Thanks Sajan,

It isn’t the IAM configuration that is the problem. What I’m trying to do is 
use an AWS IAM role, which means I wouldn’t need to create a user account or 
embed static credentials into the s3cmd config file. 

With a role assigned to the EC2 instance, any tools that support roles are 
automatically provided the needed credentials when they run. The access and 
secret key are temporary, and not stored in the instance. This is really 
powerful for autoscaling and bootstrapping securely.

The alternative (which someone posted) is to do some scripting to pull the temp 
credentials into s3cmd when needed, which is what I’ll try next unless anyone 
has suggestions for getting IAM role support working (in alpha 3). That’s 
similar to your user-based approach, but will use temporary credentials 
instead. Then I can revoke the role after the system is up and running and not 
worry about affecting anything else.

Thanks,

Rich Mogull
rmog...@securosis.com
AIM: Securosis
Skype: rmogull
work+blog: http://securosis.com
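
Added example, not part of the original message and not s3cmd code: one way to script the temporary-credential approach described above, by reading the role's credentials from the EC2 instance metadata service and writing them to an s3cmd config file readable only by its owner. It assumes IMDSv2 is available and that the installed s3cmd reads the session token from an `access_token` config key; the function names and the sample response are constructed for illustration.

```python
import json, os, tempfile, urllib.request
from datetime import datetime, timezone
IMDS = "http://169.254.169.254/latest"  # EC2 instance metadata service
REQUIRED = ("AccessKeyId", "SecretAccessKey", "Token", "Expiration")

def imds(path, headers, method="GET"):
    req = urllib.request.Request(IMDS + path, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()

def fetch_role_document():
    """Fetch the role's temporary credentials (IMDSv2); works only on EC2."""
    token = imds("/api/token", {"X-aws-ec2-metadata-token-ttl-seconds": "60"}, "PUT")
    auth = {"X-aws-ec2-metadata-token": token}
    base = "/meta-data/iam/security-credentials/"
    role = imds(base, auth).split()[0]  # name of the attached role
    return imds(base + role, auth)

def parse_credentials(document, now=None):
    """Validate the JSON; reject failed lookups and expired credentials."""
    doc = json.loads(document)
    if doc.get("Code") != "Success":
        raise ValueError("metadata service returned Code=%r" % doc.get("Code"))
    missing = [k for k in REQUIRED if not doc.get(k)]
    if missing:
        raise ValueError("missing fields: " + ", ".join(missing))
    expires = datetime.strptime(doc["Expiration"], "%Y-%m-%dT%H:%M:%SZ")
    if expires.replace(tzinfo=timezone.utc) <= (now or datetime.now(timezone.utc)):
        raise ValueError("credentials already expired")
    return doc

def render_s3cfg(doc):
    # Assumption: this s3cmd build reads the session token from access_token.
    return ("[default]\naccess_key = %s\nsecret_key = %s\naccess_token = %s\n"
            % (doc["AccessKeyId"], doc["SecretAccessKey"], doc["Token"]))

def write_private(path, text):
    """Write atomically; mkstemp creates the file with mode 0600."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.replace(tmp, path)

# Constructed sample of the metadata response; every value is fake.
SAMPLE = json.dumps({"Code": "Success", "AccessKeyId": "ASIAEXAMPLEKEYID",
    "SecretAccessKey": "constructedSecret", "Token": "constructedToken",
    "Expiration": "2099-01-01T00:00:00Z"})
if __name__ == "__main__":  # on an instance, parse fetch_role_document() instead
    print(render_s3cfg(parse_credentials(SAMPLE)))
```

The credentials rotate, so the file has to be regenerated before the `Expiration` time in the metadata response.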

On Jul 7, 2013, at 2:58 PM, Sajan Parikh <sa...@noppix.com> wrote:

> Did you try the config I posted to the list a while ago?  I'd been using that 
> config for a long while without any issues, even before any sort of support 
> in S3Tools.
> 
> I created an IAM user, attached the policy I posted before and used the key 
> and secret key for that particular user like normal in s3cmd --configure.
> 
> Has worked like a charm for a while, and I haven't updated s3cmd in months.
> 
> Sajan Parikh
> Owner, Noppix LLC
> 
> e: sa...@noppix.com
> p: (563) 726-0371
> 
> On 07/05/2013 09:45 PM, Rich Mogull wrote:
>> Sajan,
>> 
>> Here's the policy I’m using that doesn’t seem to work. This is *before* 
>> running --config, since I’m trying to figure out how to script a cloud-init 
>> download of some security credentials. Running "s3cmd ls" gives me the 
>> access denied error.
>> 
>> Thank you for the help,
>> 
>> {
>>   "Version": "2012-10-17",
>>   "Statement": [
>>     {
>>       "Effect": "Allow",
>>       "Action": [
>>         "s3:Get*",
>>         "s3:List*"
>>       ],
>>       "Resource": "arn:aws:s3:::<my bucket>"
>>     }
>>   ]
>> }
>> 
>>  
>> 
>> On Jul 4, 2013, at 1:58 PM, Sajan Parikh <sa...@noppix.com> wrote:
>> 
>>> Here's something that should get you started.  It would've helped if you 
>>> showed us what your config currently looks like.
>>> 
>>> {
>>>   "Statement": [
>>>     {
>>>       "Effect": "Allow",
>>>       "Action": "*",
>>>       "Resource": [
>>>         "arn:aws:s3:::your-bucket-name",
>>>         "arn:aws:s3:::your-bucket-name/*"
>>>       ],
>>>       "Condition": {}
>>>     }
>>>   ]
>>> }
>>> Sajan Parikh
>>> Owner, Noppix LLC
>>> 
>>> e: sa...@noppix.com
>>> p: (563) 726-0371
>>> 
>>> On 07/04/2013 03:19 PM, Rich Mogull wrote:
>>>> Does anyone have hints on using s3cmd with IAM roles? I have a role 
>>>> established and assigned to my EC2 instance, but after installing s3cmd I 
>>>> still get access denied. I don't see anything in the documentation. For 
>>>> example, do I need to create a special config file? Is there a command 
>>>> line parameter?
>>>> 
>>>> Thanks
>>>> 
>>>> ------------------------------------------------------------------------------
>>>> This SF.net email is sponsored by Windows:
>>>> 
>>>> Build for Windows Store.
>>>> 
>>>> http://p.sf.net/sfu/windows-dev2dev
>>>> _______________________________________________
>>>> S3tools-general mailing list
>>>> S3tools-general@lists.sourceforge.net
>>>> https://lists.sourceforge.net/lists/listinfo/s3tools-general