I just spent the last hour of my day trying to figure out why my script was saying I didn't have access to a particular resource from within my Docker image. I granted access to the IAM Role for my Docker instance (or so I thought), but it still said it had no access to write to a particular bucket. The request seemed like it was saying there were credentials set, but it wasn't indicating what role the request was made by.
At one point, the AWS-SDK for Node.js would print out a very useful message like "User arn:..... is not allowed to perform action s3:putObject on resource arn:...."
Now, however, it simply told me:
{ [AccessDenied: Access Denied]
message: 'Access Denied',
code: 'AccessDenied',
region: null,
time: Wed Sep 21 2016 13:51:55 GMT+0000 (UTC),
requestId: 'REQUEST ID',
extendedRequestId: 'LONG_REQUEST_ID',
cfId: undefined,
statusCode: 403,
retryable: false,
retryDelay: 13.531139446422458 }
That's great, I know the error is Access Denied, and I know it's not a retryable error, but what did it try to do, and who tried to do it?
After stumbling around for a while, I finally found this:
curl http://169.254.169.254/latest/meta-data/iam/info/
Which told me the IAM role that scripts were assuming in my current EC2/Docker environment:
{
"Code" : "Success",
"LastUpdated" : "2016-09-21T13:53:02Z",
"InstanceProfileArn" : "arn:aws:iam::ACCOUNT-ID:instance-profile/acindex",
"InstanceProfileId" : "INSTANCE_PROFILE_ID"
}
Not the role I thought it was running as....
Add the permissions to that ARN, and we're set.
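A small helper that applies the same trick from inside the script, as an added example that is not part of the original post: it parses the iam/info body (assumed to have been fetched by the caller from http://169.254.169.254/latest/meta-data/iam/info/) and folds the instance-profile ARN, the operation and the target bucket into the message the SDK stopped printing. The helper names and the sample account id are made up.

```javascript
// Added example (not the post's code). Assumes the caller fetched
// http://169.254.169.254/latest/meta-data/iam/info/ and passes its body in.

// Parse the IMDS iam/info body: {"Code":"Success","InstanceProfileArn":...}
// when a profile is attached; anything else means no instance-role credentials.
function parseIamInfo(bodyText) {
  let info;
  try {
    info = JSON.parse(bodyText);
  } catch (e) {
    return { attached: false, reason: 'metadata body was not JSON' };
  }
  if (info.Code !== 'Success' || typeof info.InstanceProfileArn !== 'string') {
    return { attached: false, reason: `metadata Code=${info.Code || 'missing'}` };
  }
  // arn:aws:iam::ACCOUNT-ID:instance-profile/NAME
  const parts = info.InstanceProfileArn.split(':');
  if (parts.length !== 6 || !parts[5].startsWith('instance-profile/')) {
    return { attached: false, reason: `unexpected ARN ${info.InstanceProfileArn}` };
  }
  return { attached: true, arn: info.InstanceProfileArn, accountId: parts[4],
    profileName: parts[5].slice('instance-profile/'.length), lastUpdated: info.LastUpdated };
}

// Build the message the SDK no longer gives you: who, which action, which resource.
// `operation` and `params` come from your call site; the SDK error does not carry them.
// Returns null for anything other than the bare 403 so other handlers still run.
function describeAccessDenied(err, operation, params, iamInfo) {
  if (!err || err.code !== 'AccessDenied') return null;
  const who = iamInfo.attached
    ? `instance profile ${iamInfo.arn}`
    : `no instance profile (${iamInfo.reason})`;
  const key = params && params.Key ? `/${params.Key}` : '';
  const target = params && params.Bucket ? `${params.Bucket}${key}` : '(unknown resource)';
  return `${who} was denied ${operation} on ${target} ` +
    `(requestId ${err.requestId}, status ${err.statusCode})`;
}

// Constructed sample inputs mirroring the post's output (account id is made up).
const SAMPLE_IAM_INFO = JSON.stringify({
  Code: 'Success', LastUpdated: '2016-09-21T13:53:02Z',
  InstanceProfileArn: 'arn:aws:iam::123456789012:instance-profile/acindex',
  InstanceProfileId: 'AIPA-EXAMPLE',
});
const SAMPLE_ERROR = { message: 'Access Denied', code: 'AccessDenied',
  statusCode: 403, requestId: 'REQUEST ID', retryable: false };

console.log(describeAccessDenied(SAMPLE_ERROR, 's3:PutObject',
  { Bucket: 'my-bucket', Key: 'report.csv' }, parseIamInfo(SAMPLE_IAM_INFO)));
```

The container could query 169.254.169.254 because Docker's default bridge network routes to it, which is also why the script ran with the instance profile's permissions rather than any role configured elsewhere; containers that should not carry the instance role need that route blocked.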