Issue
I have created an IAM Role and assigned AmazonS3ReadOnlyAccess
policy to the role.
After that I have attached the IAM role to the EC2 instance as follows:
- Choose the Actions tab, choose Security, and then choose Modify IAM role.
- Select the IAM role that I just created, and then choose Save. The IAM role is assigned to the EC2 instance.
Now, when I login to the EC2 instance and I am still not able to connect to S3 and getting below error:
[root@ip-172-31-13-233 ~]# aws s3 ls
An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied
[root@ip-172-31-13-233 ~]#
Also aws sts get-caller-identity
is generating below output.
[root@ip-172-31-13-233 ~]# aws sts get-caller-identity
{
"Account": "12345",
"UserId": "CIDA6DCGK7EIXLKYUWLEN",
"Arn": "arn:aws:iam::12345:user/user1"
}
[root@ip-172-31-13-233 ~]#
Solution
For other that might be helpful. What's happening here is that the aws cli that has been installed has been configured with a user. When using EC2, there is no need to do that. you can directly run aws cli and it would automatically fetch credentials from instance metadata (if a role is associated). If, however you had created a user, then you have to go through those steps in order to revert everything back to default:
https://aws.amazon.com/premiumsupport/knowledge-center/iam-ec2-user-role-credentials/
Answered By - Anthony B. Answer Checked By - Marilyn (WPSolving Volunteer)