffc6c524ba417ebcee1de3663f48d517a6db9e"
    },
    "Grants": [
        {
            "Grantee": {
                "Type": "CanonicalUser",
                "DisplayName": "amazon-aws-nexus-qa",
                "ID": "eeda226d14aca065bb31e3b3deffc6c524ba417ebcee1de3663f48d517a6db9e"
            },
            "Permission": "FULL_CONTROL"
        }
    ]
}

object acl

aws s3api get-object-acl --bucket bv-service-zkbrowser --key 1.0.0/config.yaml --profile qa

{
    "Owner": {
        "DisplayName": "amazon-aws-nexus-qa",
        "ID": "eeda226d14aca065bb31e3b3deffc6c524ba417ebcee1de3663f48d517a6db9e"
    },
    "Grants": [
        {
            "Grantee": {
                "Type": "CanonicalUser",
                "DisplayName": "amazon-aws-nexus-qa",
                "ID": "eeda226d14aca065bb31e3b3deffc6c524ba417ebcee1de3663f48d517a6db9e"
            },
            "Permission": "FULL_CONTROL"
        }
    ]
}

bucket policy

aws s3api get-bucket-policy --bucket bv-service-zkbrowser --profile qa | jq -r ".Policy" | jq "."

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "bv-nexus-accounts",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::774013277495:root",
          "arn:aws:iam::468552248569:root"
        ]
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::bv-service-zkbrowser",
        "arn:aws:s3:::bv-service-zkbrowser/*",
        "arn:aws:s3:::bv-service-zkbrowser/1.0.0/*"
      ]
    }
  ]
}

instance profile ARN

aws ec2 describe-instances --instance-ids i-0b4b157320f8b629d --region us-east-1 | jq ".Reservations[].Instances[0].IamInstanceProfile.Arn"

"arn:aws:iam::774013277495:instance-profile/dev-zkbrowser-test-InstanceProfile-17HM3O3XTWXIC"

Instance profile roles/policies

aws iam get-instance-profile --instance-profile-name dev-zkbrowser-test-InstanceProfile-17HM3O3XTWXIC

{
    "InstanceProfile": {
        "InstanceProfileId": "AIPAJ2OXBD5IPYK4PYASU",
        "Roles": [
            {
                "AssumeRolePolicyDocument": {
                    "Version": "2008-10-17",
                    "Statement": [
                        {
                            "Action": "sts:AssumeRole",
                            "Effect": "Allow",
                            "Principal": {
                                "Service": "ec2.amazonaws.com"
                            }
                        }
                    ]
                },
                "RoleId": "AROAIG3HG3ZGMZO5O5HX2",
                "CreateDate": "2017-06-26T16:56:56Z",
                "RoleName": "dev-zkbrowser-test-InstanceRole-1GYKSVBS3FDD5",
                "Path": "/",
                "Arn": "arn:aws:iam::774013277495:role/dev-zkbrowser-test-InstanceRole-1GYKSVBS3FDD5"
            }
        ],
        "CreateDate": "2017-06-26T16:57:17Z",
        "InstanceProfileName": "dev-zkbrowser-test-InstanceProfile-17HM3O3XTWXIC",
        "Path": "/",
        "Arn": "arn:aws:iam::774013277495:instance-profile/dev-zkbrowser-test-InstanceProfile-17HM3O3XTWXIC"
    }
}
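The captures above show the two halves of a cross-account S3 request: a bucket policy granting `s3:*` to the root ARNs of two accounts, and an instance profile whose role lives in one of them (774013277495). A grant to an account's root ARN only delegates to that account; for a request from another account, the caller's own IAM identity policy must also allow the action, and `get-instance-profile` shows only the role's trust policy, not its attached or inline permissions. The ACL output also shows bucket and object with the same owner, which rules out the other common cause (an object uploaded by a different account). The following is an added illustration, not code from the gist: a simplified model of that evaluation rule run over the bucket policy copied from above. It assumes the bucket owner is account 468552248569 (the gist shows only a canonical user ID), constructs the role's identity policies (the gist does not display them), and ignores conditions, `NotAction`, SCPs, permission boundaries and session policies.

```python
# Added example, not part of the gist: a simplified model of AWS's rule that a
# cross-account request needs an Allow from BOTH the bucket policy and the
# caller's identity policy (and no Deny from either).
import fnmatch

# Bucket policy as returned by get-bucket-policy in the gist.
BUCKET_POLICY = {
    "Version": "2008-10-17",
    "Statement": [{
        "Sid": "bv-nexus-accounts", "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam::774013277495:root",
                              "arn:aws:iam::468552248569:root"]},
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::bv-service-zkbrowser",
                     "arn:aws:s3:::bv-service-zkbrowser/*",
                     "arn:aws:s3:::bv-service-zkbrowser/1.0.0/*"],
    }],
}
# Role behind the instance profile shown in the gist.
ROLE_ARN = "arn:aws:iam::774013277495:role/dev-zkbrowser-test-InstanceRole-1GYKSVBS3FDD5"
# Assumption: the bucket is owned by the other account named in the policy.
BUCKET_OWNER_ACCOUNT = "468552248569"
BUCKET_ARN = "arn:aws:s3:::bv-service-zkbrowser"
OBJECT_ARN = "arn:aws:s3:::bv-service-zkbrowser/1.0.0/config.yaml"

# Constructed identity policies for the role (the gist does not show them).
EMPTY_ROLE_POLICY = {"Version": "2012-10-17", "Statement": []}
ROLE_POLICY_READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET_ARN},
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": BUCKET_ARN + "/*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _account_of(arn):
    # arn:partition:service:region:account:resource -> account field
    return arn.split(":")[4]


def _wildcard_match(patterns, value, fold_case=False):
    # IAM wildcards are '*' and '?'; action names are case-insensitive, resources are not.
    if fold_case:
        value = value.lower()
    for pattern in _as_list(patterns):
        if fnmatch.fnmatchcase(value, pattern.lower() if fold_case else pattern):
            return True
    return False


def _principal_matches(principal, caller_arn):
    # Resource-policy Principal: "*" or {"AWS": [...]}; service principals are not modelled.
    if principal == "*":
        return True
    for entry in _as_list(principal.get("AWS", [])):
        if entry == "*" or entry == caller_arn:
            return True
        # An account-root ARN or bare account ID delegates to every principal in
        # that account; the account's own IAM policies then have to grant it.
        is_account = not entry.startswith("arn:") or entry.endswith(":root")
        account = _account_of(entry) if entry.startswith("arn:") else entry
        if is_account and account == _account_of(caller_arn):
            return True
    return False


def evaluate(policy, action, resource, caller_arn=None):
    """Return 'Deny', 'Allow' or 'Implicit' for one policy document. Deny wins."""
    result = "Implicit"
    for stmt in policy.get("Statement", []):
        if "Principal" in stmt and not _principal_matches(stmt["Principal"], caller_arn):
            continue
        if not _wildcard_match(stmt.get("Action", []), action, fold_case=True):
            continue
        if not _wildcard_match(stmt.get("Resource", []), resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        result = "Allow"
    return result


def is_allowed(action, resource, caller_arn, identity_policy, bucket_policy, bucket_owner_account):
    bucket_verdict = evaluate(bucket_policy, action, resource, caller_arn)
    identity_verdict = evaluate(identity_policy, action, resource)
    if "Deny" in (bucket_verdict, identity_verdict):
        return False
    if _account_of(caller_arn) == bucket_owner_account:
        return "Allow" in (bucket_verdict, identity_verdict)  # same account: either suffices
    return bucket_verdict == "Allow" and identity_verdict == "Allow"  # cross account: both needed


def diagnose(identity_policy):
    """The two calls from the gist: `aws s3 ls` needs s3:ListBucket on the bucket ARN;
    `aws s3 cp` begins with HeadObject, which needs s3:GetObject on the key."""
    args = (ROLE_ARN, identity_policy, BUCKET_POLICY, BUCKET_OWNER_ACCOUNT)
    return {"ListObjects": is_allowed("s3:ListBucket", BUCKET_ARN, *args),
            "HeadObject": is_allowed("s3:GetObject", OBJECT_ARN, *args)}


if __name__ == "__main__":
    print("role with no S3 permissions:", diagnose(EMPTY_ROLE_POLICY))
    print("role with read-only S3 policy:", diagnose(ROLE_POLICY_READ_ONLY))
```

With an empty identity policy the model reproduces the gist's `AccessDenied` and `403` on both calls even though the bucket policy says `s3:*`; with a read-only identity policy both succeed. The real-world equivalent of the missing step is to inspect the role's permissions, which the gist's last command does not show: `aws iam list-attached-role-policies --role-name <role>` and `aws iam list-role-policies --role-name <role>` (followed by `get-policy-version` or `get-role-policy`) list them, and `aws iam simulate-principal-policy` can evaluate the identity side against a given action and resource ARN.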