AWS IAM Diagnostics: figuring out what role your script is using

I just spent the last hour of my day trying to figure out why my script was saying I didn't have access to a particular resource from within my Docker image. I had granted access to the IAM role for my Docker instance (or so I thought), but it still said it had no access to write to a particular bucket. The error suggested that credentials were set, but it gave no indication of which role the request was made as.

At one point, the AWS-SDK for Node.js would print out a very useful message like "User arn:..... is not allowed to perform action s3:putObject on resource arn:...."

Now, however, it simply told me:

{ [AccessDenied: Access Denied]
  message: 'Access Denied',
  code: 'AccessDenied',
  region: null,
  time: Wed Sep 21 2016 13:51:55 GMT+0000 (UTC),
  requestId: 'REQUEST ID',
  extendedRequestId: 'LONG_REQUEST_ID',
  cfId: undefined,
  statusCode: 403,
  retryable: false,
  retryDelay: 13.531139446422458 }

That's great: I know the error is Access Denied, and I know it's not a retryable error, but what did it try to do, and who tried to do it?

After stumbling around for a while, I finally found this:

curl http://169.254.169.254/latest/meta-data/iam/info/

This told me which IAM role scripts were assuming in my current EC2/Docker environment:

{
  "Code" : "Success",
  "LastUpdated" : "2016-09-21T13:53:02Z",
  "InstanceProfileArn" : "arn:aws:iam::ACCOUNT-ID:instance-profile/acindex",
  "InstanceProfileId" : "INSTANCE_PROFILE_ID"
}

Not the role I thought it was running as...

Add the permissions to that ARN, and we're set.
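Here is a small diagnostic script I would keep alongside this, as an added example that is not part of the original post. It assumes curl (and, for the last check, the AWS CLI) are installed in the container, and it covers two things the bare curl above does not: instances that enforce IMDSv2 reject an untokened GET with a 401, and the SDK credential chain consults environment variables before IMDS, so `aws sts get-caller-identity` is the only way to see who the calls are really signed as.

```shell
#!/bin/sh
# Added diagnostic helper (not from the original post). Assumes curl is
# available; caller_identity additionally assumes the AWS CLI is installed.
IMDS="http://169.254.169.254"

# Fetch a metadata path. Instances that enforce IMDSv2 reject the bare GET
# used above with a 401, so request a session token first and only fall
# back to the IMDSv1 style request if the token endpoint is unavailable.
imds_get() {
    token=$(curl -sf --connect-timeout 2 -X PUT "$IMDS/latest/api/token" \
        -H "X-aws-ec2-metadata-token-ttl-seconds: 60" 2>/dev/null)
    if [ -n "$token" ]; then
        curl -sf --connect-timeout 2 -H "X-aws-ec2-metadata-token: $token" \
            "$IMDS/latest/meta-data/$1"
    else
        curl -sf --connect-timeout 2 "$IMDS/latest/meta-data/$1"
    fi
}

# Pull the instance profile name out of the iam/info JSON (read from stdin).
# The ARN ends in "instance-profile/<name>"; prints nothing if the key is absent.
profile_name() {
    sed -n 's/.*"InstanceProfileArn" *: *"arn:[^"]*instance-profile\/\([^"]*\)".*/\1/p'
}

# The credentials endpoint lists the role name itself (not the profile),
# which is what the SDK actually assumes when nothing else is configured.
role_from_imds() {
    imds_get "iam/security-credentials/"
}

# The SDK credential chain checks environment variables and ~/.aws before
# IMDS, so an AWS_ACCESS_KEY_ID baked into the image silently wins. STS
# reports the identity the requests are really signed as, whatever its source.
caller_identity() {
    aws sts get-caller-identity --query Arn --output text
}

main() {
    echo "instance profile: $(imds_get iam/info | profile_name)"
    echo "role via IMDS:    $(role_from_imds)"
    echo "STS caller ARN:   $(caller_identity)"
}

# Only touch the network when explicitly asked: ./iam-whoami.sh --run
case "${1:-}" in --run) main ;; esac
```

If the STS ARN does not match the role from IMDS, the container is picking up credentials from somewhere else in the chain, and that is where the missing bucket permission needs to go.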
